
Author Topic: virus has a left a present  (Read 10123 times)


egon

    Topic Starter


    Rookie

    virus has a left a present
    « on: January 01, 2010, 08:07:29 AM »
    Hi,
    I know that my problem is not new, but as I read all the posts related to my problem, it seems to me that every person was advised a different solution, as it very much depends on the individual problems; hence I am posting mine.
    So yes, I am one of those who got a virus, most probably. My laptop is painfully slow, Google keeps redirecting me to different websites and I receive threats.
    So I did scans: a regular AVG, Norton Security, SUPERAntiSpyware, Ad-Aware, Malwarebytes' Anti-Malware. I installed them, did the scan, uninstalled and installed the next... so that they do not interfere with each other. Each of them found some trojan stuff, rootkit, worm... which was quarantined and removed. Now the scan shows 0 infected objects, but still my laptop is slow and the results of Google search redirect me wherever they want.
    Any advice?
    Thanks

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: virus has a left a present
    « Reply #1 on: January 01, 2010, 08:15:33 AM »
    Go to the malware forum on this site and follow the instructions at the top of that page

    egon

      Topic Starter


      Rookie

      Re: virus has a left a present
      « Reply #2 on: January 01, 2010, 08:26:07 AM »
      Could you help me with where to look? Is it among the forum entries?
      Thanks

      Allan

      • Moderator

      • Mastermind
      • Thanked: 1260
      • Experience: Guru
      • OS: Windows 10

      egon

        Topic Starter


        Rookie

        Re: virus has a left a present
        « Reply #4 on: January 01, 2010, 08:28:22 AM »
        Thank you. I will read it now.

        egon

          Topic Starter


          Rookie

          Re: virus has a left a present
          « Reply #5 on: January 01, 2010, 10:09:56 AM »
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 17:10:30, on 01/01/2010
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v8.00 (8.00.6001.18702)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\Program Files\AVG\AVG9\avgchsvx.exe
          C:\Program Files\AVG\AVG9\avgrsx.exe
          C:\Program Files\AVG\AVG9\avgcsrvx.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\Program Files\AVG\AVG9\avgwdsvc.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
          C:\WINDOWS\system32\slserv.exe
          C:\Program Files\O2\bin\sprtsvc.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\AVG\AVG9\avgnsx.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\wscntfy.exe
          C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\Program Files\O2\bin\sprtcmd.exe
          C:\PROGRA~1\AVG\AVG9\avgtray.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
          C:\Program Files\DNA\btdna.exe
          C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
          R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
          R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
          O2 - BHO: (no name) - {129D5B77-4E2B-4FE2-810F-77B9DD60D2Ad} - C:\WINDOWS\System32\d3dx9_2532.dll (file missing)
          O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
          O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
          O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
          O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
          O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
          O3 - Toolbar: Nero Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
          O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
          O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
          O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
          O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
          O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
          O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
          O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
          O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
          O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
          O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
          O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
          O15 - Trusted Zone: http://*.broadband.o2.co.uk
          O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
          O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1017271221461
          O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
          O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
          O20 - AppInit_DLLs: C:\WINDOWS\System32\,C:\WINDOWS\System32\eappcfg32.dll
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
          O20 - Winlogon Notify: a469ebf9724 - C:\WINDOWS\System32\eappcfg32.dll (file missing)
          O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
          O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
          O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
          O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
          O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
          O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
          O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
          O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

          --
          End of file - 8595 bytes

          egon

            Topic Starter


            Rookie

            Re: virus has a left a present
            « Reply #6 on: January 02, 2010, 06:24:49 AM »
            Any other info you need?
            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 01/01/2010 at 04:39 PM

            Application Version : 4.32.1000

            Core Rules Database Version : 4437
            Trace Rules Database Version: 2263

            Scan type       : Complete Scan
            Total Scan Time : 00:47:08

            Memory items scanned      : 447
            Memory threats detected   : 0
            Registry items scanned    : 5219
            Registry threats detected : 0
            File items scanned        : 35886
            File threats detected     : 0

            Malwarebytes' Anti-Malware 1.43
            Database version: 3468
            Windows 5.1.2600 Service Pack 3
            Internet Explorer 8.0.6001.18702

            01/01/2010 14:55:42
            mbam-log-2010-01-01 (14-55-42).txt

            Scan type: Quick Scan
            Objects scanned: 114751
            Time elapsed: 7 minute(s), 5 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 0
            Registry Values Infected: 0
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 0

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            (No malicious items detected)

            Registry Values Infected:
            (No malicious items detected)

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            (No malicious items detected)


            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: virus has a left a present
            « Reply #7 on: January 04, 2010, 05:11:45 PM »
            Hello egon and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

            1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
            2. The fixes are specific to your problem and should only be used for this issue on this machine.
            3. If you don't know or understand something, please don't hesitate to ask.
            4. Please DO NOT run any other tools or scans while I am helping you.
            5. It is important that you reply to this thread. Do not start a new topic.
            6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
            7. Absence of symptoms does not mean that everything is clear.

            Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

            Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

            Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

            Exit out of MessengerDisable then delete the two files that were put on the desktop.

            I noticed in your HJT log that you are running a P2P file-sharing program (BitTorrent) on your computer. While the program itself is probably safe, the files you download with this program are a major source of infections. Therefore, I strongly urge you to uninstall it.

            Add or Remove Programs

            1. Click on the Windows Start button and click on the Control Panel
            2. In the Control Panel window, double-click Add or Remove Programs icon.
            3. When the Add or Remove Programs window has fully populated, check for Ask.com and uninstall it.

            Click Start, My Computer.
            Select the Tools menu, Folder Options. Select the View tab.
            Under the Hidden files and folders heading select "Show hidden files and folders".
            Uncheck the "Hide protected operating system files (recommended)" option.
            Uncheck the "Hide file extensions for known file types" option.
            Click Yes to confirm. Click OK.

            Click Start, Search, select All Files and Folders. Copy and paste C:\WINDOWS\System32\eappcfg32.dll and click search. Delete this file.

            Open HijackThis and select Do a system scan only

            Place a check mark next to the following entries: (if there)

            R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
            O2 - BHO: (no name) - {129D5B77-4E2B-4FE2-810F-77B9DD60D2Ad} - C:\WINDOWS\System32\d3dx9_2532.dll (file missing)
            O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
            O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
            O3 - Toolbar: Nero Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O20 - AppInit_DLLs: C:\WINDOWS\System32\,C:\WINDOWS\System32\eappcfg32.dll
            O20 - Winlogon Notify: a469ebf9724 - C:\WINDOWS\System32\eappcfg32.dll (file missing)
            O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)


            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.

            Download ComboFix by sUBs from one of the links below. Be sure to save it to the Desktop.

            link # 1
            link #2

            Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

            Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

            Vista users: right-click combofix.exe, select Run as Administrator and follow the prompts.
            Double-click combofix.exe and follow the prompts.
            When finished, ComboFix will produce a log for you.
            Post the ComboFix log and a new HijackThis log in your next reply.

            NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

            Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
            Windows 8 and Windows 10 dual boot with two SSD's
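
Added example (not part of the original posts, and not HijackThis's or SuperDave's own method): a Python triage over a few entry lines copied from the HijackThis log in Reply #5, showing why entries such as the AppInit_DLLs value and the orphaned Winlogon Notify key stand out. The tag names and heuristics are assumptions made for illustration; they mark entries for review and are not verdicts.

```python
import re

# Constructed sample: entry lines copied from the HijackThis log in Reply #5.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {129D5B77-4E2B-4FE2-810F-77B9DD60D2Ad} - C:\WINDOWS\System32\d3dx9_2532.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\,C:\WINDOWS\System32\eappcfg32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: a469ebf9724 - C:\WINDOWS\System32\eappcfg32.dll (file missing)
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")        # "O20 - ..." lines
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)  # assumed "random-looking" name
NOTIFY_PREFIX = "Winlogon Notify: "
APPINIT_PREFIX = "AppInit_DLLs:"


def parse_entries(log_text):
    """Return (section_code, body) for every entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def target_paths(body):
    """Lower-cased file targets named by an entry (empty list if none)."""
    if body.startswith(APPINIT_PREFIX):
        # Simplification: split on commas only; bare directory items are dropped.
        items = [p.strip() for p in body.split(":", 1)[1].split(",")]
        return [p.lower() for p in items if p and not p.endswith("\\")]
    if " - " not in body:
        return []
    # Simplification: the target is the last " - " separated field.
    last = MISSING_RE.sub("", body.rsplit(" - ", 1)[1]).strip()
    return [last.lower()] if last else []


def triage(log_text):
    """Return (code, body, reasons) for entries that deserve a manual look."""
    entries = parse_entries(log_text)
    # DLLs in AppInit_DLLs are loaded into every process that loads user32.dll.
    appinit = set()
    for _, body in entries:
        if body.startswith(APPINIT_PREFIX):
            appinit.update(target_paths(body))

    findings = []
    for code, body in entries:
        reasons = []
        if MISSING_RE.search(body):
            reasons.append("orphaned")            # registry points at a missing file
        if "(no name)" in body:
            reasons.append("unnamed")             # component registered without a name
        if body.startswith(APPINIT_PREFIX):
            if target_paths(body):
                reasons.append("appinit")         # any DLL listed here needs explaining
        else:
            if body.startswith(NOTIFY_PREFIX):
                name = body[len(NOTIFY_PREFIX):].split(" - ", 1)[0]
                if HEX_NAME_RE.match(name):
                    reasons.append("random-notify-name")
            if appinit.intersection(target_paths(body)):
                reasons.append("shares-appinit-dll")  # same DLL hooked in twice
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code:<4}{', '.join(reasons):<55}{body}")
```
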

            egon

              Topic Starter


              Rookie

              Re: virus has a left a present
              « Reply #8 on: January 05, 2010, 12:16:14 PM »
              In the Add or Remove Programs I could not find any programme Ask.com, I just found nero toolbar, next to which was an icon 'ask', so I deleted that one (I reckon it is unimportant, anyway).
              Next step was to delete that C:\WINDOWS\System32\eappcfg32.dll stuff, but I followed your instructions verbatim but the system did not find any folder with such a name.
              Are you positive it should be somewhere there or can I just continue following instructions?
              Thanks

              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: virus has a left a present
              « Reply #9 on: January 05, 2010, 12:39:44 PM »
              Quote
              In the Add or Remove Programs I could not find any programme Ask.com,
              Ok. Let's see if we can find it this way.

              Delete An Uninstall Entry

              • Start HijackThis
              • Click on the Open the Misc Tools section
              • Click on the Open Uninstall Manager button.
              • Highlight the entry you want to remove.
              • Click Delete this entry

              Quote
              Next step was to delete that C:\WINDOWS\System32\eappcfg32.dll stuff, but I followed your instructions verbatim but the system did not find any folder with such a name.
              That's ok. The log said that the file was missing but I just wanted to make sure. Please proceed with the next steps.

              egon

                Topic Starter


                Rookie

                Re: virus has a left a present
                « Reply #10 on: January 05, 2010, 11:42:55 PM »
                HijackThis also does not list ask.com. I do not know whether it is OK to proceed or we have to get rid of this ask.com first.
                Thanks.

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: virus has a left a present
                « Reply #11 on: January 06, 2010, 07:37:56 AM »
                Ok egon. Run ComboFix. We'll see if it's hiding in there.

                egon

                  Topic Starter


                  Rookie

                  Re: virus has a left a present
                  « Reply #12 on: January 06, 2010, 12:47:39 PM »
                  ComboFix 10-01-04.01 -  06/01/2010   9:21.1.1 - x86
                  Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.509.280 [GMT 0:00]
                  Running from: c:\documents and settings\L
                  AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                  .

                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
                  c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
                  c:\documents and settings\Lucia & Stefan\Application Data\020000008d5a2e7c724C.manifest
                  c:\documents and settings\Lucia & Stefan\Application Data\020000008d5a2e7c724O.manifest
                  c:\documents and settings\Lucia & Stefan\Application Data\020000008d5a2e7c724P.manifest
                  c:\documents and settings\Lucia & Stefan\Application Data\020000008d5a2e7c724S.manifest
                  c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}
                  c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}\chrome.manifest
                  c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}\chrome\xulcache.jar
                  c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}\defaults\preferences\xulcache.js
                  c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}\install.rdf
                  c:\documents and settings\Lucia & Stefan\Application Data\SystemProc
                  C:\setup.exe
                  c:\windows\system32\375098526
                  c:\windows\system32\CRqBd.vbs
                  c:\windows\system32\d3d10core.dll
                  c:\windows\system32\ids2IZ0.vbs
                  c:\windows\system32\kernel32new.dll
                  c:\windows\system32\msvcrtnew.dll
                  c:\windows\system32\unrar.exe

                  ----- BITS: Possible infected sites -----

                  hxxp://sync.broadband.o2.co.uk:8080
                  Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
                  Restored copy from - c:\windows\system32\winlogon.bak

                  .
                  (((((((((((((((((((((((((   Files Created from 2009-12-06 to 2010-01-06  )))))))))))))))))))))))))))))))
                  .

                  2010-01-01 17:06 . 2010-01-01 17:06   --------   d-----w-   c:\program files\Trend Micro
                  2010-01-01 17:04 . 2010-01-01 17:04   --------   d-----w-   c:\documents and settings\Lucia & Stefan\Local Settings\Application Data\AVG Security Toolbar
                  2010-01-01 14:31 . 2010-01-01 14:31   --------   d-----w-   c:\documents and settings\Lucia & Stefan\Application Data\Malwarebytes
                  2010-01-01 14:31 . 2009-12-30 14:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2010-01-01 14:31 . 2010-01-01 14:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2010-01-01 14:31 . 2010-01-01 14:31   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2010-01-01 14:31 . 2009-12-30 14:54   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2010-01-01 10:03 . 2010-01-01 10:03   52224   ----a-w-   c:\documents and settings\Lucia & Stefan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                  2010-01-01 10:03 . 2010-01-01 10:03   117760   ----a-w-   c:\documents and settings\Lucia & Stefan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                  2010-01-01 10:02 . 2010-01-01 10:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2010-01-01 10:00 . 2010-01-01 10:01   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2010-01-01 10:00 . 2010-01-01 10:00   --------   d-----w-   c:\documents and settings\Lucia & Stefan\Application Data\SUPERAntiSpyware.com
                  2010-01-01 09:57 . 2010-01-01 09:57   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                  2009-12-31 12:25 . 2009-12-31 12:25   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
                  2009-12-31 09:54 . 2010-01-01 14:42   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\~0
                  2009-12-31 09:51 . 2010-01-01 14:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
                  2009-12-31 09:50 . 2009-12-30 05:36   2033432   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
                  2009-12-30 05:56 . 2009-12-30 05:36   916248   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
                  2009-12-30 05:37 . 2009-12-30 05:37   --------   d-----w-   C:\$AVG
                  2009-12-30 05:37 . 2009-12-30 05:37   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
                  2009-12-30 05:37 . 2009-12-30 05:37   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
                  2009-12-30 05:37 . 2009-12-30 05:37   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                  2009-12-30 05:37 . 2009-12-30 05:37   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                  2009-12-30 05:36 . 2010-01-05 18:08   --------   d-----w-   c:\windows\system32\drivers\Avg
                  2009-12-30 05:36 . 2009-12-30 05:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
                  2009-12-27 15:44 . 2010-01-01 09:36   --------   d-----w-   c:\program files\Gabest
                  2009-12-27 14:29 . 2009-12-27 14:59   --------   d-----w-   c:\program files\Common Files\Symantec Shared
                  2009-12-27 14:22 . 2009-12-28 13:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
                  2009-12-27 14:22 . 2009-12-27 14:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Symantec
                  2009-12-27 14:22 . 2009-12-27 14:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\NortonInstaller
                  2009-12-25 13:56 . 2009-12-28 15:40   --------   d-----w-   c:\program files\QuickTime
                  2009-12-24 19:24 . 2009-12-24 19:24   --------   d-----w-   c:\program files\Common Files\DivX Shared
                  2009-12-22 19:21 . 2009-12-30 05:53   4043544   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
                  2009-12-22 19:21 . 2009-12-30 05:36   3776280   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
                  2009-12-22 19:21 . 2009-12-19 13:59   294656   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
                  2009-12-22 19:21 . 2009-12-30 05:51   3966744   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
                  2009-12-19 15:11 . 2009-12-19 15:11   --------   d-----w-   c:\documents and settings\Lucia & Stefan\Application Data\Nero
                  2009-12-19 15:08 . 2009-12-19 15:09   --------   d-----w-   c:\program files\Nero
                  2009-12-19 15:07 . 2009-12-19 15:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Nero
                  2009-12-19 15:07 . 2009-12-19 15:10   --------   d-----w-   c:\program files\Common Files\Nero
                  2009-12-19 14:00 . 2009-12-30 05:36   2352920   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2010-01-06 09:29 . 2009-06-09 07:48   --------   d-----w-   c:\program files\DNA
                  2010-01-06 09:29 . 2009-06-09 07:48   --------   d-----w-   c:\documents and settings\Lucia & Stefan\Application Data\DNA
                  2010-01-06 08:11 . 2009-11-14 09:30   0   ----a-w-   c:\documents and settings\Lucia & Stefan\Local Settings\Application Data\prvlcl.dat
                  2010-01-02 10:07 . 2008-08-20 19:27   664   ----a-w-   c:\windows\system32\d3d9caps.dat
                  2010-01-01 16:53 . 2009-01-17 08:28   411368   ----a-w-   c:\windows\system32\deploytk.dll
                  2010-01-01 09:37 . 2009-01-01 10:20   --------   d-----w-   c:\program files\Spybot - Search & Destroy
                  2010-01-01 09:37 . 2009-01-01 10:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                  2009-12-30 05:44 . 2002-03-28 00:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
                  2009-12-28 15:45 . 2009-01-17 08:30   --------   d-----w-   c:\documents and settings\Lucia & Stefan\Application Data\LimeWire
                  2009-12-28 15:45 . 2009-01-17 08:24   --------   d-----w-   c:\program files\LimeWire
                  2009-12-27 17:17 . 2009-11-22 07:30   --------   d-----w-   c:\documents and settings\Lucia & Stefan\Application Data\Skype
                  2009-12-27 16:03 . 2009-11-24 08:02   --------   d-----w-   c:\documents and settings\Lucia & Stefan\Application Data\skypePM
                  2009-12-25 13:56 . 2008-09-27 14:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
                  2009-12-24 19:24 . 2008-09-27 14:23   --------   d-----w-   c:\program files\DivX
                  2009-12-09 16:18 . 2009-11-12 06:40   79488   ----a-w-   c:\documents and settings\Lucia & Stefan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
                  2009-11-24 08:02 . 2009-11-24 08:02   56   ---ha-w-   c:\windows\system32\ezsidmv.dat
                  2009-11-22 06:45 . 2009-11-22 06:43   --------   d-----r-   c:\program files\Skype
                  2009-11-22 06:44 . 2009-11-22 06:44   --------   d-----w-   c:\program files\Common Files\Skype
                  2009-11-22 06:43 . 2009-11-22 06:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
                  2009-11-15 18:34 . 2009-11-15 18:34   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Trusteer
                  2009-11-14 11:01 . 2009-11-14 11:01   --------   d-----w-   c:\documents and settings\Lucia & Stefan\Application Data\Trusteer
                  2009-11-14 11:00 . 2009-11-14 11:00   --------   d-----w-   c:\program files\Trusteer
                  2009-11-14 10:59 . 2009-11-14 10:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\Trusteer
                  2009-11-14 10:58 . 2009-11-14 10:58   144616   ----a-w-   C:\RapportSetup.exe
                  2008-03-09 06:25 . 2009-08-15 06:42   236   ----a-w-   c:\program files\Common Files\dx.reg
                  .

                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
                  "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

                  [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
                  2009-11-25 13:01   1230080   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
                  "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

                  [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
                  "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

                  [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2002-03-27 323392]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-23 185896]
                  "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
                  "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
                  "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]
                  "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-01 149280]

                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                  2009-12-30 05:37   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                  "Wave1"=AntexWAV.DLL
                  "Midi"=AntexWAV.DLL
                  "Mixer"=AntexWAV.DLL

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\WINDOWS\\system32\\mmc.exe"=
                  "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                  "c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
                  "c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
                  "c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
                  "c:\\Program Files\\DNA\\btdna.exe"=
                  "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
                  "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
                  "c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
                  "c:\\Program Files\\O2\\bin\\wificfg.exe"=
                  "c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
                  "c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
                  "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
                  "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
                  "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
                  "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

                  R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [30/12/2009 05:37 333192]
                  R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [30/12/2009 05:37 360584]
                  R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [12/11/2009 09:23 58984]
                  R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [12/11/2009 09:23 334440]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
                  R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [30/12/2009 05:36 285392]
                  R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [12/11/2009 09:23 972008]
                  R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [04/03/2009 15:52 202016]
                  S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2009-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
                  - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://www.google.co.uk/
                  uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
                  uInternet Settings,ProxyOverride = <local>;*.local
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                  IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
                  Trusted Zone: o2.co.uk\*.broadband
                  FF - ProfilePath - c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\
                  FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
                  FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
                  FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
                  FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
                  FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
                  FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
                  FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
                  FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
                  FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
                  FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
                  FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll

                  ---- FIREFOX POLICIES ----
                   .
                  - - - - ORPHANS REMOVED - - - -

                  BHO-{129D5B77-4E2B-4FE2-810F-77B9DD60D2Ad} - c:\windows\System32\d3dx9_2532.dll
                  HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
                  Notify-a469ebf9724 - c:\windows\System32\eappcfg32.dll
                  AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
                  AddRemove-2kv4.8.442 - c:\windows\Radeon Omega Drivers v4.8.442



                  **************************************************************************

                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2010-01-06 09:29
                  Windows 5.1.2600 Service Pack 3 NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------

                  - - - - - - - > 'winlogon.exe'(612)
                  c:\program files\SUPERAntiSpyware\SASWINLO.dll
                  c:\windows\system32\WININET.dll
                  c:\windows\system32\Ati2evxx.dll

                  - - - - - - - > 'explorer.exe'(3668)
                  c:\windows\system32\WININET.dll
                  c:\program files\Trusteer\Rapport\bin\rooksbas.dll
                  c:\program files\Trusteer\Rapport\bin\MSVCR80.dll
                  c:\windows\system32\ieframe.dll
                  c:\windows\system32\webcheck.dll
                  c:\windows\system32\WPDShServiceObj.dll
                  c:\windows\system32\PortableDeviceTypes.dll
                  c:\windows\system32\PortableDeviceApi.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\windows\system32\Ati2evxx.exe
                  c:\windows\system32\Ati2evxx.exe
                  c:\program files\AVG\AVG9\avgchsvx.exe
                  c:\program files\AVG\AVG9\avgrsx.exe
                  c:\program files\AVG\AVG9\avgcsrvx.exe
                  c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                  c:\program files\Bonjour\mDNSResponder.exe
                  c:\program files\Java\jre6\bin\jqs.exe
                  c:\program files\AVG\AVG9\avgnsx.exe
                  c:\windows\system32\wscntfy.exe
                  c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
                  .
                  **************************************************************************
                  .
                  Completion time: 2010-01-06  09:34:08 - machine was rebooted
                  ComboFix-quarantined-files.txt  2010-01-06 09:34

                  Pre-Run: 25,165,131,776 bytes free
                  Post-Run: 25,189,146,624 bytes free

                  WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                  [boot loader]
                  timeout=2
                  default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                  [operating systems]
                  c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                  multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

                  - - End Of File - - 749202DE503D4BC0F23A67F6FA547A8B

                  SuperDave

                  • Malware Removal Specialist
                  • Moderator


                  Re: virus has a left a present
                  « Reply #13 on: January 07, 2010, 05:05:20 PM »
                  ESET Online Scan

                  Scan your computer with the ESET FREE Online Virus Scan

                  * Click the ESET Online Scanner button.

                  * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                      * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
                      * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                  * Place a check mark next to YES, I accept the Terms of Use.

                  * Click the Start button.
                  * Accept any security warnings from your browser.
                  * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                  * Click the Start button.
                  * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                  * When the scan completes, click List of found threats.
                  * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                  * Click the <<Back button then click Finish.

                  In your next reply please include the ESET Online Scan Log

                  egon

                    Topic Starter


                    Rookie

                    Re: virus has a left a present
                    « Reply #14 on: January 09, 2010, 04:03:32 AM »
                    Eset:
                    C:\Qoobox\Quarantine\C\WINDOWS\system32\CRqBd.vbs.vir   VBS/Disabler.NAB trojan   cleaned by deleting - quarantined
                    C:\Qoobox\Quarantine\C\WINDOWS\system32\ids2IZ0.vbs.vir   VBS/Disabler.NAB trojan   cleaned by deleting - quarantined