Computer Hope

Software => Computer viruses and spyware => Topic started by: dyjodapa on September 04, 2010, 06:00:59 PM

Title: virus
Post by: dyjodapa on September 04, 2010, 06:00:59 PM

Hi,

I ran both Malwarebytes and Superanti Spyware both came back clean. But when I scanned with Avast it found 25+ infections. Also this computer cannot get internet. I am posting a HijackThis log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:48 PM, on 9/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Emsisoft\Online Armor\OAcat.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\OAui.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision                                                     - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Online Armor Helper Service (OAcat) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\oasrv.exe

--
End of file - 3957 bytes

Title: Re: virus
Post by: SuperDave on September 05, 2010, 07:12:54 PM

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

You may have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************
Download the Fix IE Utility (http://www.majorgeeks.com/Fix_IE_Utility_d6256.html) to your desktop.

Before running the utility, make sure that all your Internet Explorer windows are closed!

* Extract the contents of the .zip file to your desktop.
* Double click the Fix IE Utility button to run the tool.
* Click Run Utility
* Click OK when you see 'Re-registered all files'
* Open Internet Explorer and see how it works.

Title: Re: virus
Post by: dyjodapa on September 05, 2010, 07:16:31 PM

Dave,

What I meant by the internet isn't working is I don't have any connection to connect it to.

Thanks

Title: Re: virus
Post by: SuperDave on September 06, 2010, 05:13:18 PM

Are you connected to a modem or a router? I don't understand when you say you don't have any connection to connect it to. Please explain.

Title: Re: virus
Post by: dyjodapa on September 06, 2010, 06:34:30 PM

Hi Dave,

Okay most of my connections are to my router. I took a wireless card from a diffrent computer and put it in the infected one. But even though it worked on the other computer in the same location it didn't work on the infected one. The wireless card is a TP link TL-WN353G.

Title: Re: virus
Post by: SuperDave on September 07, 2010, 01:11:53 PM

Please download the Fix IE Utility on another computer and transfer it to the infected computer and follow the instructions in Reply # 1

Title: Re: virus
Post by: dyjodapa on September 07, 2010, 08:31:38 PM

Still no luck getting on the internet.

Title: Re: virus
Post by: SuperDave on September 08, 2010, 10:36:28 AM

Please uninstall HJT from your computer, download this one and run another scan. The previous scan seems incomplete. Also run these other scans and post the logs.

Please download: HiJackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe) to your Desktop.

• Double Click the HijackThis icon, located on your Desktop.
  
• By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
• Accept the license agreement.
• Click the Open the Misc Tools section button.
  
• Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
  
• Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
  
• Please post the log in your next reply.
  

************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
**************************************
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Title: Re: virus
Post by: dyjodapa on September 09, 2010, 03:09:50 PM

Here are the logs.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:36 PM, on 9/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Emsisoft\Online Armor\OAcat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TP-LINK\TL-WN313G_353G_353GD\RtWLan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (filesize 75128 bytes, MD5 E96C752BBA0E22330A43258FC800200E)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 256112 bytes, MD5 783AD24A77CD964B9888F27535FCC56E)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (filesize 762864 bytes, MD5 927558FA159FED54852692D729039E67)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (filesize 458736 bytes, MD5 CB84DFAFF68CD27E840251343B9B8E99)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 256112 bytes, MD5 783AD24A77CD964B9888F27535FCC56E)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (filesize 34672 bytes, MD5 69B16C7B7746BA5C642FC05B3561FC73)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\OAui.exe" (filesize 6854984 bytes, MD5 83A94A797C3D23EF02AFA5F73B691D0C)
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (filesize 68856 bytes, MD5 E616A6A6E91B0A86F2F6217CDE835FFE)
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: TP-LINK Wireless Utility.lnk = C:\Program Files\TP-LINK\TL-WN313G_353G_353GD\RtWLan.exe (filesize 790528 bytes, MD5 0CD0E64A950F2A5B9F5BF9FE982F2304)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll (filesize 103792 bytes, MD5 6DE7BF0DADC0881F7ED82D9FCC998B89)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLLC:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeC:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeC:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision                                                     - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exeC:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Online Armor Helper Service (OAcat) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\OAcat.exeC:\Program Files\Emsisoft\Online Armor\OAcat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\oasrv.exeC:\Program Files\Emsisoft\Online Armor\oasrv.exe

--
End of file - 5732 bytes


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/08/2010 at 10:44 PM

Application Version : 4.41.1000

Core Rules Database Version : 5472
Trace Rules Database Version: 3284

Scan type       : Complete Scan
Total Scan Time : 03:48:03

Memory items scanned      : 377
Memory threats detected   : 0
Registry items scanned    : 3658
Registry threats detected : 0
File items scanned        : 73366
File threats detected     : 11

Adware.Unknown Origin
   C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\FFIW\FFIWD\CLASS-BARREL.VIR
   C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\FFIW\FFIWD\VOCABULARY.VIR

Adware.ClickSpring
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{F33DCF01-FD1C-46EA-996C-995155498677}\RP88\A0051186.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{F33DCF01-FD1C-46EA-996C-995155498677}\RP88\A0051187.EXE

Trojan.Fake-Drop/Gen
   C:\WINNT\BASE64.TMP
   C:\WINNT\ZIP1.TMP
   C:\WINNT\ZIP2.TMP
   C:\WINNT\ZIP3.TMP
   C:\WINNT\ZIPPED.TMP

Trojan.Unknown Origin
   C:\WINNT\SYSTEM32\NIPGBATCFQH.BMP

Browser Hijacker.Rogue-Gen
   C:\WINNT\WEB\DEF.HTM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

9/9/2010 8:28:28 AM
mbam-log-2010-09-09 (08-28-28).txt

Scan type: Full scan (C:\|)
Objects scanned: 203429
Time elapsed: 55 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Title: Re: virus
Post by: SuperDave on September 09, 2010, 04:16:10 PM

Download Disable/Remove Windows Messenger  (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

***********************************

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
*************************************
Download ComboFix by sUBs from one of the below links. 

Important! You MUST save ComboFix to your desktop

link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)

Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double click on ComboFix.exe & follow the prompts.

Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.
 
Post the contents of that log in your next reply.

Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

Title: Re: virus
Post by: dyjodapa on September 09, 2010, 05:20:11 PM

here is the log

ComboFix 10-09-09.03 - Williamson 09/09/2010  18:06:39.2.1 - x86
Running from: E:\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Defender Pro Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Defender Pro Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2010-08-09 to 2010-09-09  )))))))))))))))))))))))))))))))
.

2010-09-09 21:33 . 2010-09-09 21:33   --------   d-----w-   c:\windows\LastGood
2010-09-07 00:16 . 2010-09-07 00:16   21035   ----a-w-   c:\windows\system32\drivers\AegisP.sys
2010-09-07 00:15 . 2007-07-18 20:22   306688   ----a-w-   c:\windows\system32\drivers\rtl8185.sys
2010-09-07 00:15 . 2006-11-15 21:23   38144   ----a-w-   c:\windows\system32\drivers\EAPPkt.sys
2010-09-07 00:15 . 2010-09-07 00:15   --------   d-----w-   c:\windows\system32\TP-LINK Wireless Adapter Driver and Utility
2010-09-07 00:15 . 2010-09-07 00:15   --------   d-----w-   c:\program files\TP-LINK
2010-09-04 18:12 . 2010-09-04 18:13   --------   d-----w-   c:\documents and settings\Williamson\Application Data\OnlineArmor
2010-09-04 18:12 . 2010-09-04 18:12   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\OnlineArmor
2010-08-26 02:12 . 2010-09-08 22:36   63488   ----a-w-   c:\documents and settings\Williamson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-26 02:12 . 2010-08-26 02:12   52224   ----a-w-   c:\documents and settings\Williamson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-26 02:11 . 2010-09-08 22:35   117760   ----a-w-   c:\documents and settings\Williamson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-26 02:09 . 2010-08-26 02:10   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-08-26 02:06 . 2010-07-07 17:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2010-08-26 02:06 . 2010-07-07 17:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2010-08-26 02:06 . 2010-07-07 17:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2010-08-26 02:06 . 2010-08-26 02:06   --------   d-----w-   c:\program files\Emsisoft
2010-08-26 00:39 . 2010-06-28 20:32   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-08-26 00:39 . 2010-06-28 20:37   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-08-26 00:39 . 2010-06-28 20:33   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-08-26 00:39 . 2010-06-28 20:37   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-08-26 00:39 . 2010-06-28 20:32   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-08-26 00:39 . 2010-06-28 20:32   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-08-26 00:39 . 2010-06-28 20:32   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-08-26 00:38 . 2010-06-28 20:57   38848   ----a-w-   c:\windows\avastSS.scr
2010-08-26 00:38 . 2010-06-28 20:57   165032   ----a-w-   c:\windows\system32\aswBoot.exe
2010-08-26 00:38 . 2010-08-26 00:38   --------   d-----w-   c:\program files\Alwil Software
2010-08-26 00:38 . 2010-08-26 00:38   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-08-20 18:01 . 2001-08-18 03:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
2010-08-20 18:01 . 2004-08-04 04:58   15104   -c--a-w-   c:\windows\system32\dllcache\usbscan.sys
2010-08-20 18:01 . 2004-08-04 04:58   15104   ----a-w-   c:\windows\system32\drivers\usbscan.sys
2010-08-20 18:01 . 2004-08-04 06:56   159232   ----a-w-   c:\windows\system32\ptpusd.dll
2010-08-20 00:59 . 2010-08-20 00:59   --------   d-----w-   c:\documents and settings\Williamson\Application Data\InstallShield
2010-08-20 00:18 . 2010-08-20 00:18   --------   d-----w-   c:\documents and settings\Williamson\Application Data\Malwarebytes
2010-08-20 00:18 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-20 00:18 . 2010-08-20 00:18   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-08-20 00:18 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-08-20 00:18 . 2010-08-20 00:18   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-08-19 17:50 . 2009-11-27 17:33   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
2010-08-19 17:50 . 2009-11-27 17:33   1291264   -c----w-   c:\windows\system32\dllcache\quartz.dll
2010-08-19 17:50 . 2009-12-14 07:35   33280   -c----w-   c:\windows\system32\dllcache\csrsrv.dll
2010-08-19 17:50 . 2010-02-26 06:12   474112   -c----w-   c:\windows\system32\dllcache\shlwapi.dll
2010-08-19 17:50 . 2008-10-23 13:01   283648   -c----w-   c:\windows\system32\dllcache\gdi32.dll
2010-08-19 17:49 . 2009-08-05 09:11   204800   -c----w-   c:\windows\system32\dllcache\mswebdvd.dll
2010-08-18 16:23 . 2010-08-18 16:23   --------   d-----w-   c:\documents and settings\Williamson\Local Settings\Application Data\Identities
2010-08-18 16:09 . 2010-08-18 16:09   --------   d-----w-   c:\documents and settings\Williamson\Local Settings\Application Data\Adobe
2010-08-18 00:44 . 2010-08-18 00:44   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-08-18 00:44 . 2010-08-18 00:44   --------   d-----w-   c:\documents and settings\Williamson\Application Data\SUPERAntiSpyware.com
2010-08-17 23:53 . 2010-08-17 23:53   --------   d-----w-   c:\program files\Trend Micro

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 00:15 . 2002-03-21 00:12   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-08-24 02:42 . 2010-01-01 22:26   --------   d-----w-   c:\program files\Common Files\BitDefender
2010-08-24 02:41 . 2010-01-11 02:47   81984   ----a-w-   c:\windows\system32\bdod.bin
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\OAui.exe" [2010-07-07 6854984]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
TP-LINK Wireless Utility.lnk - c:\program files\TP-LINK\TL-WN313G_353G_353GD\RtWLan.exe [2010-9-6 790528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/25/2010 7:39 PM 165456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [8/25/2010 9:06 PM 236104]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [8/25/2010 9:06 PM 22600]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [8/25/2010 9:06 PM 28232]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/25/2010 7:39 PM 17744]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [9/6/2010 7:15 PM 38144]
R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [8/25/2010 9:06 PM 1283400]
S2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [8/25/2010 9:06 PM 3364680]
.
Contents of the 'Scheduled Tasks' folder

2008-05-11 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2001-08-30 07:56]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 18:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(448)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-09-09  18:23:54
ComboFix-quarantined-files.txt  2010-09-09 23:23
ComboFix2.txt  2010-09-06 06:11

Pre-Run: 2,842,435,584 bytes free
Post-Run: 2,902,962,176 bytes free

- - End Of File - - 9367A6B62AA466156924C53B223BDD0D

Title: Re: virus
Post by: SuperDave on September 10, 2010, 01:21:23 PM

The log shows that you're running two AV programs on your computer. avast! Antivirus and Defender Pro Antivirus. You should never run more than one AV and on firewall progam on your computer. One will have to be disabled. You can still use both for scanning purposes.

Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.
• Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Title: Re: virus
Post by: dyjodapa on September 10, 2010, 03:58:29 PM

Dave,

When I try to save the log i get a message that says not enough system resources to save.

Title: Re: virus
Post by: SuperDave on September 10, 2010, 04:32:12 PM

How much RAM are you running? (Right-click on My Computer and select Properties. You should see how much RAM you have.) How much free space do you have on your C: drive? ( Open My Computer, right-click on the C: drive and you will see how much free space you have.)

Title: Re: virus
Post by: dyjodapa on September 10, 2010, 04:47:40 PM

128MB of ram and free space on hard drive 2.72 GB.

Title: Re: virus
Post by: SuperDave on September 10, 2010, 05:41:37 PM

You need at least 15% free space otherwise, you're going to have problems running your computer. You will have to find some way of freeing up more space on your C drive. Transfer some personal files to a second or external drive or save them on DVD-RW's .

Title: Re: virus
Post by: dyjodapa on September 11, 2010, 01:57:36 PM

Hi Dave,

I got the free space up to 8.42 GB on a 16.8 GB drive I will try the GMER scan again.

Title: Re: virus
Post by: dyjodapa on September 11, 2010, 02:42:30 PM

I still got the same error.

Title: Re: virus
Post by: dyjodapa on September 11, 2010, 03:33:02 PM

Hi,

I just ran Avast! on the infected computer no infections found.

Title: Re: virus
Post by: SuperDave on September 11, 2010, 05:42:28 PM

Please try this one.
* Download the following tool: RootRepeal - Rootkit Detector (http://rootrepeal.googlepages.com/)
* Direct download link is here: RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip)

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.