PDA

View Full Version : Computer badly infested - not even connecting to the internet anymore



joy12
2009-02-12, 16:43
Hi,

I hope someone can help me with this...pleaseeee...

My netbook has been infected majorly by I dont know what all and how many viruses, malware trojans etc!! Basically I am totally lost...

I have so many viruses thats its not even funny anymore...it is so serious that I cannot even connect to the internet now damn it...

I use windows xp home version...

I have avg antivirus nd superantivirus free edition on my computer...even tried eset anti virus

please don't ask me to download anything as my internet apparently is not working so its impossible for me to download anything...

just now i ran a scan and discovered i had rootkit.seneka-trace

earlier i was facing problems with firefox as anything i searched on google was getting redirected to something else... i unistalled my firefox...and started working on chrome which is now facing problems as in without the connection its trying to get on to onlinenotify.net...


also i have been getting messages of shutdown from nt authority...my task manager got disabled...but i enabled it now...also my ipod wont work on my computer now as my mobile device has stopped working...its as if hell has broken on my head...god damn it...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:56:29, on 11/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Eset\nod32.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=5090109
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-...tml?channel=uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-...tml?channel=uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=5090109
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/de......;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/de......;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-...tml?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=5090109
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=e...mp;ibd=5090109
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O18 - Protocol: linkscanner - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8912 bytes


Please look at this log file and please guide me



Thanks in advance

Blade81
2009-02-15, 16:31
Hi

Uninstall either AVG or NOD32 since it's not recommended to have multiple antivirus (or firewall) programs running at the same time.

Then you need to follow next instructions. If you can't access internet with infected system then please use the one you have access working to download ComboFix and then transfer it to infected system.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

joy12
2009-02-17, 20:19
Thanks so much!!

I ran the combofix it says I have rootkit activity in my computer

here are the rootkits

c:\windows\system32\drivers\senekaobxmimov.sys
c:\windows\system32\senekaxnsvxbnr.dll
c:\windows\system32\senekatqeutofy.dat
c:\windows\system32\senekabxlhxtuc.dll
c:\windows\system32\senekaanmivpfa.dll
c:\windows\system32\senekabqevddve.dat

Blade81
2009-02-17, 20:33
Hi,

Please, let ComboFix finish it work and post the logs when ready :)

joy12
2009-02-18, 05:38
Combofix didnt fix my computer...
Oh my god...I can just see my wallpaper on my computer now...I can't see anything else...!!! after running combofix! Please tell me what has gone so wrong!!!...

Thanks in advance!

Blade81
2009-02-18, 11:49
Hi,

Please calm down. Could you tell me what did you do there? Did you/ComboFix reboot the system yet?

joy12
2009-02-18, 17:17
Hi Blade...

Thanks a lot...

I opened my task manager and ran a new task explorer and everything came back :P

Here is my combofix log...please let me know if everything is fine or not...Cheers again thanks for helping me out!

ComboFix 09-02-15.01 - Dev Nijhara 2009-02-17 18:17:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.702 [GMT 0:00]
Running from: c:\documents and settings\Dev Nijhara\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\DEVNIJ~1\LOCALS~1\Temp\mousehook.dll
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\ahtn.htm
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaobxmimov.sys
c:\windows\system32\init32.exe
c:\windows\system32\ntdll64.exe
c:\windows\system32\senekaanmivpfa.dll
c:\windows\system32\senekabqevddve.dat
c:\windows\system32\senekabxlhxduc.dll
c:\windows\system32\senekatqeutofy.dat
c:\windows\system32\senekaxnsvxbnr.dll
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winlogon2.exe
c:\windows\system32\x64
c:\windows\Tasks\dssworde.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-13 12:20 . 2009-02-14 13:11 664 --a------ c:\windows\system32\d3d9caps.dat
2009-02-11 13:18 . 2009-02-16 18:51 <DIR> d-------- c:\program files\ESET
2009-02-11 00:57 . 2009-02-11 00:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-10 16:52 . 2009-02-10 16:52 <DIR> d---s---- c:\windows\system32\config\systemprofile\UserData
2009-02-10 16:52 . 2009-02-10 16:52 104,960 --a--c--- c:\windows\system32\dllcache\userinit.exe
2009-02-08 23:11 . 2009-02-08 23:12 <DIR> d-------- c:\program files\Trend Micro(TM) Internet Security
2009-02-08 22:58 . 2009-02-08 23:32 <DIR> d-------- c:\program files\Trend Micro
2009-02-08 22:15 . 2009-02-08 22:15 <DIR> d-------- C:\Sandbox
2009-02-08 22:15 . 2009-02-08 22:15 <DIR> d-------- c:\program files\Sandboxie
2009-02-08 22:15 . 2009-02-10 01:06 1,370 --a------ c:\windows\Sandboxie.ini
2009-02-08 22:05 . 2009-02-08 22:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-08 22:04 . 2009-02-08 22:04 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-08 22:04 . 2009-02-08 22:04 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\SUPERAntiSpyware.com
2009-02-08 22:03 . 2009-02-08 22:03 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-08 14:39 . 2009-02-10 23:09 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-08 14:34 . 2009-02-08 14:34 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-08 14:34 . 2009-02-08 14:34 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-08 14:34 . 2009-02-08 14:34 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-08 14:33 . 2009-02-10 10:32 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-08 14:33 . 2009-02-10 01:55 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\AVGTOOLBAR
2009-02-08 14:32 . 2009-02-08 14:32 <DIR> d-------- c:\program files\AVG
2009-02-08 14:32 . 2009-02-08 16:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-08 03:07 . 2009-02-08 03:07 <DIR> d-------- c:\windows\system32\wp2
2009-02-08 03:07 . 2009-02-08 03:07 <DIR> d-------- c:\temp\sTMP3
2009-02-08 03:07 . 2009-02-17 18:17 <DIR> d-------- C:\Temp
2009-02-08 02:37 . 2009-02-08 02:37 <DIR> d-------- c:\windows\Sun
2009-02-04 23:13 . 2009-02-04 23:13 518,260 --a------ c:\windows\system32\PerfStringBackup.TMP_001
2009-02-04 22:18 . 2009-01-09 07:55 <DIR> d-------- c:\documents and settings\Administrator\Bluetooth Software
2009-02-04 22:18 . 2009-01-09 08:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-02-04 22:18 . 2009-02-11 01:06 <DIR> d-------- c:\documents and settings\Administrator
2009-02-04 11:20 . 2009-02-04 11:20 <DIR> d-------- c:\program files\Kaspersky Lab
2009-02-04 11:10 . 2009-02-04 11:10 <DIR> d-------- C:\KAV
2009-02-03 15:21 . 2009-02-03 15:21 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\Malwarebytes
2009-02-03 15:21 . 2009-02-03 15:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 22:34 . 2009-01-31 22:34 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\DivX
2009-01-28 13:54 . 2009-02-07 01:23 <DIR> d-------- c:\program files\PFG FX Trader
2009-01-28 03:10 . 2009-01-28 03:13 <DIR> d-------- c:\program files\DivX
2009-01-26 17:55 . 2009-01-26 17:55 <DIR> d-------- c:\program files\IrfanView
2009-01-26 13:24 . 2009-02-07 01:23 <DIR> d-------- c:\program files\Common Files\Real
2009-01-22 12:17 . 2009-01-22 12:17 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\Template
2009-01-22 12:16 . 2009-01-22 12:16 0 --a------ c:\documents and settings\Dev Nijhara\Application Data\wklnhst.dat
2009-01-22 00:16 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-22 00:15 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-22 00:12 . 2009-02-11 00:14 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\Apple Computer
2009-01-22 00:12 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-22 00:12 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-22 00:10 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-01-22 00:10 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-22 00:09 . 2009-01-22 00:12 <DIR> d-------- c:\program files\iTunes
2009-01-22 00:09 . 2009-01-22 00:09 <DIR> d-------- c:\program files\iPod
2009-01-22 00:09 . 2009-01-22 00:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-22 00:09 . 2008-10-16 01:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-01-22 00:09 . 2008-10-16 01:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-01-22 00:08 . 2009-01-22 00:08 <DIR> d-------- c:\program files\Bonjour
2009-01-22 00:08 . 2008-10-16 01:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-01-22 00:05 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-22 00:05 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-22 00:05 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-22 00:05 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-22 00:05 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-22 00:04 . 2008-12-12 17:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-01-22 00:03 . 2009-01-22 00:07 <DIR> d-------- c:\program files\QuickTime
2009-01-22 00:03 . 2009-01-22 00:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-22 00:02 . 2009-01-22 00:02 <DIR> d-------- c:\program files\Apple Software Update
2009-01-22 00:01 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-01-22 00:00 . 2009-01-22 00:00 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-22 00:00 . 2009-01-22 00:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-21 23:56 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-01-21 23:50 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-21 23:36 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-21 23:36 . 2008-10-03 10:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-01-21 23:31 . 2008-05-09 10:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
2009-01-21 23:31 . 2008-05-09 10:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
2009-01-21 23:31 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-21 23:31 . 2008-05-09 10:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
2009-01-21 23:31 . 2008-05-09 10:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
2009-01-21 23:31 . 2008-05-08 11:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
2009-01-21 23:31 . 2008-05-09 08:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
2009-01-21 23:31 . 2008-05-09 10:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
2009-01-21 14:36 . 2008-09-10 01:14 1,307,648 -----c--- c:\windows\system32\dllcache\msxml6.dll
2009-01-21 14:12 . 2009-01-21 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Dell
2009-01-21 14:06 . 2009-01-21 14:06 376 --a------ c:\windows\ODBC.INI
2009-01-21 14:05 . 2004-03-22 15:17 24,816 --a------ c:\windows\system32\mdimon.dll
2009-01-21 14:02 . 2009-01-21 14:02 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-01-21 14:00 . 2009-01-21 14:00 <DIR> d-------- c:\windows\SHELLNEW
2009-01-21 14:00 . 2009-01-21 14:00 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-21 13:45 . 2009-01-21 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Creative
2009-01-21 13:44 . 2009-01-21 13:44 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\Creative
2009-01-21 12:59 . 2009-01-21 12:59 0 --a------ c:\windows\nsreg.dat
2009-01-21 12:32 . 2008-04-14 12:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-21 12:31 . 2009-01-09 07:55 <DIR> d-------- c:\documents and settings\Dev Nijhara\Bluetooth Software
2009-01-21 12:31 . 2009-01-09 08:16 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\InstallShield
2009-01-21 12:31 . 2009-02-03 15:25 <DIR> d-------- c:\documents and settings\Dev Nijhara
2009-01-21 12:30 . 2009-01-09 07:55 <DIR> d-------- c:\windows\system32\config\systemprofile\Bluetooth Software
2009-01-21 12:29 . 2009-01-09 07:55 <DIR> d-------- c:\documents and settings\Default User\Bluetooth Software
2009-01-21 12:25 . 2009-01-21 12:25 8,192 --a------ c:\windows\REGLOCS.OLD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 16:52 104,960 ----a-w c:\windows\system32\userinit.exe
2009-02-08 23:19 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-07 04:59 --------- d-----w c:\program files\Google
2009-02-01 01:48 --------- d-----w c:\program files\Dell Video Chat
2009-01-09 13:37 --------- d-----w c:\program files\Synaptics
2009-01-09 09:24 3,484 ----a-w c:\windows\system32\drivers\1028_Dell_INS_910.mrk
2009-01-09 08:23 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2009-01-09 08:23 --------- d-----w c:\documents and settings\All Users\Application Data\PCDr
2009-01-09 08:23 --------- d-----w c:\documents and settings\All Users\Application Data\PC-Doctor
2009-01-09 08:21 --------- d-----w c:\program files\Dell Support Center
2009-01-09 08:20 --------- d-----w c:\program files\Common Files\supportsoft
2009-01-09 08:20 --------- d-----w c:\program files\Citrix
2009-01-09 08:20 --------- d-----w c:\program files\box.net
2009-01-09 08:17 --------- d-----w c:\program files\Creative
2009-01-09 08:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-09 08:16 --------- d-----w c:\program files\Dell Webcam
2009-01-09 08:16 --------- d-----w c:\program files\Common Files\Reallusion
2009-01-09 08:13 --------- d-----w c:\program files\Creative Live! Cam
2009-01-09 08:13 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-09 08:11 --------- d-----w c:\program files\Microsoft Works
2009-01-09 08:01 --------- d-----w c:\program files\Dell
2009-01-09 08:00 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 07:59 --------- d-----w c:\program files\Wireless Select Switch
2009-01-09 07:57 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-09 07:56 --------- d-----w c:\program files\Battery Meter
2009-01-09 07:56 --------- d-----w c:\documents and settings\All Users\Application Data\XP32
2009-01-09 07:56 --------- d-----w c:\documents and settings\All Users\Application Data\Vista64
2009-01-09 07:56 --------- d-----w c:\documents and settings\All Users\Application Data\Vista32
2009-01-09 07:53 --------- d-----w c:\program files\WIDCOMM
2009-01-09 07:53 --------- d-----w c:\program files\Java
2009-01-09 07:51 --------- d-----w c:\program files\Common Files\Java
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
.

------- Sigcheck -------

2008-04-14 12:00 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe

2008-04-14 12:00 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll

2008-04-14 12:00 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll

2008-08-20 04:58 666624 94418f53d2612c26dbadc04dafbc197c c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
2008-10-16 01:04 667136 e8fce58a470999350f64c591557f9e42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
2008-10-16 01:00 666112 1576318bf08d28cc61d1278114ad8d5b c:\windows\system32\wininet.dll
2008-10-16 01:00 666112 1576318bf08d28cc61d1278114ad8d5b c:\windows\system32\dllcache\wininet.dll

2008-06-20 11:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys

2008-04-14 12:00 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe

2008-04-14 12:00 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-14 12:00 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys

2008-08-14 15:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2008-08-14 09:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-08-14 09:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe

2008-08-14 16:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2008-08-14 10:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-08-14 10:09 2145280 f6f8245b3a2e9ca834dd318e7ae0c6d0 c:\windows\system32\ntoskrnl.exe
2008-08-14 10:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\dllcache\ntoskrnl.exe

2008-04-14 12:00 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe

2008-04-14 12:00 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe

2008-04-14 12:00 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe

2008-04-14 12:00 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe

2008-04-14 12:00 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe

2009-02-10 16:52 104960 58bb7133a2f943f69a5bd91331dbec7b c:\windows\system32\userinit.exe
2009-02-10 16:52 104960 58bb7133a2f943f69a5bd91331dbec7b c:\windows\system32\dllcache\userinit.exe

2008-04-14 12:00 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll

2008-04-14 12:00 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\system32\kernel32.dll

2008-04-14 12:00 17408 50a166237a0fa771261275a405646cc0 c:\windows\system32\powrprof.dll

2008-04-14 12:00 110080 0da85218e92526972a821587e6a8bf8f c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-09 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-01-05 336896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-14 1343488]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2008-09-18 546088]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-08 1601304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-07-30 604776]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-09 08:19 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-08 14:34 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-01-09 14248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-08 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-08 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-08 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-08 298264]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-01-09 93968]
R3 OA004Afx;Provides a software interface to control audio effects of OA004 camera.;c:\windows\system32\drivers\OA004Afx.sys [2009-01-09 148056]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2009-01-09 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2009-01-09 269760]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2009-01-05 103936]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9169d30-f205-11dd-bee3-002269c8d52b}]
\Shell\AutoRun\command - D:\jiwsxh39.exe
\Shell\explore\Command - D:\jiwsxh39.exe
\Shell\open\Command - D:\jiwsxh39.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1415498907-2106810913-1699811203-1006.job
- c:\documents and settings\Dev Nijhara\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-23 18:33]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 18:19:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-02-17 18:21:34
ComboFix-quarantined-files.txt 2009-02-17 18:21:31

Pre-Run: 737,923,072 bytes free
Post-Run: 1,106,259,968 bytes free

305 --- E O F --- 2009-01-25 16:24:01

joy12
2009-02-18, 17:19
here is my hijack this log file...

Is my computer safe and secure?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:18:36, on 18/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Dev Nijhara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dev Nijhara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dev Nijhara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dev Nijhara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dev Nijhara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8661 bytes

joy12
2009-02-18, 19:16
Ran a quick scan on superantispyware...no detections
ran a complete scan on avg found trojan horse sheur2.pye... 3 infections...
why do i still have trojans??

joy12
2009-02-18, 19:36
Hi,

I restarted my computer again it came out as blank screen showing only my wallpaper then i had to open task manager and go through the same process of starting a new task explorer!...why isnt my explorer functioning properly?

Blade81
2009-02-18, 19:49
Hi,

Cleaning process is not finished yet. Please don't take any action (running scanners included) not mentioned in my instructions.



Start hjt, do a system scan, check (if found):
O18 - Protocol: linkscanner - (no CLSID) - (no file)

Close browsers and fix checked.


Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 12 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.



Open notepad and copy/paste the text in the quotebox below into it:



File::
D:\jiwsxh39.exe

Folder::
c:\windows\system32\wp2
c:\temp\sTMP3

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9169d30-f205-11dd-bee3-002269c8d52b}]



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

joy12
2009-02-19, 13:25
Thanks for everything Blade...appreciated...
here is my combofix log
ComboFix 09-02-15.01 - Dev Nijhara 2009-02-19 0:29:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.602 [GMT 0:00]
Running from: c:\documents and settings\Dev Nijhara\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dev Nijhara\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
D:\jiwsxh39.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\sTMP3
c:\temp\sTMP3\cxI.log
c:\windows\system32\wp2

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-18 23:38 . 2009-02-18 23:37 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-18 23:38 . 2009-02-18 23:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-18 23:34 . 2009-02-18 23:34 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-13 12:20 . 2009-02-14 13:11 664 --a------ c:\windows\system32\d3d9caps.dat
2009-02-11 13:18 . 2009-02-16 18:51 <DIR> d-------- c:\program files\ESET
2009-02-11 00:57 . 2009-02-11 00:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-10 16:52 . 2009-02-10 16:52 <DIR> d---s---- c:\windows\system32\config\systemprofile\UserData
2009-02-08 23:11 . 2009-02-08 23:12 <DIR> d-------- c:\program files\Trend Micro(TM) Internet Security
2009-02-08 22:58 . 2009-02-08 23:32 <DIR> d-------- c:\program files\Trend Micro
2009-02-08 22:15 . 2009-02-08 22:15 <DIR> d-------- C:\Sandbox
2009-02-08 22:15 . 2009-02-08 22:15 <DIR> d-------- c:\program files\Sandboxie
2009-02-08 22:15 . 2009-02-10 01:06 1,370 --a------ c:\windows\Sandboxie.ini
2009-02-08 22:05 . 2009-02-08 22:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-08 22:04 . 2009-02-08 22:04 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-08 22:04 . 2009-02-08 22:04 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\SUPERAntiSpyware.com
2009-02-08 22:03 . 2009-02-08 22:03 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-08 14:39 . 2009-02-19 00:01 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-08 14:34 . 2009-02-08 14:34 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-08 14:34 . 2009-02-08 14:34 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-08 14:34 . 2009-02-08 14:34 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-08 14:33 . 2009-02-18 15:11 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-08 14:33 . 2009-02-10 01:55 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\AVGTOOLBAR
2009-02-08 14:32 . 2009-02-08 14:32 <DIR> d-------- c:\program files\AVG
2009-02-08 14:32 . 2009-02-08 16:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-08 03:07 . 2009-02-19 00:29 <DIR> d-------- C:\Temp
2009-02-08 02:37 . 2009-02-08 02:37 <DIR> d-------- c:\windows\Sun
2009-02-04 23:13 . 2009-02-04 23:13 518,260 --a------ c:\windows\system32\PerfStringBackup.TMP_001
2009-02-04 22:18 . 2009-01-09 07:55 <DIR> d-------- c:\documents and settings\Administrator\Bluetooth Software
2009-02-04 22:18 . 2009-01-09 08:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-02-04 22:18 . 2009-02-11 01:06 <DIR> d-------- c:\documents and settings\Administrator
2009-02-04 11:20 . 2009-02-04 11:20 <DIR> d-------- c:\program files\Kaspersky Lab
2009-02-04 11:10 . 2009-02-04 11:10 <DIR> d-------- C:\KAV
2009-02-03 15:21 . 2009-02-03 15:21 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\Malwarebytes
2009-02-03 15:21 . 2009-02-03 15:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 22:34 . 2009-01-31 22:34 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\DivX
2009-01-28 13:54 . 2009-02-07 01:23 <DIR> d-------- c:\program files\PFG FX Trader
2009-01-28 03:10 . 2009-01-28 03:13 <DIR> d-------- c:\program files\DivX
2009-01-26 17:55 . 2009-01-26 17:55 <DIR> d-------- c:\program files\IrfanView
2009-01-26 13:24 . 2009-02-07 01:23 <DIR> d-------- c:\program files\Common Files\Real
2009-01-22 12:17 . 2009-01-22 12:17 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\Template
2009-01-22 12:16 . 2009-01-22 12:16 0 --a------ c:\documents and settings\Dev Nijhara\Application Data\wklnhst.dat
2009-01-22 00:16 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-22 00:15 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-22 00:12 . 2009-02-11 00:14 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\Apple Computer
2009-01-22 00:12 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-22 00:12 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-22 00:10 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-01-22 00:10 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-22 00:09 . 2009-01-22 00:12 <DIR> d-------- c:\program files\iTunes
2009-01-22 00:09 . 2009-01-22 00:09 <DIR> d-------- c:\program files\iPod
2009-01-22 00:09 . 2009-01-22 00:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-22 00:09 . 2008-10-16 01:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-01-22 00:09 . 2008-10-16 01:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-01-22 00:08 . 2009-01-22 00:08 <DIR> d-------- c:\program files\Bonjour
2009-01-22 00:08 . 2008-10-16 01:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-01-22 00:05 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-22 00:05 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-22 00:05 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-22 00:05 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-22 00:05 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-22 00:04 . 2008-12-12 17:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-01-22 00:03 . 2009-01-22 00:07 <DIR> d-------- c:\program files\QuickTime
2009-01-22 00:03 . 2009-01-22 00:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-22 00:02 . 2009-01-22 00:02 <DIR> d-------- c:\program files\Apple Software Update
2009-01-22 00:01 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-01-22 00:00 . 2009-01-22 00:00 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-22 00:00 . 2009-01-22 00:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-21 23:56 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-01-21 23:50 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-21 23:36 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-21 23:36 . 2008-10-03 10:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-01-21 23:31 . 2008-05-09 10:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
2009-01-21 23:31 . 2008-05-09 10:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
2009-01-21 23:31 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-21 23:31 . 2008-05-09 10:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
2009-01-21 23:31 . 2008-05-09 10:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
2009-01-21 23:31 . 2008-05-08 11:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
2009-01-21 23:31 . 2008-05-09 08:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
2009-01-21 23:31 . 2008-05-09 10:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
2009-01-21 14:36 . 2008-09-10 01:14 1,307,648 -----c--- c:\windows\system32\dllcache\msxml6.dll
2009-01-21 14:12 . 2009-01-21 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Dell
2009-01-21 14:06 . 2009-01-21 14:06 376 --a------ c:\windows\ODBC.INI
2009-01-21 14:05 . 2004-03-22 15:17 24,816 --a------ c:\windows\system32\mdimon.dll
2009-01-21 14:02 . 2009-01-21 14:02 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-01-21 14:00 . 2009-01-21 14:00 <DIR> d-------- c:\windows\SHELLNEW
2009-01-21 14:00 . 2009-01-21 14:00 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-21 13:45 . 2009-01-21 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Creative
2009-01-21 13:44 . 2009-01-21 13:44 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\Creative
2009-01-21 12:59 . 2009-01-21 12:59 0 --a------ c:\windows\nsreg.dat
2009-01-21 12:32 . 2008-04-14 12:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-21 12:31 . 2009-01-09 07:55 <DIR> d-------- c:\documents and settings\Dev Nijhara\Bluetooth Software
2009-01-21 12:31 . 2009-01-09 08:16 <DIR> d-------- c:\documents and settings\Dev Nijhara\Application Data\InstallShield
2009-01-21 12:31 . 2009-02-03 15:25 <DIR> d-------- c:\documents and settings\Dev Nijhara
2009-01-21 12:30 . 2009-01-09 07:55 <DIR> d-------- c:\windows\system32\config\systemprofile\Bluetooth Software
2009-01-21 12:29 . 2009-01-09 07:55 <DIR> d-------- c:\documents and settings\Default User\Bluetooth Software
2009-01-21 12:25 . 2009-01-21 12:25 8,192 --a------ c:\windows\REGLOCS.OLD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 23:37 --------- d-----w c:\program files\Java
2009-02-18 23:32 --------- d-----w c:\program files\Common Files\Adobe
2009-02-10 16:52 104,960 ----a-w c:\windows\system32\userinit.exe
2009-02-08 23:19 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-07 04:59 --------- d-----w c:\program files\Google
2009-02-01 01:48 --------- d-----w c:\program files\Dell Video Chat
2009-01-09 13:37 --------- d-----w c:\program files\Synaptics
2009-01-09 09:24 3,484 ----a-w c:\windows\system32\drivers\1028_Dell_INS_910.mrk
2009-01-09 08:23 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2009-01-09 08:23 --------- d-----w c:\documents and settings\All Users\Application Data\PCDr
2009-01-09 08:23 --------- d-----w c:\documents and settings\All Users\Application Data\PC-Doctor
2009-01-09 08:21 --------- d-----w c:\program files\Dell Support Center
2009-01-09 08:20 --------- d-----w c:\program files\Common Files\supportsoft
2009-01-09 08:20 --------- d-----w c:\program files\Citrix
2009-01-09 08:20 --------- d-----w c:\program files\box.net
2009-01-09 08:17 --------- d-----w c:\program files\Creative
2009-01-09 08:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-09 08:16 --------- d-----w c:\program files\Dell Webcam
2009-01-09 08:16 --------- d-----w c:\program files\Common Files\Reallusion
2009-01-09 08:13 --------- d-----w c:\program files\Creative Live! Cam
2009-01-09 08:13 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-09 08:11 --------- d-----w c:\program files\Microsoft Works
2009-01-09 08:01 --------- d-----w c:\program files\Dell
2009-01-09 07:59 --------- d-----w c:\program files\Wireless Select Switch
2009-01-09 07:57 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-09 07:56 --------- d-----w c:\program files\Battery Meter
2009-01-09 07:56 --------- d-----w c:\documents and settings\All Users\Application Data\XP32
2009-01-09 07:56 --------- d-----w c:\documents and settings\All Users\Application Data\Vista64
2009-01-09 07:56 --------- d-----w c:\documents and settings\All Users\Application Data\Vista32
2009-01-09 07:53 --------- d-----w c:\program files\WIDCOMM
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
.

------- Sigcheck -------

2009-02-10 16:52 104960 58bb7133a2f943f69a5bd91331dbec7b c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-17_18.19.59.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 15:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2009-01-09 08:29:18 262,144 ---ha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-02-18 23:06:04 262,144 ---ha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2008-02-22 07:23:35 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-02-18 23:37:44 144,792 ----a-w c:\windows\system32\java.exe
- 2008-02-22 07:23:39 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-02-18 23:37:44 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-02-22 08:33:32 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-18 23:37:44 148,888 ----a-w c:\windows\system32\javaws.exe
- 2009-01-09 17:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\system32\MRT.exe
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2009-02-18 23:38:50 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-09 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-01-05 336896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-14 1343488]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2008-09-18 546088]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-08 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-18 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-07-30 604776]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-09 08:19 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-08 14:34 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-01-09 14248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-08 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-08 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-08 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-08 298264]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-01-09 93968]
R3 OA004Afx;Provides a software interface to control audio effects of OA004 camera.;c:\windows\system32\drivers\OA004Afx.sys [2009-01-09 148056]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2009-01-09 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2009-01-09 269760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2009-01-05 103936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1415498907-2106810913-1699811203-1006.job
- c:\documents and settings\Dev Nijhara\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-23 18:33]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 00:32:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-02-19 0:35:47
ComboFix-quarantined-files.txt 2009-02-19 00:35:43
ComboFix2.txt 2009-02-17 18:21:36

Pre-Run: 926,597,120 bytes free
Post-Run: 958,205,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

287 --- E O F --- 2009-02-18 17:30:21


Fresh Hijack This log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:13, on 19/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dev Nijhara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dev Nijhara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5090109
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8803 bytes


I tried to delete o18 but i doesnt delete!

Kaspersky antivirus I am still running...

joy12
2009-02-19, 15:54
I ran Kaspersky and scanned the critical areas...it found nothing...so everything is cool?

Thanks a ton !;)

joy12
2009-02-19, 16:17
Hey,

I ran a quick scan with superantispyware and it found adware.tracking cookie

and activated my avg resident shield it says

Threat Detected!
file name C:\windows\system32\userinit.exe
threat name trojan horse sheur2.pye
detected on open


why does my computer still have trojans etc?

Blade81
2009-02-19, 17:27
Please don't take any action (running scanners included) not mentioned in my instructions.
Above mentioned order is still valid. If you want do your own things then go ahead but don't expect me to continue helping you then. Choice is yours :)


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
*

Upload following file to http://www.virustotal.com and post back the results:
c:\windows\system32\userinit.exe



FileFind
Download FileFind (http://www.atribune.org/downloads/FileFind.zip) by Atribune and unzip it to your Desktop.

Double click on FileFind.exe to open the programme.
Enter userinit.exe into the File: box.
Click on the Search button.
After a while a list of file locations will appear in the List of Files: box.
Click on the Export button.

This will create a Notepad file named Export.txt located in the C:\ folder, copy and paste it to your next post please.


Also, please run Kaspersky online scanner with 'my computer' selected as shown in the instruction animation which link I posted.

joy12
2009-02-19, 18:13
File userinit.exe received on 02.17.2009 15:13:36 (CET)
Antivirus Version Last Update Result
a-squared - - Virus.Win32.Downloader!IK
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - Win32:Downloader-CDV
AVG - - SHeur2.PYE
CAT-QuickHeal - - Backdoor.Agent.adrt
ClamAV - - -
Comodo - - -
DrWeb - - Trojan.DownLoad.28002
eSafe - - Win32.TRCrypt.XPACK
eTrust-Vet - - Win32/FakeAlert.AAV
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - Trojan.Generic.1425562
Ikarus - - Virus.Win32.Downloader
K7AntiVirus - - Trojan.Win32.Malware.1
Kaspersky - - -
McAfee - - -
McAfee+Artemis - - -
Microsoft - - Trojan:Win32/Fakeinit
NOD32 - - Win32/FakeInit.C
Norman - - W32/Agent.LLHK
Panda - - Trj/Downloader.MDW
PCTools - - -
Prevx1 - - Malicious Software
Rising - - Trojan.Win32.Nodef.bpo
SecureWeb-Gateway - - Trojan.Crypt.XPACK.Gen
Sophos - - Troj/Agent-IWR
Sunbelt - - -
Symantec - - Suspicious.MH690.A
TheHacker - - Backdoor/Agent.adqt
TrendMicro - - -
VBA32 - - -
ViRobot - - Backdoor.Win32.Agent.104960.C
VirusBuster - - -
Additional information
MD5: 58bb7133a2f943f69a5bd91331dbec7b
SHA1: 2ff323d58bfaebdefb3d06d1a3c2e0c8cea637e6
SHA256: 2cf395857f0155bf95565f414bb63b57a344c8ae5cd4e387f90d925fdacc91bd
SHA512: d3555afb3f30e9a98e959c44776a54b59889a4cfed6e85b41d8ff73a27612bd6db2c1f65eb31198e924eebc96f45223c4b2f5fc95b95cdb0b441f765fa5d5d0c

joy12
2009-02-19, 18:16
Thank you so much again...btw I am supposed to do anything until you tell me so? That rules still apply right...

C:\WINDOWS\system32\userinit.exe - 104960 Bytes

Blade81
2009-02-19, 22:08
Hi,

You may run Kaspersky online scanner too as it was listed in my previous post :)

Do you have your operating system media around? We would need that to replace the infected file with a good one.

joy12
2009-02-19, 22:37
Do you have your operating system media around? We would need that to replace the infected file with a good one.

What do you mean by OS Media? I have itunes, windows media player, divx, quicktime...

Is that what you meant...I can uninstall them if you want me to

joy12
2009-02-20, 01:23
Hi,

Here is my kaspersky report...I still have infections !!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, February 19, 2009 20:17:31
Records in database: 1817502
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Files scanned: 35173
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:40:12


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\DOCUME~1\DEVNIJ~1\LOCALS~1\Temp\mousehook.dll.vir Infected: Backdoor.Win32.Agent.adqt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir Infected: Rootkit.Win32.TDSS.phm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaobxmimov.sys.vir Infected: Rootkit.Win32.TDSS.phm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaanmivpfa.dll.vir Infected: Rootkit.Win32.Agent.hcq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekabxlhxduc.dll.vir Infected: Rootkit.Win32.Agent.hcr 1

The selected area was scanned.

Blade81
2009-02-20, 07:15
Hi again,

With operating system media I mean Windows XP installation cd.

Those Kaspersky findings are quarantined ones and we'll clean them after bad userinit.exe is replaced with a good one first (assuming that you have the installation cd) :)

joy12
2009-02-20, 12:57
Yes, I have the CDs...but don't have a disc drive in my computer! :(...

also I just noticed that my firefox has been hijacked...as whenever I search something...it takes me somewhere else..

Blade81
2009-02-20, 20:51
Hi,

Do you have another system available that has cd drive? Any chance you could use usb memory for example to transfer files from there to this system we're cleaning?

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post DDS.txt contents back to your topic.

Blade81
2009-02-25, 17:50
Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.