Help please... Win32.tdss & more + no internet connection [Archive]

View Full Version : Help please... Win32.tdss & more + no internet connection

steds

2009-09-18, 19:21

Hi there
Started having problems more than a week ago.
Spybot S&D detected Win32.TDSS.ntf, Trojans removed them, but they keep cominig back. There're there every time I run S&D.
Also MBAM detected a Trojan downloader and Spyware Ambler (?) and seemed to remove them.

I started having problems with my connection. FF and IE didn't work and couldn't download updates for any of my antivirus/antispyware.
I turned the router off.

I then found System Restore had been turned off and there were no restore points.

Also other things affected like Nero backup not working properly.
(Most stuff backedup except recent stuff)

I changed passwords on another pc and backed up what i could. Preparing for the worst, but if anyone can help I would greatly appreciate it.

I ran HJT. Here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:47:53, on 18/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" "C:\Documents and Settings\Stephen\Local Settings\Application Data\Identities\{B9BC5F44-DBAE-48EF-AF57-1DA90594DE66}\Microsoft\Outlook Express\Sent Items.dbx"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3942] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7064] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6506] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1249] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5702] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2438] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA297] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3368] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA70] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2001] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4756] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6461] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5160] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2933] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1577] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4157] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8620] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5273] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7724] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4968] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5429] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9892] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2515] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7237] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1440] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9035] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB246] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1926] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7616] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8290] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB833] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8736] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB817] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5983] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6380] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3161] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8692] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1987] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8199] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5275] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6815] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7941] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB737] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6724] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7230] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD997] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9888] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2043] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9654] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1654] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3698] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD260] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9885] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4373] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1555] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD401] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7840] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7203] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6810] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2975] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4270] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4230] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9180] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8031] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5603] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4366] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1055] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7664] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4154] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3185] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1516] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3637] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2018] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD107] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5301] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8430] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB730] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2130] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6799] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7019] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4778] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD58] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2011] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6727] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1976] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2475] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1887] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5536] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3332] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2435] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4084] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1577] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9874] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3148] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8023] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7992] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7145] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1756] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9412] command.com /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7490] cmd.exe /c del "C:\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2793] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1236] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1162] command.com /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1858] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmjefbobow.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9427] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD677] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7153] command.com /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3864] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtkaybajt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB927] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8363] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7928] command.com /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1330] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmtvefyrcw.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2375] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7436] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9204] command.com /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8685] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmmkjsakcn.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2210] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7601] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1298] command.com /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4483] cmd.exe /c del "C:\WINDOWS\system32\kbiwkmvxoyibqt.dat"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 19349 bytes

ken545

2009-09-21, 11:47

Hello steds

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Reboot your computer and run combofix, your infected with a rootkit , this rootkit will try and prevent combofix from running so make sure you follow the instructions to rename it.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

steds

2009-09-22, 12:29

Hello ken
Thanks very much for the help.
I ran Combofix ok although it couldn't load Recovery Console because it couldn't get a connection at the time.
But things already look much better, connection restored, browsers and security updates working. I had to re-input the DNS addresses to finally get connected, after a re-boot.
Haven't run any antiVirus/anti Spyware scans yet as I thought I'd ask you what to do next.
Thanks again for the help.
Here are the Combofix and HJT logs.

ComboFix 09-09-20.04 - Stephen 22/09/2009 2:42.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.595 [GMT 1:00]
Running from: c:\documents and settings\Stephen\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Stephen\My Documents\mc-installer-0.6.exe
c:\windows\Installer\3a96e4.msi
c:\windows\Installer\c9f010.msp
c:\windows\Installer\c9f011.msp
c:\windows\Installer\c9f012.msp
c:\windows\Installer\c9f013.msp
c:\windows\Installer\c9f014.msp
c:\windows\Installer\c9f015.msp
c:\windows\Installer\c9f016.msp
c:\windows\Installer\c9f017.msp
c:\windows\Installer\c9f018.msp
c:\windows\Installer\d30397.msp
c:\windows\Installer\d30398.msp
c:\windows\Installer\d30399.msp
c:\windows\Installer\d3039a.msp
c:\windows\Installer\d3039b.msp
c:\windows\Installer\d3039c.msp
c:\windows\Installer\d3039d.msp
c:\windows\Installer\d3039e.msp
c:\windows\Installer\d3039f.msp
c:\windows\Installer\d303a0.msp
c:\windows\run.log
c:\windows\system32\.log
c:\windows\system32\download
c:\windows\system32\download\ispinfo.csv
c:\windows\system32\drivers\kbiwkmbaqjgepp.sys
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\kbiwkmjefbobow.dll
c:\windows\system32\kbiwkmmkjsakcn.dat
c:\windows\system32\kbiwkmtkaybajt.dll
c:\windows\system32\kbiwkmtvefyrcw.dll
c:\windows\system32\kbiwkmvxoyibqt.dat
c:\windows\system32\drivers\etc\lmhosts . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmgjlkxjyn
-------\Legacy_kbiwkmgjlkxjyn

((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-19 19:12 . 2009-09-19 19:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-09-15 20:12 . 2009-09-15 20:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-09-15 20:12 . 2009-09-15 20:12 27400 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 20:12 . 2009-09-15 20:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-09-15 01:41 . 2009-09-15 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2009-09-15 00:45 . 2009-09-15 00:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-09-14 23:57 . 2009-09-14 23:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-12 00:10 . 2009-09-12 00:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-12 00:10 . 2009-09-12 00:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-10 23:50 . 2009-09-10 23:50 -------- d-----w- c:\documents and settings\Stephen\Application Data\Malwarebytes
2009-09-10 23:50 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 23:50 . 2009-09-10 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 23:50 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 23:50 . 2009-09-10 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 21:00 . 2009-09-10 21:00 -------- d-----w- c:\program files\Trend Micro
2009-09-10 20:59 . 2009-09-10 21:32 -------- d-----w- c:\program files\ERUNT
2009-09-10 02:08 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 20:08 . 2009-09-07 20:08 44544 ----a-w- c:\windows\system32\lpocg.dll
2009-09-05 19:01 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-09-05 15:43 . 2009-09-05 16:21 -------- d-----w- c:\program files\Virtual Skipper 4 Demo
2009-08-29 14:08 . 2009-08-29 14:08 -------- d-----w- C:\spoolerlogs
2009-08-29 14:07 . 2009-08-29 14:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-29 13:56 . 2009-08-29 13:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 19:20 . 2008-01-14 21:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-18 19:23 . 2008-08-11 11:32 7480 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 18:07 . 2007-03-30 20:44 -------- d-----w- c:\documents and settings\Stephen\Application Data\uTorrent
2009-09-11 18:05 . 2007-03-31 13:29 -------- d-----w- c:\program files\LimeWire
2009-09-08 05:49 . 2008-08-19 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-29 07:25 . 2007-02-12 14:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-22 10:03 . 2009-08-22 10:03 -------- d-----w- c:\documents and settings\Stephen\Application Data\TVU networks
2009-08-18 10:59 . 2008-08-19 12:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 10:59 . 2008-08-19 12:20 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 10:59 . 2008-08-19 12:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 20:16 . 2009-08-16 20:16 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-08-16 00:08 . 2007-01-21 21:01 27400 ----a-w- c:\documents and settings\Stephen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 15:32 . 2009-08-15 15:30 -------- d-----w- c:\program files\iTunes
2009-08-15 15:32 . 2009-08-15 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-15 15:32 . 2009-08-15 15:32 -------- d-----w- c:\program files\iPod
2009-08-15 15:31 . 2007-12-04 02:19 -------- d-----w- c:\program files\Common Files\Apple
2009-08-15 15:26 . 2009-08-15 15:25 -------- d-----w- c:\program files\QuickTime
2009-08-15 15:13 . 2009-08-15 15:13 -------- d-----w- c:\program files\Bonjour
2009-08-15 11:19 . 2007-02-09 22:01 -------- d-----w- c:\documents and settings\Stephen\Application Data\OpenOffice.org2
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:42 . 2009-05-16 20:17 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-04 04:59 . 2009-08-03 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-04 04:59 . 2009-08-03 13:31 -------- d-----w- c:\program files\NOS
2009-07-31 01:56 . 2009-07-31 01:56 -------- d-----w- c:\program files\MSXML 4.0
2009-07-30 17:10 . 2009-07-01 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-30 00:23 . 2009-07-30 00:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2009-07-30 00:23 . 2009-07-30 00:23 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-07-30 00:17 . 2009-07-30 00:17 -------- d-----w- c:\program files\Motorola
2009-07-30 00:17 . 2009-07-30 00:17 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2006-02-28 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-02-28 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-02-28 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2006-02-28 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2006-02-28 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-08-25 00:14 2215960 ----a-w- c:\program files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-08-25 2215960]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2009-08-25 2215960]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Stephen\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 10:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check(2).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(2).lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check(2).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Stephen^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Stephen\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Stephen^Start Menu^Programs^Startup^Registration IL-2 Sturmovik 1946.LNK]
path=c:\documents and settings\Stephen\Start Menu\Programs\Startup\Registration IL-2 Sturmovik 1946.LNK
backup=c:\windows\pss\Registration IL-2 Sturmovik 1946.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/08/2008 13:20 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/08/2008 13:20 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [01/07/2009 20:15 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [01/07/2009 20:15 297752]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [30/07/2009 01:17 91392]
R3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [16/02/2007 03:03 46080]
S2 wothpaalztmx;wothpaalztmx;\??\c:\windows\system32\drivers\qdotu.sys --> c:\windows\system32\drivers\qdotu.sys [?]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys [?]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [22/02/2007 15:11 30984]
S3 MemStPCI;Sony Memory Stick controller (PCI);c:\windows\system32\drivers\memstpci.sys [03/02/2007 21:21 26112]
S3 SaiH053C;SaiH053C;c:\windows\system32\drivers\SaiH053C.sys [03/11/2005 11:52 176640]
S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [22/02/2007 15:41 176640]
S3 SaiIFFB5;Immersion's HID USB Driver (FFB5);c:\windows\system32\drivers\SaiIFFB5.sys [14/12/2005 13:10 16768]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [13/03/2008 21:09 356920]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.madasafish.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\n3pyybdn.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/index_narrow.html
FF - component: c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\n3pyybdn.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Stephen\Application Data\Mozilla\Firefox\Profiles\n3pyybdn.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
Notify-WgaLogon - (no file)
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-Victor Chandler - c:\poker\Victor Chandler\_SetupPoker.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 02:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-842925246-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ab,38,35,51,ff,6b,49,fa,eb,b8,d5,51,74,8d,52,7f,b6,c7,34,38,2f,d2,19,
e4,d2,ee,19,4c,1c,f2,a8,dd,6a,91,5d,d1,97,65,5c,ba,ed,48,94,94,09,93,b7,16,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(208)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
.
**************************************************************************
.
Completion time: 2009-09-22 3:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-22 02:04

Pre-Run: 45,822,697,472 bytes free
Post-Run: 48,843,063,296 bytes free

298 --- E O F --- 2009-09-02 01:56

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:14:09, on 22/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.madasafish.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6979 bytes

ken545

2009-09-22, 13:23

Good Morning,

Looks like the Rootkit is gone, your Combofix log will take me some time to go over , in the meantime do this please.

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please

steds

2009-09-22, 21:59

Hi
Thanks for getting back to me.
I ran TFC then rebooted.
The same with MBAM. It found one thing which ithink was removed after the reboot.

Here are the MBAM and HJT logs.

Malwarebytes' Anti-Malware 1.41
Database version: 2843
Windows 5.1.2600 Service Pack 3

22/09/2009 19:31:28
mbam-log-2009-09-22 (19-31-21).txt

Scan type: Quick Scan
Objects scanned: 95811
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lpocg.dll (Password.Stealer) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:40:56, on 22/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.madasafish.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3230559E-5116-488C-B617-FE344FE8CE9D}: NameServer = 80.189.92.2,80.189.94.2
O17 - HKLM\System\CS3\Services\Tcpip\..\{3230559E-5116-488C-B617-FE344FE8CE9D}: NameServer = 80.189.92.2,80.189.94.2
O17 - HKLM\System\CS4\Services\Tcpip\..\{3230559E-5116-488C-B617-FE344FE8CE9D}: NameServer = 80.189.92.2,80.189.94.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7617 bytes

ken545

2009-09-23, 00:56

Hi,

You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

C:\WINDOWS\system32\lpocg.dll <--Make sure this is gone, if not delete it

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

c:\windows\system32\drivers\qdotu.sys

How are things running now ?

steds

2009-09-23, 04:23

hello

Well I changed File & Folder options to show all, and I couldn't find :

C:\WINDOWS\system32\lpocg.dll.

It looks like it's gone.

Then I tried to find : c:\windows\system32\drivers\qdotu.sys

but I couldn't find that either. I tried browse on Virus Total and tried Windows Explorer but couldn't find it. Is this serious?

Things seem to be running fine as far as I can tell. I haven't found any problems.

Thanks again

PS Should I still have TeaTimer and AVG turned off ?

ken545

2009-09-23, 11:46

Good Morning,

Leave them both turned off for a bit , I would like you to run this free online virus scanner to make sure we got it all.

Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

steds

2009-09-23, 22:53

Hi
I ran ESET ok. It found some things, now quarantined and deleted.

Here's the logfile :

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=b041876108e4c345ad0a44e424bba895
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-23 07:46:01
# local_time=2009-09-23 08:46:01 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 37 83 100 31419743906250
# scanned=162358
# found=6
# cleaned=6
# scan_time=4738
C:\Documents and Settings\Stephen\My Documents\My Recordings\Shared Music\rolling stones hyde park 192kb.mp3 a variant of

WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Stephen\My Documents\My Recordings\Shared Music\searcher _the who_ (new album).mp3 a variant of

WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting -

quarantined) 00000000000000000000000000000000 C
C:\Program Files\ZoneAlarmSB\bar\2.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting -

quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmtvefyrcw.dll.vir Win32/Olmarik.MF trojan (cleaned by deleting - quarantined)

00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmbaqjgepp.sys.vir a variant of Win32/Olmarik.LR trojan (cleaned by

deleting - quarantined) 00000000000000000000000000000000 C

ken545

2009-09-24, 00:03

Great, a couple of those files where back ups of what Combofix removed. yes you can re enable AVG and the TeaTimer. How are things running now ?

steds

2009-09-24, 00:16

Hi
Yes, everything seems to be back to normal as far as I can tell. Is there anything else you'd recommend?

BTW Thanks very much for the help, it's much appreciated.

ken545

2009-09-24, 00:27

Great, glad things are well :bigthumb:

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken

steds

2009-09-24, 01:23

Great.
Thanks very much for all the advice.

Steve

ken545

2009-09-24, 01:49

Your very welcome Steve,

Take care,

Ken :)

ken545

2009-09-28, 14:22

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.