So here it is - I started trying to fix this prob when XP Firewall stopped running because "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service."

Tried installing spybot and a2AntiMalware, but can't connect to their servers for updates etc

That's what led me here. I should mention that this laptop I'm on has had issues for quite a while, where it just freezes up and nothing can be done except pull the plug and reboot. I've just got a new laptop so I'm trying to fix this one.

Sorry If I've misunderstood your requirements from me, or if I'm not following the correct procedures, but there is my DDS report:-

:thanks:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:08:53.62 on 03/10/2010
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1919.1129 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Emsisoft Anti-Malware *On-access scanning enabled* (Outdated) {0F8591BB-342B-4493-91C3-4E948ED21255}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Marcus Whitehead\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Marcus Whitehead\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Marcus Whitehead\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Marcus Whitehead\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marcus Whitehead\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marcus Whitehead\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marcus Whitehead\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marcus Whitehead\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marcus Whitehead\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Marcus Whitehead\My Documents\Downloads\spybotsd162.exe
C:\DOCUME~1\MARCUS~1\LOCALS~1\Temp\is-VBU7R.tmp\spybotsd162.tmp
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2guard.exe
C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2start.exe
C:\Documents and Settings\Marcus Whitehead\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.pcservicecall.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\userinit32.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MS extension: {1925c7e1-5540-4675-8198-8a2779d4072a} - msfgw32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus SX600FW(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatieke.exe /fu "c:\windows\temp\E_SA0.tmp" /EF "HKCU"
uRun: [Google Update] "c:\documents and settings\marcus whitehead\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [CardReaderReset] c:\program files\realtek semiconductor corp\card reader software\Reset.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [a-squared] "c:\program files\emsisoft anti-malware\a2guard.exe" /d=60
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microsoft office.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\rt2500 wireless lan card\installer\winxp\RaConfig2500.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.162.84,93.188.161.224
TCP: {649D147E-FAC9-4814-9D7E-916C55D5F57F} = 192.168.1.1
TCP: {B6A36C11-AB5D-4795-82B5-F112EBC675C3} = 93.188.162.84,93.188.161.224
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {901A929E-1477-4b67-94FA-7A8EE43ED159} - rundll32 msfgw32.dll,InitO
Hosts: 194.165.4.145 eggbank.com

============= SERVICES / DRIVERS ===============

R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2010-10-3 41928]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2010-10-3 11776]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-18 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-18 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-18 243024]
R1 SASDIFSV;SASDIFSV;c:\docume~1\marcus~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-6-15 9968]
R1 SASKUTIL;SASKUTIL;c:\docume~1\marcus~1\locals~1\temp\sas_selfextract\SASKUTIL.sys [2010-6-15 74480]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-10-3 2909536]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2005-10-4 308136]
R3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-10-3 72808]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\marcus~1\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\marcus~1\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

=============== Created Last 30 ================

2010-10-03 16:01:28 0 d-----w- c:\program files\Emsisoft Anti-Malware
2010-09-29 16:49:07 0 d-----w- C:\spoolerlogs
2010-09-29 14:19:29 0 d-----w- c:\program files\uTorrent
2010-09-29 09:51:10 299520 ----a-w- c:\windows\uninst.exe
2010-09-19 11:12:21 0 d-----w- c:\docume~1\marcus~1\applic~1\Spotify
2010-09-19 11:12:13 0 d-----w- c:\program files\Spotify

==================== Find3M ====================

2010-09-29 11:30:08 58602 ----a-w- c:\docume~1\marcus~1\applic~1\wklnhst.dat
2010-07-12 21:02:57 42320 ----a-w- c:\docume~1\marcus~1\applic~1\GDIPFONTCACHEV1.DAT
2003-09-16 00:19:48 99544 ----a-w- c:\windows\inf\virprn.exe
2003-09-16 00:19:48 18950 ----a-w- c:\windows\inf\virpntd.dll
2003-09-16 00:19:48 10240 ----a-w- c:\windows\inf\virport.dll
2003-09-16 00:19:46 90624 ----a-w- c:\windows\inf\prtproc.dll

============= FINISH: 17:10:37.50 ===============

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

No Way! :oops:

Thankyou very much for pointing this out to me. I've contacted the relevant banks who have suspended online banking until I can be sure the infected computer is clean again. I've also changed the passwords to my ebay, amazon and paypal accounts.

As it happens, I've just got a new laptop from Medion, so I should be OK to use this whilst I reformat the infected one. It is odd however that this problem occurred around the same time I connected the two computers on the same network. It could just be conincidence I suppose.

I do worry - could the new laptop have picked anything up by being networked to the old? It came bundled with Bullguard, which doesn't seem to be picking up any problems. Is this enough security in itself, or would you suggest other security applications to go with it?

Thanks again for your time and advice, I haven't got a clue about this sort of thing, although I know I can manage a reformat and OS install OK.

Hi,


I do worry - could the new laptop have picked anything up by being networked to the old?
If no issues then I'd say it's safe to assume it hasn't picked anything bad.


It came bundled with Bullguard, which doesn't seem to be picking up any problems. Is this enough security in itself, or would you suggest other security applications to go with it?
I'm not familiar with Bullguard so can't say about it. Anyway, please find some good solutions listed next (note: don't install more than one antivirus program in same workstation).

Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html) and
Avast! (http://www.avast.com/eng/download-avast-home.html)

Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)

Blade, Yes everything seems OK on the new laptop. Bullguard is the security suite that came bundled with Windows 7, so I suspect it is fairly robust. :police:

I wonder if it was just a computer program that got into my other system? Or a real person? How do they do it? :confused: I know these answers are probably available to me if I google them.

Where does the trojan sit though? Is it safe to bring files and folders over from that system to the new one? I guess I'd do it by memory stick and I should scan them first. I'll have to be more careful in the future. muha:

Most of all though, :thanks:, for making sense of the situation for me. I do wonder though, if the Windows firewall hadn't turned off, how long could I have been under attack without knowing. It's like they made a mistake and 'trod on a twig' if you know what I mean.

As it happened I intended to reformat and reinstall OS anyway, because I've had the laptop for years and it was slowly grinding to a halt. More often than not it would freeze up and I'd have to force it to turn off rather than close down in the proper way. Do you think this was a symptom of the infection at all?

It's all quite exciting, but i can see it could be potentially catastrophic, I have two years worth of business accounts on there, as well as doing online banking and things. Makes you feel a bit queesey :sick:

Hi,

Looking at the log it looks possible bad stuff got there via exploitable vulnerabilities. For example Java and Adobe Reader are badly outdated (and also some of those most exploited ones too).

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.