
Thread: Infected w Win32.Prolaco.p, Delf.PQB, Dropper.Generic.CKLK, Trojan.Swisyn, others

  1. #11
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    Blade, hello again

    I’ve followed all your instructions, logs below. I’m going to mention a couple of things, in case they are useful to know, but sorry if they’re not of use:

    About Bit Torrent and DNA, I wasn’t using them before the infection was first detected. They hadn’t been used since last April, when a friend of mine installed them on my computer.

    Something seems strange about my Flash player. I first noticed it several weeks ago, when I last updated it. No matter what I do, I can't seem to get rid of the old player and get a new one.
    When I go to test Flash player at that same link you gave, it says it is the latest version, 10.0.45.2. However, when I go to C:\Windows\system32\Macromed\Flash, and hover over the player, it says it’s an older version, “File version: 10.0.22.87,” and shows an old date on it.
    So today, I uninstalled and installed a fresh version of Flash player, per your instructions.
    It made me install Get(+)plus and Adobe Download Manager, again.
    Now, after reinstalling Flash player, it still says I have the latest version, 10.0.45.2, at the test link you gave. But when I go to the folder and hover over the player, it still says older version, File version: 10.0.22.87, created in June 2009.

    The only browser I’m running on this computer is IE.

    Thank you for helping me!



    ComboFix 10-04-11.01 - Owner 04/11/2010 21:13:53.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.198 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\program files\BitTorrent
    c:\program files\BitTorrent\BitTorrentIE.2.dll
    c:\program files\BitTorrent\uninst.exe
    c:\program files\DNA
    c:\program files\DNA\plugins\npbtdna.dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
    .
    2010-04-12 03:12 . 2010-04-12 03:19 -------- d-----w- c:\documents and settings\All Users.WINXPHM\Application Data\NOS
    2010-04-12 03:12 . 2010-04-12 03:12 -------- d-----w- c:\program files\NOS
    2010-04-06 21:56 . 2010-04-06 21:56 -------- d-----w- c:\program files\TrendMicro
    2010-04-06 21:40 . 2010-04-06 21:40 -------- d-----w- c:\program files\ERUNT
    2010-04-06 05:11 . 2010-04-11 09:14 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
    2010-04-06 01:42 . 2010-04-06 01:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-04-06 01:41 . 2010-04-06 01:41 -------- d-----w- c:\documents and settings\All Users.WINXPHM\Application Data\Malwarebytes
    2010-04-06 01:41 . 2010-04-11 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-05 21:05 . 2010-04-05 21:05 -------- d-----w- c:\documents and settings\All Users.WINXPHM\Application Data\SUPERAntiSpyware.com
    2010-04-05 21:05 . 2010-04-05 21:05 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-05 21:05 . 2010-04-05 21:05 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-04-05 20:59 . 2010-04-05 20:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-05 20:50 . 2010-04-05 20:50 2388895 ----a-w- C:\MGtools.exe
    2010-04-05 19:59 . 2010-04-05 20:00 -------- d-----w- c:\program files\CCleaner
    2010-04-05 11:42 . 2010-04-05 11:42 -------- d-----w- c:\program files\Common Files\Java
    2010-03-25 12:22 . 2010-04-05 12:21 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-10 14:52 . 2010-04-05 21:07 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-06 21:56 . 2010-04-06 21:56 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-04-05 21:07 . 2010-04-05 21:07 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-05 20:29 . 2009-04-06 20:05 -------- d-----w- c:\documents and settings\All Users.WINXPHM\Application Data\Spybot - Search & Destroy
    2010-04-05 11:31 . 2010-04-05 11:31 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5da2969d-n\msvcp71.dll
    2010-04-05 11:31 . 2010-04-05 11:31 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5da2969d-n\jmc.dll
    2010-04-05 11:31 . 2010-04-05 11:31 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5da2969d-n\msvcr71.dll
    2010-04-05 11:31 . 2010-04-05 11:31 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6751b1b7-n\decora-sse.dll
    2010-04-05 11:31 . 2010-04-05 11:31 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6751b1b7-n\decora-d3d.dll
    2010-04-05 11:29 . 2009-04-20 20:44 411368 ----a-w- c:\winxphm\system32\deploytk.dll
    2010-03-11 12:38 . 2009-04-06 01:55 832512 ------w- c:\winxphm\system32\wininet.dll
    2010-03-11 12:38 . 2009-08-13 05:02 78336 ----a-w- c:\winxphm\system32\ieencode.dll
    2010-03-11 12:38 . 2009-04-06 01:54 17408 ----a-w- c:\winxphm\system32\corpol.dll
    2010-03-02 18:02 . 2009-04-09 05:08 7442880 ----a-w- c:\winxphm\Internet Logs\tvDebug.Zip
    2010-02-23 22:26 . 2010-02-23 22:26 161296 ----a-w- c:\winxphm\system32\drivers\tmcomm.sys
    2007-02-23 05:08 . 2008-10-31 19:51 925696 ----a-w- c:\program files\GSpot.exe
    2007-02-20 00:28 . 2008-10-31 19:51 117974 -c--a-r- c:\program files\GSpot27.dat
    2007-01-17 07:37 . 2008-10-31 19:51 3615 -c--a-r- c:\program files\license.txt
    2007-01-17 07:37 . 2008-10-31 19:51 10684 -c--a-r- c:\program files\ExportFormat.txt
    2005-12-26 05:24 . 2005-12-26 05:24 895488 ----a-w- c:\program files\iview397.exe
    2005-12-26 04:36 . 2005-12-26 14:12 900277 ----a-w- c:\program files\HYDEIST music room.EXE
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-04-11_16.52.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-12 04:08 . 2010-04-12 04:08 16384 c:\winxphm\Temp\Perflib_Perfdata_1a0.dat
    - 2010-03-09 05:10 . 2010-03-09 05:10 84507 c:\winxphm\system32\Macromed\Flash\uninstall_activeX.exe
    + 2010-04-12 03:15 . 2010-04-12 03:15 84507 c:\winxphm\system32\Macromed\Flash\uninstall_activeX.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 23040 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 23040 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 61440 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 61440 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 27136 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 27136 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 11264 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 11264 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 86016 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 86016 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 12288 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 12288 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 4096 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 4096 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 409600 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 409600 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 286720 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 286720 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 249856 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 249856 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 794624 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 794624 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 135168 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 135168 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2009-04-08 23:08 . 2010-04-11 15:12 593920 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2009-04-08 23:08 . 2010-04-11 17:10 593920 c:\winxphm\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\winxphm\System32\igfxtray.exe" [2005-10-19 155648]
    "HotKeysCmds"="c:\winxphm\System32\hkcmd.exe" [2005-10-19 126976]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
    "IMJPMIG8.1"="c:\winxphm\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\winxphm\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\winxphm\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\winxphm\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-21 08:10 11952 ----a-w- c:\winxphm\system32\avgrsstx.dll
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxphm\system32\drivers\avgldx86.sys [4/10/2009 2:33 AM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\winxphm\system32\drivers\avgtdix.sys [4/10/2009 2:33 AM 108552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/10/2009 2:33 AM 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/10/2009 2:33 AM 297752]
    R3 P0630VID;Creative WebCam Live!;c:\winxphm\system32\drivers\P0630Vid.sys [12/20/2009 12:59 PM 91841]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.safer-networking.org/en/index.html
    mStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-11 21:24
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(648)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\winxphm\system32\WININET.dll
    .
    Completion time: 2010-04-11 21:31:21
    ComboFix-quarantined-files.txt 2010-04-12 04:31
    ComboFix2.txt 2010-04-11 16:58
    Pre-Run: 14,705,389,568 bytes free
    Post-Run: 14,677,856,256 bytes free
    - - End Of File - - FA5BCDC1B772475EAF3D0F850ABC5104




    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, April 12, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, April 12, 2010 02:21:53
    Records in database: 3936778
    --------------------------------------------------------------------------------
    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes
    Scan area - My Computer:
    C:\
    D:\
    E:\
    Scan statistics:
    Objects scanned: 130236
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 05:02:19

    File name / Threat / Threats count
    C:\MGtools.exe Infected: Trojan-Dropper.Win32.Agent.bvop 1
    Selected area has been scanned.





    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 7:25:53.42 on Mon 04/12/2010
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.200 [GMT -7:00]
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    ============== Running Processes ===============
    C:\WINXPHM\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINXPHM\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINXPHM\system32\spoolsv.exe
    C:\WINXPHM\Explorer.EXE
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINXPHM\BCMSMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINXPHM\system32\RunDLL32.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINXPHM\System32\svchost.exe -k imgsvc
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINXPHM\system32\wuauclt.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINXPHM\system32\wscntfy.exe
    C:\WINXPHM\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Owner\Desktop\dds.com
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.safer-networking.org/en/index.html
    mStart Page = about:blank
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [IgfxTray] c:\winxphm\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\winxphm\system32\hkcmd.exe
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [IMJPMIG8.1] "c:\winxphm\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\winxphm\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\winxphm\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\winxphm\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - hxxp://www.collarme.com/chat
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238990141514
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com
    ============= SERVICES / DRIVERS ===============
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxphm\system32\drivers\avgldx86.sys [2009-4-10 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winxphm\system32\drivers\avgmfx86.sys [2009-4-10 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\winxphm\system32\drivers\avgtdix.sys [2009-4-10 108552]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R1 vsdatant;vsdatant;c:\winxphm\system32\vsdatant.sys [2009-4-6 353672]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-10 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-10 297752]
    R3 P0630VID;Creative WebCam Live!;c:\winxphm\system32\drivers\P0630Vid.sys [2009-12-20 91841]
    S2 vsmon;TrueVector Internet Monitor;c:\winxphm\system32\zonelabs\vsmon.exe -service --> c:\winxphm\system32\zonelabs\vsmon.exe -service [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
    =============== Created Last 30 ================
    2010-04-11 16:27:53 0 d-sha-r- C:\cmdcons
    2010-04-11 16:25:46 98816 ----a-w- c:\winxphm\sed.exe
    2010-04-11 16:25:46 77312 ----a-w- c:\winxphm\MBR.exe
    2010-04-11 16:25:46 261632 ----a-w- c:\winxphm\PEV.exe
    2010-04-11 16:25:46 161792 ----a-w- c:\winxphm\SWREG.exe
    2010-04-06 21:56:34 0 d-----w- c:\program files\TrendMicro
    2010-04-06 01:42:16 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2010-04-06 01:41:52 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
    2010-04-06 01:41:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-05 21:05:58 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
    2010-04-05 21:05:35 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-04-05 21:05:35 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
    2010-04-05 20:59:40 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-04-05 20:50:42 2388895 ----a-w- C:\MGtools.exe
    2010-04-05 20:24:18 0 ----a-w- c:\documents and settings\owner\defogger_reenable
    2010-04-05 19:59:53 0 d-----w- c:\program files\CCleaner
    2010-04-05 12:34:40 0 d-----w- c:\winxphm\pss
    2010-04-05 11:30:22 73728 ----a-w- c:\winxphm\system32\javacpl.cpl
    2010-04-03 10:52:54 0 ----a-w- c:\winxphm\00xjvpiu0b1azkr19b978mu8.ini
    ==================== Find3M ====================
    2010-04-05 11:29:59 411368 ----a-w- c:\winxphm\system32\deploytk.dll
    2010-03-11 12:38:54 832512 ------w- c:\winxphm\system32\wininet.dll
    2010-03-11 12:38:52 78336 ----a-w- c:\winxphm\system32\ieencode.dll
    2010-03-11 12:38:51 17408 ----a-w- c:\winxphm\system32\corpol.dll
    2010-02-23 22:26:53 161296 ----a-w- c:\winxphm\system32\drivers\tmcomm.sys
    2007-02-23 05:08:08 925696 ----a-w- c:\program files\GSpot.exe
    2007-02-20 00:28:02 117974 -c--a-r- c:\program files\GSpot27.dat
    2007-01-17 07:37:50 3615 -c--a-r- c:\program files\license.txt
    2007-01-17 07:37:50 10684 -c--a-r- c:\program files\ExportFormat.txt
    2005-12-26 05:24:22 895488 ----a-w- c:\program files\iview397.exe
    2005-12-26 04:36:09 900277 ----a-w- c:\program files\HYDEIST music room.EXE
    ============= FINISH: 7:27:03.28 ===============




    Attach log:
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    DDS (Ver_10-03-17.01)
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/5/2009 7:20:48 PM
    System Uptime: 4/12/2010 7:23:33 AM (0 hours ago)
    Motherboard: Dell Computer Corp. | | 0G1548
    Processor: Intel(R) Celeron(R) CPU 2.20GHz | Microprocessor | 2192/400mhz
    ==== Disk Partitions =========================
    C: is FIXED (NTFS) - 74 GiB total, 13.544 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    ==== Disabled Device Manager Items =============
    ==== System Restore Points ===================
    RP373: 3/3/2010 7:06:58 AM - System Checkpoint
    RP374: 3/4/2010 7:45:01 AM - System Checkpoint
    RP375: 3/5/2010 8:37:03 AM - System Checkpoint
    RP376: 3/6/2010 8:43:34 AM - System Checkpoint
    RP377: 3/7/2010 9:43:34 AM - System Checkpoint
    RP378: 3/8/2010 10:55:34 AM - System Checkpoint
    RP379: 3/9/2010 5:55:28 AM - Avg8 Update
    RP380: 3/10/2010 6:17:00 AM - System Checkpoint
    RP381: 3/11/2010 12:00:24 AM - Software Distribution Service 3.0
    RP382: 3/12/2010 12:44:33 AM - System Checkpoint
    RP383: 3/13/2010 3:20:34 AM - System Checkpoint
    RP384: 3/14/2010 6:32:51 AM - System Checkpoint
    RP385: 3/15/2010 7:40:37 AM - System Checkpoint
    RP386: 3/16/2010 10:47:41 AM - System Checkpoint
    RP387: 3/17/2010 11:47:28 AM - System Checkpoint
    RP388: 3/18/2010 1:26:56 PM - System Checkpoint
    RP389: 3/18/2010 11:41:47 PM - Avg8 Update
    RP390: 3/18/2010 11:44:08 PM - Avg8 Update
    RP391: 3/20/2010 12:40:47 AM - System Checkpoint
    RP392: 3/21/2010 1:53:14 AM - System Checkpoint
    RP393: 3/22/2010 3:54:36 AM - System Checkpoint
    RP394: 3/23/2010 6:31:41 AM - System Checkpoint
    RP395: 3/24/2010 7:57:22 AM - System Checkpoint
    RP396: 3/25/2010 8:28:49 AM - System Checkpoint
    RP397: 3/26/2010 10:53:55 AM - System Checkpoint
    RP398: 3/27/2010 11:28:51 AM - System Checkpoint
    RP399: 3/28/2010 12:28:52 PM - System Checkpoint
    RP400: 3/29/2010 1:28:50 PM - System Checkpoint
    RP401: 3/30/2010 2:24:31 PM - System Checkpoint
    RP402: 3/30/2010 11:55:20 PM - Software Distribution Service 3.0
    RP403: 4/1/2010 1:13:32 AM - System Checkpoint
    RP404: 4/2/2010 1:47:32 AM - System Checkpoint
    RP405: 4/3/2010 4:13:55 AM - System Checkpoint
    RP406: 4/4/2010 4:42:08 AM - System Checkpoint
    RP407: 4/5/2010 4:12:31 AM - Removed Java(TM) 6 Update 13
    RP408: 4/5/2010 4:29:47 AM - Installed Java(TM) 6 Update 19
    RP409: 4/5/2010 2:05:33 PM - Installed SUPERAntiSpyware Free Edition
    RP410: 4/6/2010 2:56:32 PM - Installed HiJackThis
    RP411: 4/7/2010 3:27:25 PM - System Checkpoint
    RP412: 4/8/2010 4:27:19 PM - System Checkpoint
    RP413: 4/9/2010 5:27:19 PM - System Checkpoint
    RP414: 4/10/2010 6:27:24 PM - System Checkpoint
    ==== Installed Programs ======================
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Advanced Video FX Utility
    AVG 8.5
    BCM V.92 56K Modem
    CCleaner
    Creative Photo Manager
    Creative WebCam Center
    Creative WebCam Live! Driver (1.02.03.0606)
    Creative WebCam Live! User's Guide (English)
    ERUNT 1.1j
    Foxit Reader
    Get Yahoo! Messenger
    HiJackThis
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Intel(R) Extreme Graphics Driver
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 19
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    QuickTime
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    SightSpeed (remove only)
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC 9.0 Runtime
    VLC media player 1.0.5
    WebCam Live! Product Registration
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows XP Service Pack 3
    WinRAR archiver
    Xvid 1.2.1 final uninstall
    ZoneAlarm
    ==== Event Viewer Messages From Past Week ========
    4/5/2010 4:14:57 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    ==== End Of File ===========================

  2. #12
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Download suspicious file packer from here

    Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop.

    Code:
    c:\qoobox\quarantine\c\windows\$hf_mig$\KB890046\spuninst.exe.vir
    c:\qoobox\quarantine\c\windows\$hf_mig$\KB890046\update\update.exe.vir
    c:\qoobox\quarantine\c\windows\$hf_mig$\KB890859\SP2GDR\ntkrnlmp.exe.vir
    c:\qoobox\quarantine\c\windows\$xpsp1hfm$\Q817606\spuninst.exe.vir
    c:\qoobox\quarantine\c\windows\Help\Tours\mmTour\tour.exe.vir
    c:\qoobox\quarantine\c\windows\hh.exe.vir
    c:\qoobox\quarantine\c\windows\notepad.exe.vir
    c:\qoobox\quarantine\c\windows\zllsputility.exe.vir

    Please upload the file to this website

    Kindly include a link to this topic in the message.


    Delete these files:
    C:\MGtools.exe
    c:\winxphm\00xjvpiu0b1azkr19b978mu8.ini


    Something seems strange about my Flash player. I first noticed it several weeks ago, when I last updated it. No matter what I do, I can't seem to get rid of the old player and get a new one.
    Your current Windows installation seems to be in the c:\winxphm folder. That means the Flash installation should be in the c:\winxphm\system32\Macromed\Flash folder. See if the correct version exists there.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
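
    The check behind this answer, as an added example that is not part of the original post: when a disk holds more than one Windows installation, compare the Flash binaries under each root and flag older copies that sit outside the running one. The version is read by scanning for the VS_FIXEDFILEINFO signature, a heuristic that assumes the version resource is stored uncompressed; all function names are hypothetical.

```python
import os
import struct

# VS_FIXEDFILEINFO begins with dwSignature 0xFEEF04BD, followed by
# dwStrucVersion, dwFileVersionMS and dwFileVersionLS (little-endian DWORDs).
SIGNATURE = struct.pack("<I", 0xFEEF04BD)

def file_version(data):
    """Return 'a.b.c.d' from the first plausible VS_FIXEDFILEINFO, else None."""
    pos = data.find(SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            struc_ver, ms, ls = struct.unpack_from("<III", data, pos + 4)
            if struc_ver == 0x00010000:  # skip chance matches of the signature
                return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(SIGNATURE, pos + 1)
    return None

def flash_versions(windows_roots):
    """Map every Flash binary under each Windows root to its file version."""
    found = {}
    for root in windows_roots:
        flash_dir = os.path.join(root, "system32", "Macromed", "Flash")
        if not os.path.isdir(flash_dir):
            continue
        for name in sorted(os.listdir(flash_dir)):
            if name.lower().endswith((".ocx", ".dll", ".exe")):
                path = os.path.join(flash_dir, name)
                with open(path, "rb") as fh:
                    found[path] = file_version(fh.read())
    return found

def _under(path, root):
    return os.path.normcase(path).startswith(os.path.normcase(os.path.join(root, "")))

def _key(version):
    return tuple(int(part) for part in version.split("."))

def stale_copies(versions, active_root):
    """Paths outside the running install that are older than its newest copy."""
    active = [_key(v) for p, v in versions.items() if v and _under(p, active_root)]
    # () sorts below every version, so nothing is flagged without an active copy.
    newest = max(active, default=())
    return sorted(p for p, v in versions.items()
                  if v and not _under(p, active_root) and _key(v) < newest)

if __name__ == "__main__":  # roots named in this thread; SystemRoot is the running install
    active_root = os.environ.get("SystemRoot", r"c:\winxphm")
    for path in stale_copies(flash_versions([r"C:\Windows", r"c:\winxphm"]), active_root):
        print("stale copy outside running install:", path)
```

    A copy reported here is not loaded by the running installation, which is why the online version test and the file in the other folder can disagree.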

  3. #13
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    Default

    Blade, I submitted that file as you instructed and linked it to your post and this thread. I deleted the two files.

    You're right about the current version of Flash player being at c:\winxphm\system32\Macromed\Flash folder! You are wise! The other question is, why won't it let me delete the old Flash player and its folder, if it's not in use?

  4. #14
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Thanks for the file submission.

    The other question is, why won't it let me delete the old Flash player and its folder, if it's not in use?
    Do you mean the old version in the C:\Windows\system32\Macromed\Flash folder? You have to take ownership of the file (instructions here).

    How's the system running now?

  5. #15
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    Default

    My system is running much faster than it was before we started (I don't expect it to run too very fast, because it's outdated.) Do you think it is successfully cleaned, now? Or is it too early to be excited?

    Regarding the Flash player, I only wanted to get rid of the old one because I thought it was a vulnerability. I tried to reboot into Safe mode, but when I did, I got a screen with only this line on it:
    Multi(0)disk(0)rdisk(0)partition(1)\WINXPHM\system32\ntoskrnl.exe
    I had to hard boot out of it, so I haven't taken ownership, yet.

    When it's safe to do so, I want to move my files off of this computer, on to another one. Would you please advise me on how to do this safely? If it makes any difference, there is more than one install on it; one other one has older files on it, but the install I'm using is the one with the infection.

    I'm also concerned whether someone was able to steal private information during this infection. Do you think it's likely, based upon the sort of infection it is? At one point, before I got an AVG alert of this infection, my system was skipping keystrokes - that is, I was typing, but not all the strokes were appearing on the screen. This only went on a short time, but it makes me wonder now. By the way, have you been able to identify what the name of the infection is or how I allowed it onto my computer? I'm usually so cautious.

    And, I don't know if it's alright to ask, but what security software set-up do you find most effective? I'm willing to put up with alerts, if it means I can protect my privacy and security. I really want to prevent future intrusions on my system.

  6. #16
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    When it's safe to do so, I want to move my files off of this computer, on to another one. Would you please advise me on how to do this safely?
    I believe it would be ok to transfer files now. Seeing how there're multiple Windows installations there I recommend you reformat the system and create a fresh Windows installation after transferring those needed files.

    I'm also concerned whether someone was able to steal private information during this infection. Do you think it's likely, based upon the sort of infection it is?
    It's never a bad idea to change online passwords if infection hits the system. I recommend reading this topic. It holds some info about things that could have caused infection.

    And, I don't know if it's alright to ask, but what security software set-up do you find most effective?
    Good free antivirus programs are:
    Antivir
    Avast! and
    AVG Free Antivirus

    Good commercial ones are from:
    Kaspersky and
    ESET

    For firewall I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo SafeSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!).

  7. #17
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    Default

    Quote Originally Posted by Blade81 View Post

    I believe it would be ok to transfer files now.
    Really? That's great news! ah, I'm so relieved!!



    Blade, while the infection was still active, I saved some vital files on a flash drive, a little 1GB thumb drive. Would it be too complicated to clean it, so it can be used again?



    It's never a bad idea to change online passwords if infection hits the system. I recommend reading this topic. It holds some info about things that could have caused infection.
    Thanks for bringing my attention to that. Reading that, I've just changed all my most important passwords. :P I'm going to have a time re-memorizing them!

    I've looked at that topic you recommend, but I'll go over it more carefully, now.

    Good free antivirus programs are:
    Antivir
    Avast! and
    AVG Free Antivirus

    Good commercial ones are from:
    Kaspersky and
    ESET

    For firewall I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo SafeSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!).
    I'm very grateful for your recommendations, to help me make the right security choices.

  8. #18
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Blade, while the infection was still active, I saved some vital files on a flash drive, a little 1GB thumb drive. Would it be too complicated to clean it, so it can be used again?
    You can scan the drive with Kaspersky online scanner

  9. #19
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    Default

    Quote Originally Posted by Blade81 View Post
    Hi,


    You can scan the drive with Kaspersky online scanner
    Blade, hello again!

    I had to be away for a couple of days, from finishing this process.

    I scanned the thumbnail drive as you advised, with Kaspersky online scanner, and it came up clean. I then scanned it with AVG. Then I scanned my system with Spybot S&D, while the thumbnail drive was plugged in. They reported it was clean, too! Yeay!

    Does the infection this computer had have a name, other than the various Trojan names that came up? Is one of them the original problem?

    On the computer I'm moving files to, I've installed Online Armor and Avira, from your recommendations. I'm wondering if a cleaner and site checker are necessary, such as CCleaner and WOT.

    If it is getting near complete, I want to thank you so much! for sharing your great expertise with me! You've been patient with my lack of knowledge and thorough in doing a difficult job, so that I could avoid losing my important files or possible identity theft. You've been great:

  10. #20
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Does the infection this computer had have a name, other than the various Trojan names that came up? Is one of them the original problem?
    Different protection software detects infections with different names. Likely those found ones were part of the original problem.

    I'm wondering if a cleaner and site checker are necessary, such as CCleaner and WOT.
    WOT is ok. If you install CCleaner I recommend not using the registry cleaning component. Registry cleaners tend to cause more trouble than they give benefits.
