Thread: help with Backdoor Trojan

  #1 Junior Member (Join Date: May 2010, Posts: 12)

    help with Backdoor Trojan

    Hi, can anyone help me with advice on how to remove a virus my PC seemed to get 2 days ago? It's called `Backdoor:Win32.Nuwar.A` and seems to be in at least one folder, `AppData/local.asam`, and possibly in `AppData/local.syssvc` too (according to Microsoft Security Essentials, as it asks me to send info on those files every time it has to clean Backdoor/Win32.Nuwar.A from the system).

    My Microsoft Security Essentials has detected and deleted this virus over and over in the past 48 hrs since it showed up, but it just keeps popping back, and I have to repeat the scans and deletes time after time.

    I'm stumped on what to do. I rarely ever get any viruses or any cause for Microsoft Security Essentials to be called into action; past rare problems have been dealt with and deleted the first time, no problem, but this virus just keeps coming back for more, and I've no idea what to do since Microsoft Security Essentials doesn't seem to be able to deal with it this time.

    Many Thanks.

    Allison.

    I'm really sorry, I should have read more carefully what info I needed to include with my description. I'm a noob, I apologise. After re-reading the "before you post" topic more carefully, I only hope I now get it right and put the bits in right in this second post, or my secret identity as a blonde air-head will be blown. lol... here goes...

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Allison at 1:17:22.41 on 14/05/2010
    Internet Explorer: 8.0.6001.18882
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1534.867 [GMT 1:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Allison\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QP0OFCO2\dds[1].scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.facebook.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [dwdttuvn] c:\users\allison\appdata\local\xxaimewmp\lrijxgmtssd.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    LSP: c:\windows\system32\wpclsp.dll
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\allison\appdata\roaming\mozilla\firefox\profiles\v1soe1id.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://facebook.com/
    FF - prefs.js: keyword.URL - hxxp://search.bearshare.com//web?src=ffb&q=
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\users\allison\appdata\roaming\mozilla\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
    S2 IK;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]

    =============== Created Last 30 ================

    2010-05-13 07:28:45 4838 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-05-12 02:37:40 157634354 ----a-w- c:\windows\MEMORY.DMP
    2010-05-01 02:58:20 0 d-----w- c:\programdata\1468
    2010-04-27 23:09:52 0 d-----w- c:\program files\common files\DivX Shared
    2010-04-27 23:09:06 0 d-----w- c:\program files\DivX
    2010-04-27 23:08:36 0 d-----w- c:\programdata\DivX
    2010-04-27 16:55:30 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2010-04-20 09:46:04 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-04-20 09:46:03 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-04-20 09:46:00 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-04-20 09:45:58 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-04-20 09:35:41 0 d--h--w- c:\windows\msdownld.tmp
    2010-04-20 09:35:35 0 d-----w- c:\windows\system32\directx
    2010-04-19 17:18:27 0 d-----w- c:\program files\Microsoft Security Essentials

    ==================== Find3M ====================

    2010-04-20 15:35:46 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-04-20 15:25:39 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-04-20 15:25:39 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-04-17 17:24:40 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
    2010-02-24 10:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-10 17:26:11 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2010-02-05 12:27:47 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-12-18 17:00:45 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

    ============= FINISH: 1:18:24.26 ===============
    Last edited by tashi; 2010-05-17 at 02:52. Reason: Merged two posts :-)
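The DDS "Pseudo HJT Report" above is what a helper reads first. The script below is an added example, not part of this thread or of the DDS tool: it parses report lines in the format DDS prints and flags the entries a helper would look at first, which in this log are the user-level `ProxyServer = http=127.0.0.1:5555` setting, the `uRun: [dwdttuvn]` entry that starts an executable out of `AppData\Local`, the BHO registered with `No File`, and the Firefox `keyword.URL` pointing at a third-party search site. The sample lines are copied from the log in the post; the flagging rules (`USER_WRITABLE`, `LOOPBACK_RE`) and the finding names are this example's own heuristics, not DDS output.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of the thread or of the DDS tool. The sample lines
are copied from the log in the post above; the flagging rules and finding
names are this example's own heuristics, not DDS output.
"""
import re

SAMPLE_REPORT = r"""
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [dwdttuvn] c:\users\allison\appdata\local\xxaimewmp\lrijxgmtssd.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
FF - prefs.js: keyword.URL - hxxp://search.bearshare.com//web?src=ffb&q=
"""

# DDS prefixes: uRun = HKCU Run key, mRun = HKLM Run key.
RUN_RE = re.compile(r'^(?P<scope>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer = (?P<value>.+)$')
BHO_RE = re.compile(r'^BHO: (?:(?P<desc>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
KEYWORD_RE = re.compile(r'^FF - prefs\.js: keyword\.URL - (?P<url>.+)$')
LOOPBACK_RE = re.compile(r'(?:127\.0\.0\.1|localhost):(?P<port>\d+)', re.I)

# Autostarts whose binary lives somewhere the user (and so any code the user
# runs) can write are the first thing to look at. Heuristic, not a verdict.
USER_WRITABLE = ('\\appdata\\local\\', '\\appdata\\roaming\\', '\\temp\\')


def exe_path(cmd):
    """Return the executable part of a Run value: the quoted string if quoted,
    otherwise the first whitespace-separated token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage(report):
    """Return findings (dicts with a 'kind' key) in the order the lines appear."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            path = exe_path(m.group('cmd'))
            if any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append({'kind': 'autostart-user-profile',
                                 'scope': 'HKCU' if m.group('scope') == 'u' else 'HKLM',
                                 'name': m.group('name'), 'path': path})
            continue
        m = PROXY_RE.match(line)
        if m:
            lb = LOOPBACK_RE.search(m.group('value'))
            if lb:
                # Browser traffic is being sent to a local port; something on
                # this machine must be listening there. Find out what.
                findings.append({'kind': 'loopback-proxy', 'value': m.group('value'),
                                 'port': int(lb.group('port'))})
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group('path').strip().lower() == 'no file':
                # Registered BHO whose DLL is gone: leftover, low priority.
                findings.append({'kind': 'orphan-bho', 'clsid': m.group('clsid')})
            continue
        m = KEYWORD_RE.match(line)
        if m:
            # keyword.URL sends address-bar searches to this URL; a third-party
            # search site here is typical toolbar/bundleware residue.
            findings.append({'kind': 'ff-keyword-url', 'url': m.group('url')})
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

Run against the sample it reports four findings: the loopback proxy on port 5555, the orphaned BHO, the HKCU autostart `dwdttuvn` under `AppData\Local`, and the `keyword.URL` hijack. The loopback proxy is the one to chase first: whatever process listens on that port sees every HTTP request the browser makes.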

  #2 peku006, Emeritus - Security Expert (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Hello and welcome to Safer Networking

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:

    • If you don't know or understand something please don't hesitate to ask
    • Please DO NOT run any other tools or scans whilst I am helping you.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Absence of symptoms does not mean that everything is clear.


    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  #3 Junior Member (Join Date: May 2010, Posts: 12)

    ComboFix Log 17/05/10

    ComboFix 10-05-16.02 - Allison 17/05/2010 19:36:33.1.1 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1534.886 [GMT 1:00]
    Running from: c:\users\Allison\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
    .

    2010-05-15 17:28 . 2010-05-15 17:28 -------- d-----w- c:\users\Allison\AppData\Roaming\Safer Networking
    2010-05-15 17:26 . 2010-05-15 17:28 -------- d-----w- c:\program files\Safer Networking
    2010-05-14 13:39 . 2010-05-14 13:39 2855 ----a-w- c:\users\Allison\AppData\Local\syssvc.PIF
    2010-05-14 01:19 . 2010-05-14 01:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-05-14 01:19 . 2010-05-14 01:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-05-14 01:10 . 2010-05-14 01:12 -------- d-----w- c:\program files\ERUNT
    2010-05-13 07:21 . 2010-05-13 07:21 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{EAB66D24-8614-3E15-A4B7-BE2D7054983A}-asam.exe
    2010-05-12 03:24 . 2010-05-12 03:24 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{0D7CE56F-74E6-6B51-C4F9-A8D568E6C3D3}-asam.exe
    2010-05-12 03:17 . 2010-05-12 03:17 2855 ----a-w- c:\users\Allison\AppData\Local\asam.PIF
    2010-05-12 01:12 . 2010-05-12 01:12 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{20C19514-C1F7-28B5-4721-19085FA3684C}-syssvc.exe
    2010-05-01 02:58 . 2010-05-01 02:58 -------- d-----w- c:\programdata\1468
    2010-04-27 23:11 . 2010-04-27 23:11 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-04-27 23:11 . 2010-04-27 23:08 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
    2010-04-27 23:11 . 2010-04-06 11:04 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
    2010-04-27 23:10 . 2010-04-27 23:10 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
    2010-04-27 23:10 . 2010-04-27 23:10 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
    2010-04-27 23:10 . 2010-04-27 23:10 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
    2010-04-27 23:10 . 2010-04-27 23:10 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
    2010-04-27 23:10 . 2010-04-27 23:10 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-04-27 23:09 . 2010-04-27 23:09 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
    2010-04-27 23:09 . 2010-04-27 23:09 -------- d-----w- c:\program files\Common Files\DivX Shared
    2010-04-27 23:09 . 2010-04-27 23:10 -------- d-----w- c:\program files\DivX
    2010-04-27 23:08 . 2010-04-27 23:10 -------- d-----w- c:\programdata\DivX
    2010-04-27 16:55 . 2010-04-27 16:55 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2010-04-20 09:46 . 2010-02-04 09:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-04-20 09:46 . 2010-02-04 09:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-04-20 09:46 . 2010-02-04 09:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-04-20 09:45 . 2010-02-04 09:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-04-20 09:35 . 2010-04-20 09:42 -------- d--h--w- c:\windows\msdownld.tmp
    2010-04-19 17:18 . 2010-04-19 17:18 -------- d-----w- c:\program files\Microsoft Security Essentials

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-13 22:11 . 2010-05-13 07:28 4838 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-05-06 14:04 . 2009-12-08 11:55 1356 ----a-r- c:\users\Allison\AppData\Local\d3d9caps.dat
    2010-05-01 04:09 . 2009-12-22 22:29 -------- d-----w- c:\program files\Google
    2010-04-20 15:25 . 2010-03-21 02:38 -------- d-----w- c:\program files\Common Files\LogiShrd
    2010-04-18 16:37 . 2009-11-28 13:45 99864 ----a-w- c:\users\Allison\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-04-17 17:24 . 2010-03-20 16:31 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
    2010-04-14 15:19 . 2009-12-15 04:52 -------- d-----w- c:\programdata\NOS
    2010-04-13 21:16 . 2010-04-13 21:16 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb34AA.tmp.exe
    2010-04-12 18:05 . 2009-11-28 14:02 -------- d-----w- c:\program files\World of Warcraft
    2010-04-06 18:30 . 2010-04-06 18:30 -------- d-----w- c:\programdata\WindowsSearch
    2010-03-26 19:57 . 2010-03-26 19:57 -------- d-----w- c:\users\Kids\AppData\Roaming\Logitech
    2010-03-26 05:55 . 2009-12-17 15:45 -------- d-----w- c:\program files\Steam
    2010-03-26 05:35 . 2009-11-30 17:05 -------- d-----w- c:\programdata\Apple Computer
    2010-03-24 21:06 . 2010-03-24 21:06 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe
    2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe
    2010-03-21 02:40 . 2010-03-21 02:40 53248 ----a-r- c:\users\Allison\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
    2010-03-21 02:40 . 2010-01-19 18:07 -------- d-----w- c:\programdata\LogiShrd
    2010-03-21 02:39 . 2010-03-21 02:39 -------- d-----w- c:\program files\Common Files\SetPointG
    2010-03-21 02:39 . 2010-03-21 02:39 -------- d-----w- c:\program files\Common Files\SetPointP
    2010-03-20 16:25 . 2010-03-20 16:22 -------- d-----w- c:\users\Allison\AppData\Roaming\Logitech
    2010-03-20 16:23 . 2010-03-20 16:22 -------- d-----w- c:\users\Allison\AppData\Roaming\Logishrd
    2010-03-20 12:59 . 2010-01-27 17:32 -------- d-----w- c:\programdata\Microsoft Help
    2010-03-20 09:52 . 2010-03-12 11:10 -------- d-----w- c:\program files\Canon
    2010-03-20 09:50 . 2010-03-12 07:12 -------- d-----w- c:\users\Allison\AppData\Roaming\Canon
    2010-03-20 09:28 . 2009-12-17 15:46 -------- d-----w- c:\program files\Common Files\Steam
    2010-02-24 10:16 . 2009-11-29 10:47 181632 ------w- c:\windows\system32\MpSigStub.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-29 61440]
    "WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

    c:\users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office Groove.lnk - c:\program files\Microsoft Office\Office12\GROOVE.EXE [2007-8-29 340856]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

    c:\users\Allison\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    taskmgr shortcut.lnk - c:\windows\System32\taskmgr.exe [2008-1-21 163840]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]
    2010-01-27 11:30 1312848 ----a-w- c:\program files\Common Files\SetPointP\SetPoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):36,7a,29,09,1b,92,ca,01

    R2 IK;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe [2008-01-21 21504]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-05-14 14:31]

    2010-05-14 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-05-14 14:31]

    2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{3BA4D43F-A437-4B6A-A315-69B39969253D}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]

    2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{850964FB-6DB5-4D9A-9069-350105764764}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]

    2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{D58A8518-80BB-4064-9FA8-053C5566BE4A}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    LSP: c:\windows\system32\wpclsp.dll
    FF - ProfilePath - c:\users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\v1soe1id.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://facebook.com/
    FF - prefs.js: keyword.URL - hxxp://search.bearshare.com//web?src=ffb&q=
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\users\Allison\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-dwdttuvn - c:\users\Allison\AppData\Local\xxaimewmp\lrijxgmtssd.exe
    MSConfigStartUp-DriverUpdaterPro - c:\program files\CleverTune Software\Driver Updater Pro\DriverUpdaterPro.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-17 19:43
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-05-17 19:47:10
    ComboFix-quarantined-files.txt 2010-05-17 18:47

    Pre-Run: 79,005,655,040 bytes free
    Post-Run: 87,193,210,880 bytes free

    Current=3 Default=3 Failed=4 LastKnownGood=5 Sets=1,3,4,5
    - - End Of File - - 830DF9DADC585540C9C2F85F93AF2443
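The "Files Created" section of the ComboFix log above carries the timestamps behind "it keeps coming back": `asam.PIF` and `syssvc.PIF` appear under `AppData\Local`, and copies named `{GUID}-asam.exe` and `{GUID}-syssvc.exe` appear in the Microsoft Security Essentials `LocalCopy` folder at several points over three days. The script below is an added example, not part of the thread or of ComboFix: it parses those lines in ComboFix's format, groups them by file stem, and reports the stems for which a new copy showed up after MSE had already taken one. Reading `LocalCopy` as the place MSE keeps a copy of what it detected is this example's assumption (the poster said MSE asked to submit exactly those files); the event labels are the example's own, and the sample lines are copied from the log above.

```python
r"""Timeline of dropped files from a ComboFix 'Files Created' section.

Added example, not part of the thread or of ComboFix. The sample lines are
copied from the log above. Treating the MSE LocalCopy folder as the place
Microsoft Security Essentials keeps a copy of what it detected is this
example's assumption; the event labels are the example's own.
"""
import re
from collections import defaultdict

SAMPLE = r"""
2010-05-14 13:39 . 2010-05-14 13:39 2855 ----a-w- c:\users\Allison\AppData\Local\syssvc.PIF
2010-05-13 07:21 . 2010-05-13 07:21 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{EAB66D24-8614-3E15-A4B7-BE2D7054983A}-asam.exe
2010-05-12 03:24 . 2010-05-12 03:24 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{0D7CE56F-74E6-6B51-C4F9-A8D568E6C3D3}-asam.exe
2010-05-12 03:17 . 2010-05-12 03:17 2855 ----a-w- c:\users\Allison\AppData\Local\asam.PIF
2010-05-12 01:12 . 2010-05-12 01:12 61184 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{20C19514-C1F7-28B5-4721-19085FA3684C}-syssvc.exe
2010-04-27 23:09 . 2010-04-27 23:09 -------- d-----w- c:\program files\Common Files\DivX Shared
"""

# ComboFix row: <created> . <modified> <size or -------- for dirs> <attrs> <path>
LINE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r'(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$')
# {GUID}-<stem>.exe under the MSE LocalCopy folder (assumption: MSE's copy).
LOCALCOPY_RE = re.compile(r'\\localcopy\\\{[0-9a-f-]+\}-(?P<stem>[^\\]+)\.exe$', re.I)
# <stem>.PIF directly under the user's AppData\Local.
APPDATA_RE = re.compile(r'\\appdata\\local\\(?P<stem>[^\\]+)\.pif$', re.I)


def parse_created(text):
    """Yield (created, size_or_None, path) for each well-formed row."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = None if m.group('size').startswith('-') else int(m.group('size'))
            yield m.group('created'), size, m.group('path')


def build_timeline(text):
    """Group events by file stem, sorted by creation time.
    Event kinds: 'dropped' (PIF in AppData\Local), 'copied-by-mse' (LocalCopy)."""
    timeline = defaultdict(list)
    for created, size, path in parse_created(text):
        m = APPDATA_RE.search(path)
        if m:
            timeline[m.group('stem').lower()].append((created, 'dropped', size, path))
            continue
        m = LOCALCOPY_RE.search(path)
        if m:
            timeline[m.group('stem').lower()].append((created, 'copied-by-mse', size, path))
    for events in timeline.values():
        events.sort()          # 'YYYY-MM-DD HH:MM' strings sort chronologically
    return dict(timeline)


def recurring(timeline):
    """Stems with any event after MSE first took a copy: the on-disk trace of
    'detected, removed, and back again'."""
    hits = []
    for stem, events in timeline.items():
        first_copy = next((t for t, kind, _, _ in events if kind == 'copied-by-mse'), None)
        if first_copy and any(t > first_copy for t, _, _, _ in events):
            hits.append(stem)
    return sorted(hits)


if __name__ == '__main__':
    tl = build_timeline(SAMPLE)
    for stem, events in sorted(tl.items()):
        for created, kind, size, path in events:
            print(f'{created}  {stem:8} {kind:14} {size}  {path}')
    print('recurring:', recurring(tl))
```

On the sample, both `asam` and `syssvc` come out as recurring: MSE took a copy of `syssvc` on 12 May at 01:12 and a fresh `syssvc.PIF` was written on 14 May; `asam.PIF` was written on 12 May at 03:17 and MSE took copies of the `asam` executable twice afterwards. The small `.PIF` files (2855 bytes) and the larger executables (61184 bytes) are different objects with the same stem, which is why a cleaner that removes only the one it detects keeps finding a new one.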

  #4 peku006, Emeritus - Security Expert (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Hi lilcrooky

    1 - Download and Run Malwarebytes' Anti-Malware

    Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
    Please download Malwarebytes Anti-Malware and save it to your desktop. If needed...Tutorial w/screenshots
    Alternate download sites available here or here.
    1. Make sure you are connected to the Internet.
    2. Double-click on mbam-setup.exe to install the application.
    3. When the installation begins, follow the prompts and do not make any changes to default settings.
    4. When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
      MBAM will automatically start and you will be asked to update the program before performing a scan.
      • If an update is found, the program will automatically update itself.
      • Press the OK button to close that box and continue.
      • Problems downloading the updates? Manually download them from here and double-click on "mbam-rules.exe" to install.

    On the Scanner tab:
    1. Make sure the "Perform full scan" option is selected.
    2. Then click on the Scan button.
    3. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    4. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    5. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    6. Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    1. Click on the Show Results button to see a list of any malware that was found.
    2. Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
      We will take care of the System Volume Information items later.
    3. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    5. Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    2 - Status Check
    Please reply with

    the Malwarebytes' Anti-Malware Log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  #5 Junior Member (Join Date: May 2010, Posts: 12)

    I also forgot to mention that I have been unable to perform any Windows Updates at all since 16/02/2010. When I try to access Windows Update via Control Panel (>Control Panel >System and Maintenance >Windows Update) it crashes the Control Panel screen the second I click on Windows Update, and the crashed Control Panel screen can then only be removed via Task Manager (selecting the crashed control window in the Applications tab of Task Manager and clicking End Task, which opens a small window saying it is not responding, giving me the option to `End now`, which I do). When I do that it pops up with a window saying `Windows Explorer is not responding` >Check for a solution and close the program (it checks but never offers a solution / no solutions found) and >Close the program & View problem details:

    Description:
    A problem caused this program to stop interacting with Windows.

    Problem signature:
    Problem Event Name: AppHangXProcB1
    Application Name: Explorer.EXE
    Application Version: 6.0.6002.18005
    Application Timestamp: 49e01da5
    Hang Signature: 82aa
    Hang Type: 6208
    Waiting on Application Name: svchost.exe:{9b1f122c-2982-4e91-aa8b-e071d54f2a4d}
    Waiting on Application Version: 0.0.0.0
    OS Version: 6.0.6002.2.2.0.768.3
    Locale ID: 2057
    Additional Hang Signature 1: cc926d7385ddf3e3f97224a44dccc56f
    Additional Hang Signature 2: 49ca
    Additional Hang Signature 3: 3fb2b40050b6728d372f689f24329bc1
    Additional Hang Signature 4: 82aa
    Additional Hang Signature 5: cc926d7385ddf3e3f97224a44dccc56f
    Additional Hang Signature 6: 49ca
    Additional Hang Signature 7: 3fb2b40050b6728d372f689f24329bc1

    Read our privacy statement:
    http://go.microsoft.com/fwlink/?link...3&clcid=0x0409

    I've also noticed for a couple of months that whenever Task Manager is open the CPU usage (bar/graph) is always at 100%. When I check this via >Task Manager >Performance >Resource Monitor >CPU, it shows `svchost.exe` always at the top of that list, using an `average CPU` amount of 72%-81% (it changes constantly while I'm looking at it but is normally between those figures), and old `generate health reports` through Resource Monitor have pointed something out to do with `svchost.exe` files that of course I couldn't understand. It seems incredibly high even to a tech novice like myself; nothing else comes close on the `average CPU` list (anything listed under svchost.exe, of many there) in %, so I wondered if that was usual too?

    Sorry, I'm PC illiterate, but I can just about find my way around, especially if helped/pointed in the right direction, and would love to get to the bottom of the:

    Windows Update issue
    CPU usage issue
    Backdoor:Win32/Nuwar.A
    Trojan:Win32/FakeSpypro

    and any other issues my PC may have that haven't been spotted (those four issues/problems/viruses are merely the ones I've managed to see/detect so far, but there may be ones that were not as obvious to spot and have therefore gone unspotted by my very untrained eye), restore some normality to my system, and of course learn how to prevent such occurrences happening again once these are resolved. I'm hoping to deal with them, and then I'm happy to learn from past mistakes to prevent it happening again.

    Thanks for the time and help on this so far...

    Allison.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4111

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18882

    18/05/2010 14:47:56
    mbam-log-2010-05-18 (14-47-56).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
    Objects scanned: 255960
    Time elapsed: 1 hour(s), 37 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
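The question about `svchost.exe` at 72-81% CPU cannot be answered from Resource Monitor alone: every svchost.exe instance hosts a different group of services and Resource Monitor shows only the image name and PID. The usual way to map the busy PID to the services behind it is `tasklist /svc`. The script below is an added example, not part of the thread: it parses `tasklist /svc` output, looks up the services hosted by a PID and the PID hosting a named service (for instance `wuauserv`, the Windows Update service, which matters here because Windows Update is also failing), and lists any process called svchost.exe that hosts no service at all, which is worth a closer look since svchost.exe exists only to host services. The sample output is constructed for this example and does not come from the poster's machine; the thread never identifies which service was responsible.

```python
"""Map a busy svchost.exe PID to the services it hosts, from `tasklist /svc`.

Added example, not part of the thread. The sample output is constructed for
this example (it is not from the poster's machine) in the layout tasklist
prints: a header, a rule of '=' signs, then one row per process, with long
service lists wrapped onto indented continuation lines.
"""
import re

SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    820 DcomLaunch, PlugPlay
svchost.exe                    928 RpcSs
svchost.exe                   1040 AudioSrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe                   1112 AeLookupSvc, BITS, Browser, gpsvc, IKEEXT,
                                   Schedule, SENS, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
svchost.exe                   2204 N/A
MsMpEng.exe                   1240 MsMpSvc
"""

# image name (may contain spaces), whitespace, PID, whitespace, service list
ROW_RE = re.compile(r'^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$')


def _split_services(field):
    return [s.strip() for s in field.split(',') if s.strip()]


def parse_tasklist_svc(text):
    """Return one dict per process: {'image', 'pid', 'services'}."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('Image Name') or line.startswith('='):
            continue
        if line[0].isspace():
            # Indented line: continuation of the previous row's service list.
            if rows:
                rows[-1]['services'].extend(_split_services(line))
            continue
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue
        field = m.group('services').strip()
        rows.append({'image': m.group('image'),
                     'pid': int(m.group('pid')),
                     'services': [] if field == 'N/A' else _split_services(field)})
    return rows


def services_for_pid(rows, pid):
    """Services hosted by the process with this PID (the one Resource Monitor
    shows at the top of the CPU column)."""
    for row in rows:
        if row['pid'] == pid:
            return list(row['services'])
    return []


def host_of(rows, service):
    """PID of the process hosting the named service, or None if not running."""
    wanted = service.lower()
    for row in rows:
        if any(s.lower() == wanted for s in row['services']):
            return row['pid']
    return None


def svchost_without_services(rows):
    """Processes named svchost.exe that host nothing. Worth checking where
    such a process runs from and what started it."""
    return [row for row in rows
            if row['image'].lower() == 'svchost.exe' and not row['services']]


if __name__ == '__main__':
    rows = parse_tasklist_svc(SAMPLE_TASKLIST)
    print('PID 1112 hosts:', services_for_pid(rows, 1112))
    print('wuauserv runs in PID:', host_of(rows, 'wuauserv'))
    print('svchost.exe with no services:',
          [r['pid'] for r in svchost_without_services(rows)])
```

Usage on a live machine: run `tasklist /svc > tasklist.txt`, note the svchost.exe PID that Resource Monitor puts at the top, and feed the file to `parse_tasklist_svc` and `services_for_pid`. Once the service group is known, stopping the hosted services one at a time (`sc stop <name>`) shows which one is consuming the CPU. A svchost.exe that hosts no service at all is the other thing to pull out of the list, since nothing legitimate starts one that way.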

  #6 peku006, Emeritus - Security Expert (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Hi Allison

    Let's take a "deeper look"

    Download OTL by Old Timer and save it to your Desktop.
    • Double click on OTL.exe to run it.
    • Under Output, ensure that Minimal Output is selected.
    • Under Extra Registry section, select Use SafeList.
    • Click the Scan All Users checkbox.
    • Click on Run Scan at the top left hand corner.
    • When done, two Notepad files will open.
      • OTListIt.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Please post the contents of these 2 Notepad files in your next reply.


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
