Topic: Nasty Virus

crowman
Nasty Virus
« on: April 28, 2009, 04:48:03 PM »
Hi, I would appreciate any help with my daughter's (secondhand) laptop, which is badly infected. It is running XP Pro. Denies access to the internet. Denies access to antivirus or Trend Micro etc. I have installed the following by disc: Avast, Malwarebytes, Prevx, Sophos, SpyHunter, WinPatrol, CCleaner. Here are their logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:03:23, on 28/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
O2 - BHO: (no name) - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [2762828] C:\WINDOWS\TEMP\\2762828.exe
O4 - HKLM\..\Run: [warn default inter for] C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default\that 32.exe
O4 - HKLM\..\Run: [Radio-TV adverts] C:\WINDOWS\Temp\rtv_winupd.exe
O4 - HKLM\..\Run: [VT100 Emulator] C:\WINDOWS\system32\VT100.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\bbzo6bof8.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\b76fvalu.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\yapigifa.dll ,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: sigpgfwc - pgrygka.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6211 bytes


Logfile of random's system information tool 1.06 (written by random/random)
Run by B's at 2009-04-28 15:53:39
Microsoft Windows XP Professional Service Pack 2
System drive C: has 70 GB (94%) free of 75 GB
Total RAM: 894 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:53:41, on 28/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\B's\UserData\A2PVYNG7\My Documents\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\B's.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
O2 - BHO: (no name) - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [2762828] C:\WINDOWS\TEMP\\2762828.exe
O4 - HKLM\..\Run: [warn default inter for] C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default\that 32.exe
O4 - HKLM\..\Run: [Radio-TV adverts] C:\WINDOWS\Temp\rtv_winupd.exe
O4 - HKLM\..\Run: [VT100 Emulator] C:\WINDOWS\system32\VT100.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\bbzo6bof8.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\b76fvalu.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\yapigifa.dll ,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: sigpgfwc - pgrygka.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5703 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2BA40A2-74F0-42BD-F434-12345A2C8953}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2008-08-11 2903040]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-08-11 16269824]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-08-11 90112]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-12-11 364544]
"Media Codec Update Service"=C:\Program Files\Essentials Codec Pack\update.exe [2007-04-08 323584]
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE [2002-02-04 73728]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-02-01 1103240]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"SpyHunter Security Suite"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2009-04-02 868352]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-04-20 337216]
"2762828"=C:\WINDOWS\TEMP\\2762828.exe []
"warn default inter for"=C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default\that 32.exe [2009-04-25 739328]
"Radio-TV adverts"=C:\WINDOWS\Temp\rtv_winupd.exe []
"VT100 Emulator"=C:\WINDOWS\system32\VT100.EXE [2009-04-25 132608]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 35840]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1688064]
""=C:\WINDOWS\TEMP\bbzo6bof8.exe []
"HijackThis startup scan"=C:\Program Files\Trend Micro\HijackThis\HijackThis.exe [2009-04-25 417280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Update Agent.lnk - C:\Program Files\3\3Connect\AutoUpdateSrv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\yapigifa.dll ,c:\progra~1\ThunMail\testabd.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-08-11 47104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sigpgfwc]
pgrygka.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\yapigifa.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\B's\Desktop\utorrent.exe"="C:\Documents and Settings\B's\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Guild Wars\Gw.exe"="C:\Program Files\Guild Wars\Gw.exe:*:Enabled:Guild Wars"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\WINDOWS\system32\services.exe"="C:\WINDOWS\system32\services.exe:*:enabled:@shell32.dll,-1"
"C:\WINDOWS\Temp\2762828.exe"="C:\WINDOWS\Temp\2762828.exe:*:Enabled:2762828"
"C:\WINDOWS\system32\VT100.EXE"="C:\WINDOWS\system32\VT100.EXE:*:Enabled:VT100 Emulator"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5eb04089-67ae-11dd-bf80-001b240f2a51}]
shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa3351c6-eca7-11dd-bfa4-001b240f2a51}]
shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa3351c8-eca7-11dd-bfa4-001b240f2a51}]
shell\AutoRun\command - F:\AutoRun.exe


======File associations======

.ini - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-04-28 15:50:36 ----D---- C:\rsit
2009-04-28 00:41:59 ----D---- C:\Documents and Settings\B's\Application Data\WinPatrol
2009-04-28 00:41:50 ----D---- C:\Program Files\BillP Studios
2009-04-27 23:56:04 ----D---- C:\Program Files\Enigma Software Group
2009-04-27 23:50:24 ----D---- C:\Program Files\Prevx
2009-04-27 23:50:17 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2009-04-27 23:50:17 ----A---- C:\WINDOWS\wininit.ini
2009-04-27 21:54:42 ----D---- C:\Program Files\Sophos
2009-04-27 20:27:56 ----A---- C:\WINDOWS\system32\jksahfo93wjfkd.dll
2009-04-26 19:14:40 ----D---- C:\WINDOWS\system32\appmgmt
2009-04-26 02:47:33 ----D---- C:\Documents and Settings\B's\Application Data\Malwarebytes
2009-04-26 02:47:26 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-26 02:47:26 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-26 00:37:45 ----A---- C:\WINDOWS\system32\MSVCP71.dll
2009-04-26 00:37:45 ----A---- C:\WINDOWS\system32\MFC71.dll
2009-04-26 00:37:45 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-04-26 00:37:43 ----D---- C:\Program Files\Alwil Software
2009-04-25 19:39:18 ----N---- C:\WINDOWS\system32\VT100.EXE
2009-04-25 19:39:09 ----RSHD---- C:\Program Files\ThunMail
2009-04-25 19:08:13 ----D---- C:\Program Files\Trend Micro
2009-04-25 16:14:25 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-04-25 16:12:53 ----D---- C:\Program Files\Spyware Doctor
2009-04-25 16:12:53 ----D---- C:\Documents and Settings\B's\Application Data\PC Tools
2009-04-25 13:35:33 ----D---- C:\WINDOWS\pss
2009-04-24 16:49:50 ----SH---- C:\WINDOWS\system32\evatuyur.ini
2009-04-22 22:29:08 ----D---- C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default
2009-04-17 13:11:55 ----HD---- C:\WINDOWS\msdownld.tmp
2009-04-09 22:08:06 ----D---- C:\Documents and Settings\B's\Application Data\MailFrontier
2009-04-09 22:03:31 ----A---- C:\WINDOWS\zllsputility.exe
2009-04-09 22:03:11 ----A---- C:\WINDOWS\system32\vsregexp.dll
2009-04-09 22:02:58 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2009-04-09 22:02:58 ----A---- C:\WINDOWS\system32\zlcomm.dll
2009-04-09 22:02:51 ----A---- C:\WINDOWS\system32\vswmi.dll
2009-04-09 22:02:49 ----A---- C:\WINDOWS\system32\zpeng25.dll
2009-04-09 22:02:49 ----A---- C:\WINDOWS\system32\vsxml.dll
2009-04-09 22:02:48 ----D---- C:\WINDOWS\system32\ZoneLabs
2009-04-09 22:02:48 ----A---- C:\WINDOWS\system32\vspubapi.dll
2009-04-09 22:02:48 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2009-04-09 22:01:54 ----A---- C:\WINDOWS\system32\vsutil.dll
2009-04-09 22:01:54 ----A---- C:\WINDOWS\system32\vsinit.dll
2009-04-09 22:01:54 ----A---- C:\WINDOWS\system32\vsdata.dll
2009-04-09 21:59:40 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-04-09 21:59:36 ----HDC---- C:\WINDOWS\$NtUninstallKB943232$
2009-04-09 21:59:22 ----D---- C:\Program Files\Zone Labs
2009-04-09 21:56:59 ----D---- C:\WINDOWS\Internet Logs
2009-04-09 21:01:39 ----D---- C:\Program Files\CCleaner

======List of files/folders modified in the last 1 months======

2009-04-28 15:50:44 ----D---- C:\WINDOWS\Prefetch
2009-04-28 15:49:20 ----D---- C:\WINDOWS\Temp
2009-04-28 15:40:40 ----D---- C:\WINDOWS\system32\drivers
2009-04-28 15:38:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-28 15:36:21 ----D---- C:\WINDOWS
2009-04-28 15:36:11 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-28 15:35:23 ----D---- C:\Program Files\Mozilla Firefox
2009-04-28 00:41:50 ----RD---- C:\Program Files
2009-04-27 23:56:08 ----D---- C:\WINDOWS\system32
2009-04-27 21:03:05 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-27 20:28:46 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-04-27 20:28:28 ----SHD---- C:\WINDOWS\Installer
2009-04-27 20:27:51 ----H---- C:\WINDOWS\system32\ntoskrnl.exe
2009-04-27 20:27:15 ----D---- C:\Program Files\Common Files
2009-04-26 04:01:16 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
2009-04-26 01:12:40 ----D---- C:\WINDOWS\system32\config
2009-04-25 23:51:32 ----D---- C:\Program Files\Google
2009-04-25 23:51:32 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-04-25 23:40:11 ----D---- C:\WINDOWS\SoftwareDistribution
2009-04-25 23:39:36 ----SD---- C:\WINDOWS\Tasks
2009-04-25 22:34:09 ----SHD---- C:\System Volume Information
2009-04-25 22:34:09 ----D---- C:\WINDOWS\system32\Restore
2009-04-25 19:56:39 ----D---- C:\Documents and Settings\B's\Application Data\uTorrent
2009-04-25 19:38:32 ----A---- C:\WINDOWS\system32\svchost.exe
2009-04-25 19:38:22 ----ASH---- C:\WINDOWS\system32\norupeze.exe
2009-04-25 16:14:13 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-25 15:54:59 ----SH---- C:\boot.ini
2009-04-25 15:54:59 ----A---- C:\WINDOWS\win.ini
2009-04-25 15:54:59 ----A---- C:\WINDOWS\system.ini
2009-04-25 14:33:15 ----HD---- C:\WINDOWS\inf
2009-04-25 14:29:14 ----HD---- C:\Program Files\InstallShield Installation Information
2009-04-24 16:49:42 ----ASH---- C:\WINDOWS\system32\numisufe.dll
2009-04-24 16:49:40 ----ASH---- C:\WINDOWS\system32\yeneriho.exe
2009-04-22 23:57:11 ----D---- C:\Program Files\Messenger
2009-04-20 21:56:09 ----D---- C:\WINDOWS\system32\Macromed
2009-04-20 18:07:22 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-09 21:57:02 ----D---- C:\WINDOWS\WinSxS
2009-04-09 21:50:19 ----D---- C:\WINDOWS\Debug
2009-04-06 18:05:22 ----D---- C:\WINDOWS\Help
2009-04-04 23:48:34 ----D---- C:\Documents and Settings\B's\Application Data\MSNInstaller

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 56fd6c48;56fd6c48; C:\WINDOWS\System32\drivers\56fd6c48.sys [2009-04-26 94204]
R1 aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\aavmker4.sys [2009-02-05 26944]
R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2007-12-10 66952]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2007-12-10 81288]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 KLIF;KLIF; C:\WINDOWS\System32\DRIVERS\klif.sys [2008-12-11 148496]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R2 aswmon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswmon2.sys [2009-02-05 94032]
R2 mdvrmng;Mobile IP Route Manager; \??\C:\WINDOWS\system32\drivers\mdvrmng.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-08-11 1414656]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-08-11 4304384]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
S1 aswsp;avast! Self Protection; C:\WINDOWS\system32\drivers\aswsp.sys [2009-02-05 114768]
S1 aswtdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswtdi.sys [2009-02-05 51376]
S1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
S2 aswfsblk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 aswrdr;aswRdr; C:\WINDOWS\system32\drivers\aswrdr.sys [2009-02-05 23152]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 hqghum;hqghum; \??\C:\WINDOWS\system32\01.tmp []
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2008-03-17 101376]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\2.tmp []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\SE27bus.sys [2006-05-15 61600]
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys [2006-05-15 9360]
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\SE27mdm.sys [2006-05-15 97184]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswupdsv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-08-11 393216]
R2 avast! antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 CSIScanner;CSIScanner; C:\Program Files\Prevx\prevx.exe [2009-04-27 4368440]
R2 msncache;msncache; C:\WINDOWS\system32\svchost.exe [2009-04-25 14336]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-03-04 948616]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 avast! mail scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
S2 enzslziw;Remote Access Auto Connection Helper; C:\WINDOWS\System32\svchost.exe [2009-04-25 14336]
S2 Eventprov;Universal Task; C:\WINDOWS\system32\svchost.exe [2009-04-25 14336]
S2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
S3 avast! web scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------
I would greatly appreciate any help in trashing these bugs.
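As an added example (not part of this thread or of HijackThis itself), here is a small Python triage script that applies, mechanically, the checks a helper applies by eye to the O4/O20/O23 lines in the log above: Run entries with an empty name or pointing into a Temp or Application Data folder, a populated AppInit_DLLs value, a Winlogon Notify package whose DLL is missing, and a service with an unknown owner. The sample lines are copied from crowman's log; the heuristics, thresholds and function names are my own assumptions, not a published ruleset.

```python
"""Triage a HijackThis log for common autostart persistence patterns."""
import re
from dataclasses import dataclass, field

# Constructed sample: O4/O20/O23 lines copied from the HijackThis log in the
# post above, plus two benign lines (ATIPTA, CSIScanner) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [2762828] C:\WINDOWS\TEMP\\2762828.exe
O4 - HKLM\..\Run: [Radio-TV adverts] C:\WINDOWS\Temp\rtv_winupd.exe
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\bbzo6bof8.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\b76fvalu.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [warn default inter for] C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default\that 32.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\yapigifa.dll ,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: sigpgfwc - pgrygka.dll (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First absolute Windows path ending in an executable extension inside a command line.
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd))", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def check_o4(line):
    """Heuristics (my own) for registry Run entries."""
    m = O4_RE.match(line)
    if not m:
        return []
    reasons = []
    if not m.group("name").strip():
        reasons.append("Run value has an empty name; legitimate installers name their entries")
    pm = PATH_RE.search(m.group("cmd"))
    if pm:
        path = pm.group("path").lower()
        if "\\temp\\" in path:
            reasons.append("autostart executable lives in a Temp directory")
        elif "\\application data\\" in path:
            reasons.append("autostart executable lives under Application Data rather than Program Files")
    return reasons


def check_o20(line):
    """AppInit_DLLs and Winlogon Notify are classic code-injection/persistence points."""
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return ["AppInit_DLLs is populated: the listed DLLs load into every process that links user32.dll"]
    if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
        return ["Winlogon Notify package whose DLL is missing: orphaned or hidden persistence"]
    return []


def check_o23(line):
    """Services whose binary carries no recognised publisher deserve a second look."""
    if line.startswith("O23 - Service:") and " - Unknown owner - " in line:
        return ["service binary has no recognised publisher"]
    return []


CHECKS = (check_o4, check_o20, check_o23)


def triage(log_text):
    """Return one Finding per suspicious line, with every reason that fired."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = [r for check in CHECKS for r in check(line)]
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Eight of the ten sample lines are flagged; the two vendor-installed entries pass, which is the point: the script narrows the list a helper has to read, it does not replace the judgement call on each item.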



GR@PH;<'S (Administrator)
Re: Nasty Virus
« Reply #1 on: April 28, 2009, 08:51:00 PM »
crowman,
I recommend you do the following:
Download ATF Cleaner by Atribune. Save it to your Desktop.

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Shutdown/restart the computer.
After you have done that, can you try at least two, if not more, of these on-line scans, removing any items that are found:
Panda
TrendMicro
Bit Defender
Kaspersky
Symantec
McAfee
CyberTechHelp
PC Pitstop
Stinger
Also please use one or both of these Trojan scanners:
a2
or download and try
TrojanHunter (Note Trojan Scanner 30 day Trial)
Once you have done that can you clear out your cache folder again ie: Run
CCleaner
(Note in CCleaner: go to >options > advanced > Uncheck "Only delete files in Windows Temp folders older than 48 hours").
Now can you scan for spy/malware, making sure that you do a FULL SCAN using Malwarebytes' Anti-Malware; after running the program you can post the logfile here.
Also can you rescan using HijackThis and post the new log file here, and one of the HJT Team will advise you.

GR@PH;<'S 
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

crowman
Re: Nasty Virus
« Reply #2 on: April 28, 2009, 11:45:16 PM »
Hi GR@PH;<'S. Thank you for your reply. The laptop will not allow access to the internet, so no online scans... tried that.

Here are the logs


Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

28/04/2009 23:51:45
mbam-log-2009-04-28 (23-51-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 81613
Time elapsed: 14 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:34:57, on 28/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [warn default inter for] C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default\that 32.exe
O4 - HKLM\..\Run: [VT100 Emulator] C:\WINDOWS\system32\VT100.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6016 bytes

They seem a bit short. What do you think?


Offline crowman

  • Newbie
  • *
  • Posts: 8
Re: Nasty Virus
« Reply #3 on: April 28, 2009, 11:55:28 PM »
GR@PH;<S, one more thing I forgot to mention. The laptop will not allow internet access, so no online scanners. Getting programs onto the laptop and data off the laptop can only be done via burning discs. I am on my desktop trying to sort this out. Hope this info helps.

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11540
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Nasty Virus
« Reply #4 on: April 29, 2009, 01:01:33 AM »
Hi, crowman.  Welcome to Landzdown Forum!

I am sorry to inform you that your daughter's laptop is severely infected.  In addition to a rootkit, it also has the virus generally referred to as Sality.  Do you have the installation software for the laptop?  If so, a clean wipe and install would be my strong recommendation. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline crowman

  • Newbie
  • *
  • Posts: 8
Re: Nasty Virus
« Reply #5 on: April 29, 2009, 01:19:40 AM »
Hi Corrine. Unfortunately my daughter's laptop came as is. No disc. Reading forums I've heard you're "THE MAN", if you know what I mean, and I'm pleased to meet you, and glad you're on the case. Does this mean it's terminal? If so I guess I will have to tell her to buy a new operating system. I can install that, I was just hoping that (we) could DESTROY this piece of crap.

regards

pat 

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11540
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Nasty Virus
« Reply #6 on: April 29, 2009, 01:30:53 AM »
Hi, Pat.

I honestly cannot guarantee that it can be cleaned.  We can try but may find out that the driver is deleting itself at reboot and running from memory. It will be a big "if".  It is up to you.

Offline crowman

  • Newbie
  • *
  • Posts: 8
Re: Nasty Virus
« Reply #7 on: April 29, 2009, 01:41:36 AM »
Hi Corrine. Thank you for your reply. Is it really that bad?
I've read your posts on other issues including crap like this. Can we fix this or is it terminal?
pat

Offline crowman

  • Newbie
  • *
  • Posts: 8
Re: Nasty Virus
« Reply #8 on: April 29, 2009, 01:48:53 AM »
Corrine. Let's give it a try. What have we to lose??? If it doesn't work, we learn something. What do you say?

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11540
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Nasty Virus
« Reply #9 on: April 29, 2009, 02:11:53 AM »
Ok, Pat.  We'll give it a try.  If the results do not appear successful, have your daughter purchase new software.

As a warning to others:  Please note that all instructions given are customized for this computer only, the tools used may cause damage if used on a computer with different infections.  If you think you have similar problems, please post a log in the HJT forum and wait for help.


Please observe these rules while we work:
  • Please Read All Instructions Carefully
  • If there is something you do not understand, please stop and ask!
  • I suggest you subscribe to this topic so you will know when you have received a reply. (Click the "Notify" button at the top of the thread.)
  • Please do not run any other tools or scans while you are receiving help here.
  • Kindly continue to respond until we can hopefully give you "All Clear". (Just because you can't see a problem doesn't mean it isn't there.)
  • Note that in this particular situation, lengthy research may be involved and I may also want to consult with other members of the team.  Your patience will be appreciated.

Please Note, your security programs may give warnings for some of the tools you will be asked to use.  Be assured, any links provided are safe.

Until internet connectivity is restored to the laptop, please continue to download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Please follow these instructions very carefully:

Download Combofix from any of the links below, and save it to your desktop. For information and instructions regarding this download, please follow the instructions at this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. (This includes Spybot and AVG.)

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a fresh RSIT log for further review.
Note: Do not mouse click the combofix window while it is running. That may cause it to stall. Run ComboFix ONLY one time.

On that note, Pat, I am signing off for the evening and likely will not have an opportunity to fully analyze the situation until tomorrow evening.

Offline crowman

  • Newbie
  • *
  • Posts: 8
Re: Nasty Virus
« Reply #10 on: April 29, 2009, 04:56:36 AM »
Thanks for staying with this. Posting logs. If it's no good (well, we tried).
ComboFix 09-04-27.05 - B's 29/04/2009  5:33.7 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.894.245 [GMT 1:00]
Running from: c:\documents and settings\B's\UserData\A2PVYNG7\My Documents\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090427-0] *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\mta64933.dll

.
(((((((((((((((((((((((((   Files Created from 2009-05-28 to 2009-4-29  )))))))))))))))))))))))))))))))
.

2009-04-28 21:55 . 2009-04-28 21:55   --------   d-----w   c:\documents and settings\B's\Application Data\TrojanHunter
2009-04-28 21:33 . 2009-04-28 21:33   --------   d-----w   c:\program files\TrojanHunter 5.0
2009-04-28 16:02 . 2009-04-28 16:10   --------   d-----w   c:\documents and settings\B's\Local Settings\Application Data\Ahead
2009-04-28 15:55 . 2009-04-28 16:11   --------   d-----w   c:\documents and settings\B's\Application Data\Ahead
2009-04-28 15:54 . 2009-04-28 15:54   --------   d-----w   c:\documents and settings\All Users\Application Data\Ahead
2009-04-28 15:50 . 2009-04-28 15:50   --------   d-----w   c:\program files\Nero
2009-04-28 15:50 . 2009-04-28 15:50   --------   d-----w   c:\documents and settings\All Users\Application Data\Nero
2009-04-28 15:50 . 2009-04-28 15:54   --------   d-----w   c:\program files\Common Files\Ahead
2009-04-28 14:50 . 2009-04-29 04:05   --------   d-----w   C:\rsit
2009-04-27 23:41 . 2009-04-27 23:41   --------   d-----w   c:\documents and settings\B's\Application Data\WinPatrol
2009-04-27 23:41 . 2009-04-27 23:41   --------   d-----w   c:\program files\BillP Studios
2009-04-27 22:56 . 2009-04-27 22:56   --------   d-----w   c:\program files\Enigma Software Group
2009-04-27 20:54 . 2009-04-27 20:54   --------   d-----w   c:\program files\Sophos
2009-04-26 01:47 . 2009-04-26 01:47   --------   d-----w   c:\documents and settings\B's\Application Data\Malwarebytes
2009-04-26 01:47 . 2009-04-06 14:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-04-26 01:47 . 2009-04-06 14:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-26 01:47 . 2009-04-26 01:47   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-26 01:47 . 2009-04-26 02:00   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-04-25 18:08 . 2009-04-25 18:08   --------   d-----w   c:\program files\Trend Micro
2009-04-25 15:14 . 2009-04-29 02:50   --------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 15:13 . 2007-12-10 13:53   29576   ----a-w   c:\windows\system32\drivers\kcom.sys
2009-04-25 15:13 . 2008-02-01 11:55   42376   ----a-w   c:\windows\system32\drivers\ikfilesec.sys
2009-04-25 15:13 . 2007-12-10 13:53   81288   ----a-w   c:\windows\system32\drivers\iksyssec.sys
2009-04-25 15:13 . 2007-12-10 13:53   66952   ----a-w   c:\windows\system32\drivers\iksysflt.sys
2009-04-25 15:12 . 2009-04-25 15:12   --------   d-----w   c:\documents and settings\B's\Application Data\PC Tools
2009-04-25 15:12 . 2009-04-25 15:15   --------   d-----w   c:\program files\Spyware Doctor
2009-04-22 21:29 . 2009-04-22 22:14   --------   d-----w   c:\documents and settings\All Users\Application Data\Time Dead Warn Default
2009-04-17 12:11 . 2009-04-22 21:41   --------   d--h--w   c:\windows\msdownld.tmp
2009-04-09 21:08 . 2009-04-22 16:41   --------   d-----w   c:\documents and settings\B's\Application Data\MailFrontier
2009-04-09 21:06 . 2009-04-29 04:35   42018848   --sha-w   c:\windows\system32\drivers\fidbox.dat
2009-04-09 21:03 . 2009-04-26 00:15   4212   ---ha-w   c:\windows\system32\zllictbl.dat
2009-04-09 21:03 . 2009-02-15 23:10   72584   ----a-w   c:\windows\zllsputility.exe
2009-04-09 21:02 . 2009-02-15 23:10   1221512   ----a-w   c:\windows\system32\zpeng25.dll
2009-04-09 21:02 . 2009-04-24 15:46   --------   d-----w   c:\windows\system32\ZoneLabs
2009-04-09 20:59 . 2009-04-09 20:59   --------   d-----w   c:\program files\Zone Labs
2009-04-09 20:56 . 2009-04-28 23:39   --------   d-----w   c:\windows\Internet Logs
2009-04-09 20:01 . 2009-04-09 20:01   --------   d-----w   c:\program files\CCleaner

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 04:35 . 2009-04-09 21:06   553736   --sha-w   c:\windows\system32\drivers\fidbox.idx
2009-04-28 22:27 . 2009-04-28 22:27   1499966   ----a-w   c:\windows\Internet Logs\tvDebug.Zip
2009-04-27 19:27 . 2004-08-04 01:07   2180992   ---ha-w   c:\windows\system32\ntoskrnl.exe
2009-04-25 23:38 . 2009-04-25 18:38   94204   ----a-w   c:\windows\system32\drivers\56fd6c48.sys
2009-04-25 23:37 . 2009-04-25 23:37   --------   d-----w   c:\program files\Alwil Software
2009-04-25 22:51 . 2009-03-15 14:25   --------   d-----w   c:\program files\Google
2009-04-25 18:48 . 2009-04-25 18:58   8192   ----a-w   c:\windows\Internet Logs\xDB1.tmp
2009-04-25 18:48 . 2009-04-25 18:58   1668608   ----a-w   c:\windows\Internet Logs\xDB2.tmp
2009-04-25 18:48 . 2009-04-25 18:48   1669120   ----a-w   c:\windows\Internet Logs\xDB4E.tmp
2009-04-25 18:48 . 2009-04-25 18:48   13312   ----a-w   c:\windows\Internet Logs\xDB4D.tmp
2009-04-25 18:48 . 2009-04-25 18:48   8192   ----a-w   c:\windows\Internet Logs\xDB4B.tmp
2009-04-25 18:48 . 2009-04-25 18:48   1668608   ----a-w   c:\windows\Internet Logs\xDB4C.tmp
2009-04-25 18:47 . 2009-04-25 18:48   1670144   ----a-w   c:\windows\Internet Logs\xDB4A.tmp
2009-04-25 18:47 . 2009-04-25 18:48   13312   ----a-w   c:\windows\Internet Logs\xDB49.tmp
2009-04-25 18:47 . 2009-04-25 18:47   1669120   ----a-w   c:\windows\Internet Logs\xDB48.tmp
2009-04-25 18:47 . 2009-04-25 18:47   13312   ----a-w   c:\windows\Internet Logs\xDB47.tmp
2009-04-25 18:47 . 2009-04-25 18:47   1669120   ----a-w   c:\windows\Internet Logs\xDB46.tmp
2009-04-25 18:47 . 2009-04-25 18:47   15872   ----a-w   c:\windows\Internet Logs\xDB45.tmp
2009-04-25 18:47 . 2009-04-25 18:47   8192   ----a-w   c:\windows\Internet Logs\xDB43.tmp
2009-04-25 18:47 . 2009-04-25 18:47   1668608   ----a-w   c:\windows\Internet Logs\xDB44.tmp
2009-04-25 18:44 . 2009-04-25 18:47   8192   ----a-w   c:\windows\Internet Logs\xDB41.tmp
2009-04-25 18:44 . 2009-04-25 18:47   1668608   ----a-w   c:\windows\Internet Logs\xDB42.tmp
2009-04-25 18:44 . 2009-04-25 18:44   1668608   ----a-w   c:\windows\Internet Logs\xDB40.tmp
2009-04-25 18:44 . 2009-04-25 18:44   8192   ----a-w   c:\windows\Internet Logs\xDB3F.tmp
2009-04-25 18:44 . 2009-04-25 18:44   1669120   ----a-w   c:\windows\Internet Logs\xDB3E.tmp
2009-04-25 18:44 . 2009-04-25 18:44   14848   ----a-w   c:\windows\Internet Logs\xDB3D.tmp
2009-04-25 18:44 . 2009-04-25 18:44   8192   ----a-w   c:\windows\Internet Logs\xDB3B.tmp
2009-04-25 18:44 . 2009-04-25 18:44   1668608   ----a-w   c:\windows\Internet Logs\xDB3C.tmp
2009-04-25 18:43 . 2009-04-25 18:44   1669120   ----a-w   c:\windows\Internet Logs\xDB3A.tmp
2009-04-25 18:43 . 2009-04-25 18:44   13312   ----a-w   c:\windows\Internet Logs\xDB39.tmp
2009-04-25 18:40 . 2009-04-25 18:43   1669120   ----a-w   c:\windows\Internet Logs\xDB38.tmp
2009-04-25 18:40 . 2009-04-25 18:43   13312   ----a-w   c:\windows\Internet Logs\xDB37.tmp
2009-04-25 18:40 . 2009-04-25 18:40   8192   ----a-w   c:\windows\Internet Logs\xDB35.tmp
2009-04-25 18:40 . 2009-04-25 18:40   1668608   ----a-w   c:\windows\Internet Logs\xDB36.tmp
2009-04-25 18:40 . 2009-04-25 18:40   1669120   ----a-w   c:\windows\Internet Logs\xDB34.tmp
2009-04-25 18:40 . 2009-04-25 18:40   13312   ----a-w   c:\windows\Internet Logs\xDB33.tmp
2009-04-25 18:39 . 2009-04-25 18:40   8192   ----a-w   c:\windows\Internet Logs\xDB31.tmp
2009-04-25 18:39 . 2009-04-25 18:40   1668608   ----a-w   c:\windows\Internet Logs\xDB32.tmp
2009-04-25 18:39 . 2009-04-25 18:39   1668608   ----a-w   c:\windows\Internet Logs\xDB30.tmp
2009-04-25 18:39 . 2009-04-25 18:39   8192   ----a-w   c:\windows\Internet Logs\xDB2F.tmp
2009-04-25 18:39 . 2009-04-25 18:39   8192   ----a-w   c:\windows\Internet Logs\xDB2D.tmp
2009-04-25 18:39 . 2009-04-25 18:39   1668608   ----a-w   c:\windows\Internet Logs\xDB2E.tmp
2009-04-25 18:39 . 2009-04-25 18:39   1698304   ----a-w   c:\windows\Internet Logs\xDB2C.tmp
2009-04-25 18:39 . 2009-04-25 18:39   3208704   ----a-w   c:\windows\Internet Logs\xDB2B.tmp
2009-04-25 18:39 . 2009-04-25 18:39   132608   ------w   c:\windows\system32\VT100.EXE
2009-04-25 18:38 . 2004-08-04 01:07   14336   ----a-w   c:\windows\system32\svchost.exe
2009-04-25 18:38 . 2009-01-25 18:38   74240   --sha-w   c:\windows\system32\norupeze.exe
2009-04-25 13:29 . 2008-08-11 14:21   --------   d--h--w   c:\program files\InstallShield Installation Information
2009-04-24 15:49 . 2009-01-24 15:49   75264   --sha-w   c:\windows\system32\yeneriho.exe
2009-03-15 10:41 . 2009-03-15 10:40   --------   d-----w   c:\program files\FinePixViewer
2009-03-15 10:40 . 2009-03-15 10:40   --------   d-----w   c:\program files\REGSHAVE
2009-03-14 14:28 . 2009-01-27 19:24   --------   d-----w   c:\program files\Huawei Modems
2009-03-14 14:28 . 2009-01-27 19:24   76118   ----a-w   c:\windows\Huawei ModemsUninstall.exe
2009-03-14 14:28 . 2009-03-14 14:28   --------   d-----w   c:\program files\3
.

------- Sigcheck -------

[-] 2004-08-04 01:07   35840   8F6E87027074CD8BACB89A465D1E8BD4   c:\windows\system32\ctfmon.exe
[7] 2004-08-04 01:07   15360   24232996A38C0B0CF151C2140AE29FC8   c:\windows\system32\dllcache\ctfmon.exe

[-] 2004-08-04 01:07   131584   4F11CD12E8B02BC0F9501806F37C5192   c:\windows\system32\wuauclt.exe
[-] 2004-08-04 01:07   131584   4D37FBF9168AD2AABEA8E3C7E72FB9A5   c:\windows\system32\dllcache\wuauclt.exe

[-] 2004-08-04 01:07   45056   F508D42ADBF5B83C9A8A7D62DC3B05F4   c:\windows\system32\userinit.exe
[-] 2004-08-04 01:07   45056   B07707D397B919F60763A5AEAC7582FA   c:\windows\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((   SnapShot@2009-04-28_17.34.44   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 04:37 . 2009-04-29 04:37   16384              c:\windows\Temp\Perflib_Perfdata_2b4.dat
+ 2009-04-29 04:12 . 2009-04-29 04:12   16384              c:\windows\Temp\Perflib_Perfdata_2b0.dat
+ 2009-04-28 21:33 . 2009-04-28 21:33   59392              c:\windows\system32\streamhlp.dll
+ 2009-04-29 04:37 . 2004-08-04 01:07   601088              c:\windows\Temp\mta99467.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 35840]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1688064]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-04-28 396288]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 364544]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 323584]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 73728]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"warn default inter for"="c:\documents and settings\All Users\Application Data\Time Dead Warn Default\that 32.exe" [2009-04-25 739328]
"VT100 Emulator"="c:\windows\system32\VT100.EXE" [2009-04-25 132608]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2009-04-13 1061536]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2008-08-11 2903040]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-08-11 16269824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 35840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-3-14 690736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\ThunMail\testabd.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\VT100.EXE"=

R1 aswsp;avast! Self Protection;

R2 aswfsblk;aswfsblk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 Eventprov;Universal Task;c:\windows\system32\svchost.exe [2009-04-25 14336]
R3 hqghum;hqghum;

R3 MEMSWEEP2;MEMSWEEP2;

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
S1 56fd6c48;56fd6c48;c:\windows\System32\drivers\56fd6c48.sys [2009-04-25 94204]
S2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2007-05-28 10240]
S2 msncache;msncache;c:\windows\system32\svchost.exe [2009-04-25 14336]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
msncache
Eventprov

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5eb04089-67ae-11dd-bf80-001b240f2a51}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa3351c6-eca7-11dd-bfa4-001b240f2a51}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa3351c8-eca7-11dd-bfa4-001b240f2a51}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\B's\Application Data\Mozilla\Firefox\Profiles\p8fzlohm.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 05:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(276)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3048)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-29  5:40 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-29 04:40
ComboFix2.txt  2009-04-29 04:14
ComboFix3.txt  2009-04-29 04:02
ComboFix4.txt  2009-04-29 03:17

Pre-Run: 72,622,743,552 bytes free
Post-Run: 72,613,892,096 bytes free

Logfile of random's system information tool 1.06 (written by random/random)
Run by B's at 2009-04-29 05:20:39
Microsoft Windows XP Professional Service Pack 2
System drive C: has 69 GB (93%) free of 75 GB
Total RAM: 894 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:20:40, on 29/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\B's\UserData\A2PVYNG7\My Documents\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\B's.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [warn default inter for] C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default\that 32.exe
O4 - HKLM\..\Run: [VT100 Emulator] C:\WINDOWS\system32\VT100.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5349 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2008-08-11 2903040]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-08-11 16269824]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-12-11 364544]
"Media Codec Update Service"=C:\Program Files\Essentials Codec Pack\update.exe [2007-04-08 323584]
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE [2002-02-04 73728]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"SpyHunter Security Suite"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2009-04-02 868352]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-04-20 337216]
"warn default inter for"=C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default\that 32.exe [2009-04-25 739328]
"VT100 Emulator"=C:\WINDOWS\system32\VT100.EXE [2009-04-25 132608]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"THGuard"=C:\Program Files\TrojanHunter 5.0\THGuard.exe [2009-04-13 1061536]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 35840]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1688064]
"HijackThis startup scan"=C:\Program Files\Trend Micro\HijackThis\HijackThis.exe [2009-04-28 396288]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Update Agent.lnk - C:\Program Files\3\3Connect\AutoUpdateSrv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\progra~1\ThunMail\testabd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-08-11 47104]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\VT100.EXE"="C:\WINDOWS\system32\VT100.EXE:*:Enabled:VT100 Emulator"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5eb04089-67ae-11dd-bf80-001b240f2a51}]
shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa3351c6-eca7-11dd-bfa4-001b240f2a51}]
shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa3351c8-eca7-11dd-bfa4-001b240f2a51}]
shell\AutoRun\command - F:\AutoRun.exe


======File associations======

.ini - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-04-29 05:15:52 ----SHD---- C:\RECYCLER
2009-04-29 05:14:29 ----A---- C:\ComboFix.txt
2009-04-29 05:07:59 ----D---- C:\ComboFix
2009-04-28 22:55:37 ----D---- C:\Documents and Settings\B's\Application Data\TrojanHunter
2009-04-28 22:33:05 ----R---- C:\WINDOWS\system32\streamhlp.dll
2009-04-28 22:33:04 ----D---- C:\Program Files\TrojanHunter 5.0
2009-04-28 18:23:33 ----A---- C:\WINDOWS\zip.exe
2009-04-28 18:23:33 ----A---- C:\WINDOWS\vFind.exe
2009-04-28 18:23:33 ----A---- C:\WINDOWS\SWREG.exe
2009-04-28 18:23:33 ----A---- C:\WINDOWS\sed.exe
2009-04-28 18:23:33 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-28 18:23:33 ----A---- C:\WINDOWS\grep.exe
2009-04-28 18:23:32 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-28 18:23:32 ----A---- C:\WINDOWS\SWSC.exe
2009-04-28 18:23:23 ----D---- C:\WINDOWS\ERDNT
2009-04-28 18:22:44 ----D---- C:\Qoobox
2009-04-28 16:55:26 ----D---- C:\Documents and Settings\B's\Application Data\Ahead
2009-04-28 16:54:51 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
2009-04-28 16:50:30 ----D---- C:\Program Files\Nero
2009-04-28 16:50:30 ----D---- C:\Program Files\Common Files\Ahead
2009-04-28 16:50:30 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
2009-04-28 16:49:32 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2009-04-28 16:49:30 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2009-04-28 15:50:36 ----D---- C:\rsit
2009-04-28 00:41:59 ----D---- C:\Documents and Settings\B's\Application Data\WinPatrol
2009-04-28 00:41:50 ----D---- C:\Program Files\BillP Studios
2009-04-27 23:56:04 ----D---- C:\Program Files\Enigma Software Group
2009-04-27 23:50:17 ----A---- C:\WINDOWS\wininit.ini
2009-04-27 21:54:42 ----D---- C:\Program Files\Sophos
2009-04-26 19:14:40 ----D---- C:\WINDOWS\system32\appmgmt
2009-04-26 02:47:33 ----D---- C:\Documents and Settings\B's\Application Data\Malwarebytes
2009-04-26 02:47:26 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-26 02:47:26 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-26 00:37:45 ----A---- C:\WINDOWS\system32\MSVCP71.dll
2009-04-26 00:37:45 ----A---- C:\WINDOWS\system32\MFC71.dll
2009-04-26 00:37:45 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-04-26 00:37:43 ----D---- C:\Program Files\Alwil Software
2009-04-25 19:39:18 ----N---- C:\WINDOWS\system32\VT100.EXE
2009-04-25 19:08:13 ----D---- C:\Program Files\Trend Micro
2009-04-25 16:14:25 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-04-25 16:12:53 ----D---- C:\Program Files\Spyware Doctor
2009-04-25 16:12:53 ----D---- C:\Documents and Settings\B's\Application Data\PC Tools
2009-04-25 13:35:33 ----D---- C:\WINDOWS\pss
2009-04-22 22:29:08 ----D---- C:\Documents and Settings\All Users\Application Data\Time Dead Warn Default
2009-04-17 13:11:55 ----HD---- C:\WINDOWS\msdownld.tmp
2009-04-09 22:08:06 ----D---- C:\Documents and Settings\B's\Application Data\MailFrontier
2009-04-09 22:03:31 ----A---- C:\WINDOWS\zllsputility.exe
2009-04-09 22:03:11 ----A---- C:\WINDOWS\system32\vsregexp.dll
2009-04-09 22:02:58 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2009-04-09 22:02:58 ----A---- C:\WINDOWS\system32\zlcomm.dll
2009-04-09 22:02:51 ----A---- C:\WINDOWS\system32\vswmi.dll
2009-04-09 22:02:49 ----A---- C:\WINDOWS\system32\zpeng25.dll
2009-04-09 22:02:49 ----A---- C:\WINDOWS\system32\vsxml.dll
2009-04-09 22:02:48 ----D---- C:\WINDOWS\system32\ZoneLabs
2009-04-09 22:02:48 ----A---- C:\WINDOWS\system32\vspubapi.dll
2009-04-09 22:02:48 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2009-04-09 22:01:54 ----A---- C:\WINDOWS\system32\vsutil.dll
2009-04-09 22:01:54 ----A---- C:\WINDOWS\system32\vsinit.dll
2009-04-09 22:01:54 ----A---- C:\WINDOWS\system32\vsdata.dll
2009-04-09 21:59:40 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-04-09 21:59:36 ----HDC---- C:\WINDOWS\$NtUninstallKB943232$
2009-04-09 21:59:22 ----D---- C:\Program Files\Zone Labs
2009-04-09 21:56:59 ----D---- C:\WINDOWS\Internet Logs
2009-04-09 21:01:39 ----D---- C:\Program Files\CCleaner

======List of files/folders modified in the last 1 months======

2009-04-29 05:14:32 ----D---- C:\WINDOWS\system32\drivers
2009-04-29 05:14:32 ----D---- C:\WINDOWS\system32
2009-04-29 05:14:31 ----D---- C:\WINDOWS\Temp
2009-04-29 05:14:31 ----D---- C:\WINDOWS
2009-04-29 05:13:34 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-29 05:12:52 ----A---- C:\WINDOWS\system.ini
2009-04-29 05:09:20 ----D---- C:\WINDOWS\AppPatch
2009-04-29 05:09:17 ----D---- C:\Program Files\Common Files
2009-04-29 05:08:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-29 05:07:59 ----D---- C:\WINDOWS\Prefetch
2009-04-29 04:10:22 ----RD---- C:\Program Files
2009-04-28 18:31:33 ----D---- C:\WINDOWS\system32\config
2009-04-28 16:59:47 ----SHD---- C:\WINDOWS\Installer
2009-04-28 16:59:47 ----D---- C:\WINDOWS\WinSxS
2009-04-28 16:49:33 ----D---- C:\WINDOWS\system32\DirectX
2009-04-28 16:49:32 ----HD---- C:\WINDOWS\inf
2009-04-28 16:28:51 ----D---- C:\Documents and Settings\B's\Application Data\uTorrent
2009-04-28 15:35:23 ----D---- C:\Program Files\Mozilla Firefox
2009-04-27 21:03:05 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-27 20:28:46 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-04-27 20:27:51 ----AH---- C:\WINDOWS\system32\ntoskrnl.exe
2009-04-26 04:01:16 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
2009-04-25 23:51:32 ----D---- C:\Program Files\Google
2009-04-25 23:51:32 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-04-25 23:40:11 ----D---- C:\WINDOWS\SoftwareDistribution
2009-04-25 23:39:36 ----SD---- C:\WINDOWS\Tasks
2009-04-25 22:34:09 ----SHD---- C:\System Volume Information
2009-04-25 22:34:09 ----D---- C:\WINDOWS\system32\Restore
2009-04-25 19:38:32 ----A---- C:\WINDOWS\system32\svchost.exe
2009-04-25 19:38:22 ----ASH---- C:\WINDOWS\system32\norupeze.exe
2009-04-25 16:14:13 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-25 15:54:59 ----SH---- C:\boot.ini
2009-04-25 15:54:59 ----A---- C:\WINDOWS\win.ini
2009-04-25 14:29:14 ----HD---- C:\Program Files\InstallShield Installation Information
2009-04-24 16:49:40 ----ASH---- C:\WINDOWS\system32\yeneriho.exe
2009-04-22 23:57:11 ----D---- C:\Program Files\Messenger
2009-04-20 21:56:09 ----D---- C:\WINDOWS\system32\Macromed
2009-04-20 18:07:22 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-09 21:50:19 ----D---- C:\WINDOWS\Debug
2009-04-06 18:05:22 ----D---- C:\WINDOWS\Help
2009-04-04 23:48:34 ----D---- C:\Documents and Settings\B's\Application Data\MSNInstaller

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 56fd6c48;56fd6c48; C:\WINDOWS\System32\drivers\56fd6c48.sys [2009-04-26 94204]
R1 aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\aavmker4.sys [2009-02-05 26944]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 KLIF;KLIF; C:\WINDOWS\System32\DRIVERS\klif.sys [2008-12-11 148496]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R2 aswmon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswmon2.sys [2009-02-05 94032]
R2 mdvrmng;Mobile IP Route Manager; \??\C:\WINDOWS\system32\drivers\mdvrmng.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-08-11 1414656]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-08-11 4304384]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
S1 aswsp;avast! Self Protection; C:\WINDOWS\system32\drivers\aswsp.sys [2009-02-05 114768]
S1 aswtdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswtdi.sys [2009-02-05 51376]
S1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
S2 aswfsblk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 aswrdr;aswRdr; C:\WINDOWS\system32\drivers\aswrdr.sys [2009-02-05 23152]
S3 catchme;catchme; \??\C:\DOCUME~1\B's\LOCALS~1\Temp\catchme.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 hqghum;hqghum; \??\C:\WINDOWS\system32\01.tmp []
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2008-03-17 101376]
S3 IKFileSec;File Security Driver; C:\WINDOWS\system32\drivers\ikfilesec.sys [2008-02-01 42376]
S3 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2007-12-10 66952]
S3 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2007-12-10 81288]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\2.tmp []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\SE27bus.sys [2006-05-15 61600]
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys [2006-05-15 9360]
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\SE27mdm.sys [2006-05-15 97184]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswupdsv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-08-11 393216]
R2 avast! antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 msncache;msncache; C:\WINDOWS\system32\svchost.exe [2009-04-25 14336]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S2 Eventprov;Universal Task; C:\WINDOWS\system32\svchost.exe [2009-04-25 14336]
S2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
S3 avast! mail scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
S3 avast! web scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-09-17 800040]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-03-04 948616]

-----------------EOF-----------------

Online Corrine

Re: Nasty Virus
« Reply #11 on: April 29, 2009, 11:40:26 AM »
Pat,

I need to see what is happening.  Please don't keep running ComboFix or any other tools unless requested.  Now that you have run ComboFix so many times, the log from the first run is no longer available for me to see what CF found. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Online Corrine

Re: Nasty Virus
« Reply #12 on: April 30, 2009, 01:00:45 AM »
Hi, Pat. 

I am sorry, but the news is not good.  When I first started looking at the log this evening, I thought there was a possibility, until I saw additional evidence of a rootkit and then the worst news.  Just to be certain I wasn't over-reacting, I consulted another member of the security community.  He confirmed my decision.

Your daughter's laptop is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if there is an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up any documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:  http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

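An added example, not code from the thread or from any of the tools named in it: a small backup triage script that applies the rules in the post above when copying personal data off an infected machine. Plain .exe/.scr files are skipped, .zip archives are opened and skipped if any member is .exe/.scr (.cab/.rar are skipped unopened, since the standard library cannot read them), and htm/html/asp/php files are kept but flagged for review. The sample folder it builds is constructed for the demo.

```python
# Added example, not from the thread: triage files for backup under the rules
# in the post above. The sample tree below is constructed for the demo.
import os
import tempfile
import zipfile

EXEC_EXT = {".exe", ".scr"}        # Virut appends itself to these
ARCHIVE_EXT = {".zip", ".cab", ".rar"}
WEB_EXT = {".htm", ".html", ".asp", ".php"}  # modified by recent variants


def zip_contains_executable(path):
    """True if any member of the zip is named .exe/.scr at any depth."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(os.path.splitext(n)[1].lower() in EXEC_EXT
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: do not copy it


def classify(path):
    """Return 'copy', 'skip' or 'review' for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXEC_EXT:
        return "skip"
    if ext in ARCHIVE_EXT:
        # only .zip can be inspected with the stdlib; .cab/.rar are skipped unopened
        ok = ext == ".zip" and not zip_contains_executable(path)
        return "copy" if ok else "skip"
    return "review" if ext in WEB_EXT else "copy"


def plan_backup(root):
    """Walk root and bucket every file (path relative to root) by decision."""
    plan = {"copy": [], "skip": [], "review": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            plan[classify(full)].append(os.path.relpath(full, root))
    return {k: sorted(v) for k, v in plan.items()}


def build_sample_tree(root):
    """Constructed sample data: a small user folder with mixed content."""
    os.makedirs(os.path.join(root, "docs"))
    for rel, data in [("docs/essay.doc", b"constructed document"),
                      ("setup.exe", b"MZ constructed"),
                      ("page.html", b"<html>constructed</html>")]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("holiday.jpg", b"constructed jpeg")
    with zipfile.ZipFile(os.path.join(root, "games.zip"), "w") as zf:
        zf.writestr("game/run.exe", b"MZ constructed")


def demo():
    """Build the sample tree in a temp dir and return the backup plan."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return plan_backup(root)
```

Calling demo() returns the three buckets; point plan_backup() at a real profile folder to get the list of what to copy, what to leave behind, and what to look at by hand.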

Offline Paddy

Re: Nasty Virus
« Reply #13 on: May 01, 2009, 12:15:08 AM »
It’s sad you’ve not been able to get sorted here with Corrine’s help; it's not that often I’ve seen her unable to help.
But please be aware the sort of virus you had on that computer (Virut) is, and usually comes with, p2p programs > keygens > cracks.


I can see signs of this, which in itself is p2p. Though you might have inherited it, seeing as it’s a second-hand laptop.
C:\Documents and Settings\B's\Desktop\utorrent.exe"="C:\Documents and Settings\B's\Desktop\utorrent.exe:*:Enabled:µTorrent"


Paddy..
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Offline crowman

Re: Nasty Virus
« Reply #14 on: May 01, 2009, 06:54:29 PM »
Hi Corrine. Hi Paddy.

I sincerely thank you for your help. So a clean install is my next task. I suspected P2P myself. I was obviously wasting my breath over the years, teaching her about email attachments, .exe files, dodgy add-ons, etc.

I was fortunate to find you after finding a referral to you, on a similar topic on Gardenweb. I can only hope she has learnt something from this. I certainly have.

Once again, thanks for your time & assistance.

Pat