Hi, these are my scans.
SUPERAntiSpyware
SUPERAntiSpyware Scan Log
Generated 07/13/2009 at 00:57 AM
Application Version : 4.26.1006
Core Rules Database Version : 3988
Trace Rules Database Version: 1928
Scan type : Complete Scan
Total Scan Time : 02:30:52
Memory items scanned : 205
Memory threats detected : 0
Registry items scanned : 4975
Registry threats detected : 0
File items scanned : 54318
File threats detected : 0
ComboFix
ComboFix 09-07-12.03 - HP_Administrator 13/07/2009 17:39.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.511.192 [GMT 1:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\Data
c:\windows\system32\Data\CTP0359W.DAT
D:\Autorun.inf
K:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.
2009-07-13 11:22 . 2009-07-13 11:22 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-07-13 11:22 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 11:22 . 2009-07-13 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 11:22 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 11:22 . 2009-07-13 11:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 11:19 . 2009-07-12 17:02 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-13 11:18 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-13 11:18 . 2008-10-16 13:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-12 21:20 . 2009-07-12 21:24 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-12 21:20 . 2009-07-12 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-12 21:19 . 2009-07-12 21:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-12 21:19 . 2009-07-12 21:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-07-12 21:19 . 2009-07-12 21:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-12 21:07 . 2004-08-03 22:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-07-12 21:07 . 2004-08-03 22:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-07-12 21:06 . 2004-08-03 21:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-07-12 21:06 . 2004-08-03 21:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-07-12 20:30 . 2009-07-13 16:46 -------- d-----w- c:\documents and settings\HP_Administrator\Tracing
2009-07-12 20:27 . 2009-07-12 20:27 -------- d-----w- c:\program files\Microsoft
2009-07-12 20:26 . 2009-07-12 20:26 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-12 20:26 . 2009-07-12 20:27 -------- d-----w- c:\program files\Windows Live
2009-07-12 20:23 . 2009-07-12 20:23 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-12 19:50 . 2009-07-12 19:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sonic
2009-07-12 19:49 . 2009-07-12 19:49 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Leadertech
2009-07-12 17:09 . 2009-07-13 16:06 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-12 17:08 . 2009-07-12 17:08 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-07-12 17:02 . 2009-07-12 17:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-12 17:02 . 2009-07-12 17:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-12 17:02 . 2009-07-12 17:02 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-12 17:02 . 2009-07-12 17:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-12 17:02 . 2009-07-13 11:20 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-12 17:02 . 2009-07-12 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-12 17:02 . 2009-07-12 17:02 -------- d-----w- c:\program files\AVG
2009-07-12 17:02 . 2009-07-12 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-12 16:30 . 2009-07-12 16:30 -------- d-----w- c:\windows\Sun
2009-07-12 13:24 . 2009-07-12 13:24 -------- d-----w- c:\program files\MSXML 4.0
2009-07-12 13:19 . 2009-07-13 11:46 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-12 13:16 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-12 13:16 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-07-12 13:16 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-12 13:15 . 2009-02-06 17:22 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-12 13:15 . 2009-02-06 17:24 2180480 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-12 13:15 . 2009-02-06 16:49 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-12 13:15 . 2009-02-06 16:49 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-12 13:06 . 2008-07-09 07:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-12 13:06 . 2009-07-13 11:46 -------- d--h--w- c:\windows\$hf_mig$
2009-07-11 23:41 . 2009-07-11 23:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Media Player Classic
2009-07-11 22:08 . 2009-07-11 22:08 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\COMODO
2009-07-11 21:47 . 2009-07-11 21:47 0 ----a-w- c:\windows\nsreg.dat
2009-07-11 21:47 . 2009-07-11 21:47 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Mozilla
2009-07-11 21:47 . 2009-07-11 21:47 -------- d-----w- c:\program files\uTorrent
2009-07-11 21:46 . 2009-07-13 16:46 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-07-11 21:46 . 2009-07-11 21:46 -------- d-----w- c:\windows\system32\LogFiles
2009-07-11 21:46 . 2009-07-11 21:46 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-07-11 20:50 . 2009-07-12 20:29 18392 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-11 20:41 . 2004-08-03 17:48 159744 ----a-w- c:\windows\system32\igfxres.dll
2009-07-11 20:38 . 2009-03-19 15:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-11 20:38 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-11 20:38 . 2009-07-11 20:38 -------- d-----w- c:\program files\iPod
2009-07-11 20:38 . 2009-07-11 20:38 -------- d-----w- c:\program files\iTunes
2009-07-11 19:36 . 2009-07-11 19:37 -------- d-----w- c:\windows\I386
2009-07-11 19:31 . 2009-07-13 11:22 -------- d-----r- C:\Program Files
2009-07-11 19:31 . 2009-07-12 20:26 -------- d-----r- c:\documents and settings\All Users\Documents
2009-07-11 19:29 . 2009-07-12 21:07 -------- dcsh--r- c:\windows\system32\dllcache
2009-07-11 19:06 . 2004-08-10 04:00 1744 -c--a-w- c:\windows\system32\dllcache\sound.drv
2009-07-11 19:05 . 2008-06-12 14:16 91648 -c--a-w- c:\windows\system32\dllcache\mtxoci.dll
2009-07-11 19:04 . 2009-03-21 14:18 986112 -c--a-w- c:\windows\system32\dllcache\kernel32.dll
2009-07-11 19:03 . 2004-08-10 04:00 57344 -c--a-w- c:\windows\system32\dllcache\dpwsockx.dll
2009-07-11 18:59 . 2004-08-10 04:00 84992 -c--a-w- c:\windows\system32\dllcache\avifil32.dll
2009-07-11 18:58 . 2004-08-10 04:00 331264 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2009-07-11 13:22 . 2009-07-11 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-11 13:22 . 2009-07-11 13:22 -------- d-----w- c:\program files\Bonjour
2009-07-11 13:21 . 2009-07-11 20:37 -------- d-----w- c:\program files\QuickTime
2009-07-11 13:20 . 2009-07-11 20:38 -------- dc----w- c:\windows\system32\DRVSTORE
2009-07-11 13:20 . 2009-06-05 10:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-11 13:20 . 2009-06-05 10:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-11 13:20 . 2009-07-11 20:38 -------- d-----w- c:\program files\Common Files\Apple
2009-07-11 13:01 . 2009-07-13 16:44 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000003-00000000-00000004-00001102-00000004-20051102}.dat
2009-07-11 13:01 . 2009-07-13 16:44 384 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000004-00001102-00000004-20051102}.dat
2009-07-11 13:01 . 2004-10-05 04:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-07-11 13:01 . 2004-10-05 03:22 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2009-07-11 13:01 . 2004-10-05 03:22 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2009-07-11 13:01 . 2002-01-01 07:28 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-07-11 13:01 . 2003-09-19 00:47 10368 ------w- c:\windows\system32\drivers\pfc.sys
2009-07-11 13:01 . 2003-09-10 22:36 21060 ------w- c:\windows\system32\drivers\iviaspi.sys
2009-07-11 13:00 . 2009-07-11 13:00 -------- d-----w- c:\program files\Common Files\InterVideo
2009-07-11 13:00 . 2004-08-11 11:01 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll
2009-07-11 13:00 . 2004-08-11 11:01 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll
2009-07-11 13:00 . 2004-08-11 11:01 188416 ----a-w- c:\windows\system32\IVIresizePX.dll
2009-07-11 13:00 . 2004-08-11 11:01 20480 ----a-w- c:\windows\system32\IVIresize.dll
2009-07-11 13:00 . 2004-08-11 11:01 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll
2009-07-11 13:00 . 2004-08-11 11:01 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll
2009-07-11 13:00 . 2009-07-11 13:00 -------- d-----w- c:\program files\InterVideo
2009-07-11 12:57 . 2009-07-11 12:57 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Apple
2009-07-11 12:57 . 2009-07-11 12:57 -------- d-----w- c:\program files\Apple Software Update
2009-07-11 12:57 . 2009-07-11 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-11 12:57 . 2009-07-11 12:57 -------- d-----w- c:\windows\system32\Win9X
2009-07-11 12:57 . 2009-07-11 13:20 -------- d-----w- c:\program files\Creative
2009-07-11 12:57 . 2009-07-11 12:57 -------- d-----w- c:\program files\ATI Technologies
2009-07-11 12:56 . 2004-05-01 00:37 172032 ----a-w- c:\windows\system32\NVUninst.exe
2009-07-11 12:55 . 2009-07-12 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-07-11 12:55 . 2009-07-12 13:22 86976 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-07-11 12:55 . 2009-07-12 13:22 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-07-11 12:55 . 2009-07-12 13:22 179792 ----a-w- c:\windows\system32\guard32.dll
2009-07-11 12:55 . 2009-07-12 13:22 132040 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-07-11 12:55 . 2009-07-11 12:55 -------- d-----w- c:\program files\COMODO
2009-07-11 12:55 . 2004-10-05 03:22 -------- d-----w- c:\documents and settings\Default User\WINDOWS
2009-07-11 12:53 . 2009-07-13 16:45 181 ----a-w- c:\windows\system\hpsysdrv.DAT
2009-07-11 12:48 . 2009-07-11 12:48 -------- d-s---w- c:\documents and settings\HP_Administrator\UserData
2009-07-11 12:42 . 2004-08-03 21:58 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-07-11 12:40 . 2004-08-03 23:56 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-07-11 12:40 . 2009-07-11 12:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Creative
2009-07-11 12:40 . 2004-08-03 23:56 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-07-11 12:40 . 2004-08-03 22:08 60288 ----a-w- c:\windows\system32\drivers\drmk.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 21:09 . 2004-10-05 02:55 104237 ----a-w- c:\windows\hpoins04.dat
2009-07-11 20:37 . 2004-10-05 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-11 13:09 . 2002-01-01 07:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-11 13:03 . 2002-01-01 07:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-11 13:03 . 2009-07-11 13:03 4228 --sha-r- c:\windows\system32\drivers\HP_PN121AA-ABU m1180.uk_YW_Pavi_QCZB443_E44GBsyEPF2_4_IPuffer_SASUSTeK Computer INC._V1.xx_B3.06_T040827_WXP2_L409_M512_J160_7Intel_8Pentium 4_93.2_111063044_N10EC8139_P_Z_K_A44440016_U80862658_G10025B60.MRK
2009-07-11 13:00 . 2004-10-05 03:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-11 13:00 . 2004-10-05 03:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-05 12:57 . 2009-06-05 12:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-07 15:44 . 2009-07-11 19:05 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2009-07-11 19:07 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2009-07-11 19:04 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2009-07-11 19:07 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2009-07-11 19:06 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2005-04-06 14:28 . 2009-07-11 19:37 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-11 288048]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-10-05 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-26 339968]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-07-12 1793808]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-12 1948440]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-11-14 24576]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2003-06-21 49152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-12 17:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/07/2009 18:02 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/07/2009 18:02 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [11/07/2009 13:55 132040]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/07/2009 13:55 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/07/2009 18:02 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/07/2009 18:02 298776]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [13/07/2009 12:22 38160]
S3 PRISM_A00;Intersil PRISM 802.11a/g Driver;c:\windows\system32\drivers\PCTELSAP.SYS [05/10/2004 03:30 350282]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
.
Contents of the 'Scheduled Tasks' folder
2009-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-IS CfgWiz - c:\program files\Common Files\Symantec Shared\cfgwiz.exe
HKU-Default-RunOnce-StartMS - c:\program files\Creative\Shared Files\Media Sniffer\StartMS.EXE
HKU-Default-RunOnce-CMSRegOW.exe - c:\program files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\x03re8bp.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-13 17:46
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\msi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\windows\system32\browselc.dll
c:\program files\HP\Digital Imaging\bin\HPDTLK02.dll
c:\program files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
.
************************************************************************
.
Completion time: 2009-07-13 17:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 16:48
Pre-Run: 102,702,112,768 bytes free
Post-Run: 102,709,125,120 bytes free
337 --- E O F --- 2009-07-12 18:38
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:52:29, on 13/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AVG\AVG8\avgui.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo! Search Marketing UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! Search Marketing UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = myAOL | HP
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = myAOL | HP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 7080 bytes
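The HijackThis log above lists load points in a fixed one-entry-per-line format, which makes it straightforward to pull out the entry types a reviewer looks at first. What follows is an added example, not part of the original post and not code from HijackThis, ComboFix or any of the other tools: a small Python triage script over HijackThis-style lines. The sample lines are constructed (most mirror entries from the log above; the R1 search URL uses an invented host on the reserved .invalid domain), the allow-list of default-page hosts is an assumption, and every flag is a generic review heuristic, not a finding about this machine.

```python
"""Triage helper for HijackThis-style log lines (added example, not the poster's
or any vendor's code). Flags the load-point types a reviewer checks first."""
import re
from dataclasses import dataclass

# One HijackThis entry per line: "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] target".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# ASSUMPTION: hosts an OEM/vendor IE start or search page normally points at.
# Any other host on an R0/R1 line is flagged for a human to confirm.
KNOWN_DEFAULT_HOSTS = {
    "www.google.com", "www.msn.com", "www.bing.com",
    "ie.redirect.hp.com", "uk.yhs.search.yahoo.com",
}

# Constructed sample in HijackThis format. The O2/O4/O20/O23 lines mirror entries
# in the log above; the R1 URL is invented (reserved .invalid TLD).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.example.invalid/?q=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Finding:
    line_no: int
    code: str
    target: str
    reason: str


def _host(url: str):
    """Hostname of an http(s) URL, or None. Also accepts ComboFix's defanged hxxp form."""
    m = re.match(r"h(?:tt|xx)ps?://([^/\s]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def _exe_of(target: str) -> str:
    """Executable part of an O4 value: strip surrounding quotes and trailing arguments."""
    t = target.strip()
    if t.startswith('"'):
        return t[1:].split('"', 1)[0]
    return t.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Return Findings for the entries worth a second look, in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            # "<registry value> = <url>": flag start/search URLs outside the assumed defaults.
            _, sep, url = body.partition(" = ")
            host = _host(url) if sep else None
            if host and host not in KNOWN_DEFAULT_HOSTS:
                findings.append(Finding(n, code, host,
                    "IE start/search URL points outside the assumed vendor defaults"))
        elif code in ("O2", "O3") and body.endswith("(no file)"):
            # CLSID still registered as a BHO/toolbar but its DLL is gone: dangling entry.
            parts = body.split(" - ")
            clsid = parts[-2].strip() if len(parts) > 1 else body
            findings.append(Finding(n, code, clsid,
                "BHO/toolbar registration with no file on disk; dangling, safe to remove"))
        elif code == "O4":
            # "HKLM\..\Run: [name] target": a bare file name is resolved through the
            # process search order at logon, so confirm which file actually runs.
            _, _, rest = body.partition("] ")
            exe = _exe_of(rest)
            if exe and "\\" not in exe and "/" not in exe:
                findings.append(Finding(n, code, exe,
                    "Run entry without a full path; resolved via search order, confirm the file"))
        elif code == "O20":
            # AppInit_DLLs load into every user32-linked process; Winlogon Notify DLLs
            # load into winlogon.exe as SYSTEM. Either one deserves a publisher check.
            findings.append(Finding(n, code, body.split(": ", 1)[-1],
                "DLL injected system-wide or into winlogon; verify publisher and signature"))
        elif code == "O23" and " - Unknown owner - " in body:
            # HijackThis prints the binary's CompanyName; "Unknown owner" means it has none.
            findings.append(Finding(n, code, body.rsplit(" - ", 1)[-1],
                "service binary has no company name in its version info; check its signature"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.code:<4} {f.target}\n        {f.reason}")
```

Run as a script it prints one line per flagged entry. The two rules you would tune for a given environment are the R0/R1 host allow-list and the bare-filename check on O4 entries; the O2 "(no file)", O20 and O23 "Unknown owner" rules are the same ones a log reviewer applies by eye. Nothing here decides whether a machine is clean; it only orders what to look at first.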