
Active BHO Trojan

Discussion in 'Malware and Virus Removal Archive' started by Sir J Savile, 2009/04/09.

  1. 2009/04/09
    Sir J Savile

    Sir J Savile Inactive Thread Starter

    Joined:
    2009/04/09
    Messages:
    9
    Likes Received:
    0
    [Active] BHO Trojan

    Some weeks ago my computer picked up a virus of some sort which disabled Windows Update. I ran SUPERAntiSpyware, which seemed to remove it, but every so often AVG will tell me it has found an infected file if the computer is left dormant for a while, and occasionally it will bleep with the error sound. I wish I could tell you more, but I'm really not knowledgeable about these things.

    My DDS Log


    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Robin Dufton at 14:04:08.00 on 09/04/2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.403 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE
    C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Robin Dufton\Desktop\dds.pif

    ============== Pseudo HJT Report ===============

    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\userinit32.exe,
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\progra~1\wi1f86~1\messen~1\msnmsgr.exe" /background
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [\\IAN\EPSON Stylus C48 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i091.exe /p29 "\\ian\EPSON Stylus C48 Series" /O6 "USB001" /M "Stylus C48"
    mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart17.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232639890171
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnOIYsr

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-22 325128]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-22 27656]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-22 298264]
    R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
    S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

    =============== Created Last 30 ================

    2009-04-09 13:53 <DIR> --d----- c:\program files\trend micro
    2009-04-02 17:12 <DIR> --dsh--- c:\windows\system32\mac32
    2009-04-02 17:12 65,536 a------- c:\windows\system32\~.exe
    2009-03-24 16:57 <DIR> --d----- c:\program files\Microsoft Xbox 360 Accessories
    2009-03-24 16:47 <DIR> --d----- c:\program files\XBCD
    2009-03-24 16:30 <DIR> --d----- c:\windows\system32\appmgmt
    2009-03-24 13:29 68,888 a------- c:\windows\system32\xinput1_3.dll
    2009-03-24 13:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
    2009-03-24 13:19 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
    2009-03-24 13:19 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2009-03-24 13:15 <DIR> --d----- c:\program files\rFactor
    2009-03-17 22:09 168,448 a------- c:\windows\system32\unrar.dll
    2009-03-17 22:09 <DIR> --d----- c:\program files\K-Lite Codec Pack

    ==================== Find3M ====================

    2009-02-10 16:47 10,520 a------- c:\windows\system32\avgrsstx.dll
    2009-02-10 16:47 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
    2009-01-22 17:57 315,392 a------- c:\windows\HideWin.exe
    2009-01-22 17:53 414,134 a--sh--- c:\windows\system32\rsYIOnmp.ini2
    2009-01-22 17:25 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-01-22 16:17 21,640 a------- c:\windows\system32\emptyregdb.dat

    ============= FINISH: 14:04:27.59 ===============
     
  2. 2009/04/09
    Sir J Savile

    Attach


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 22/01/2009 15:22:52
    System Uptime: 04/09/2009 12:21:00 (-3550 hours ago)

    Motherboard: Foxconn | | 45GM/45CM/45CM-S
    Processor: Intel(R) Celeron(R) CPU E1200 @ 1.60GHz | Socket 775 | 1595/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 136.723 GiB free.
    D: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 22/01/2009 16:34:26 - System Checkpoint
    RP2: 22/01/2009 16:34:26 - Installed Microsoft Office Enterprise 2007
    RP3: 22/01/2009 16:34:26 - Printer Driver Send To Microsoft OneNote Driver Installed
    RP4: 22/01/2009 16:34:26 - Software Distribution Service 3.0
    RP5: 22/01/2009 16:34:27 - Software Distribution Service 3.0
    RP6: 22/01/2009 16:34:27 - Installed REALTEK GbE & FE Ethernet PCI NIC Driver
    RP7: 22/01/2009 16:34:30 - Last known good configuration
    RP8: 22/01/2009 16:35:06 - Installed Adobe Reader 7.0.7
    RP9: 22/01/2009 16:42:07 - Removed REALTEK GbE & FE Ethernet PCI NIC Driver
    RP10: 22/01/2009 16:49:14 - Installed SUPERAntiSpyware Free Edition
    RP11: 22/01/2009 16:58:01 - Installed Realtek High Definition Audio Driver
    RP12: 22/01/2009 16:59:10 - Installed REALTEK GbE & FE Ethernet PCI NIC Driver
    RP13: 22/01/2009 17:09:51 - Software Distribution Service 3.0
    RP14: 22/01/2009 17:39:32 - Installed AVG Free 8.0
    RP15: 22/01/2009 17:45:37 - Installed DirectX 9.0
    RP16: 22/01/2009 17:48:17 - Installed AutoCAD 2007 - English
    RP17: 25/01/2009 16:21:44 - Avg8 Update
    RP18: 25/01/2009 16:42:30 - Installed Sentinel Protection Installer 7.4.0
    RP19: 25/01/2009 18:21:24 - Software Distribution Service 3.0
    RP20: 26/01/2009 19:09:41 - System Checkpoint
    RP21: 10/02/2009 15:46:36 - Avg8 Update
    RP22: 10/02/2009 15:47:51 - Avg8 Update
    RP23: 11/02/2009 19:09:27 - System Checkpoint
    RP24: 12/02/2009 11:42:43 - Software Distribution Service 3.0
    RP25: 13/02/2009 19:01:01 - Avg8 Update
    RP26: 20/02/2009 22:12:44 - System Checkpoint
    RP27: 25/02/2009 19:40:41 - Software Distribution Service 3.0
    RP28: 04/03/2009 14:48:36 - Avg8 Update
    RP29: 05/03/2009 18:36:48 - System Checkpoint
    RP30: 11/03/2009 12:26:42 - Software Distribution Service 3.0
    RP31: 13/03/2009 17:52:05 - System Checkpoint
    RP32: 15/03/2009 12:50:51 - Software Distribution Service 3.0
    RP33: 17/03/2009 16:49:53 - Avg8 Update
    RP34: 17/03/2009 16:51:24 - Avg8 Update
    RP35: 20/03/2009 18:43:34 - System Checkpoint
    RP36: 24/03/2009 12:16:31 - Installed DirectX
    RP37: 24/03/2009 12:19:11 - Installed Windows XP Wdf01005.
    RP38: 24/03/2009 12:29:51 - Installed DirectX
    RP39: 24/03/2009 15:29:56 - Removed Microsoft Xbox 360 Accessories 1.1
    RP40: 24/03/2009 15:57:26 - Installed DirectX
    RP41: 26/03/2009 16:57:59 - Avg8 Update
    RP42: 31/03/2009 16:01:01 - System Checkpoint
    RP43: 02/04/2009 16:39:29 - System Checkpoint
    RP44: 03/04/2009 17:34:31 - System Checkpoint

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0.7
    ArtCAM 2008
    AutoCAD 2007 - English
    Autodesk DWF Viewer
    AVG Free 8.0
    Choice Guard
    Critical Update for Windows Media Player 11 (KB959772)
    Delcam Exchange540103 (remove only)
    ffdshow [rev 610] [2006-12-01]
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Intel(R) Graphics Media Accelerator Driver
    K-Lite Codec Pack 4.7.0 (Standard)
    Microsoft .NET Framework 2.0
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Xbox 360 Accessories 1.1
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    OpenTTD 0.7.0
    REALTEK GbE & FE Ethernet PCI NIC Driver
    Realtek High Definition Audio Driver
    rFactor (remove only)
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Segoe UI
    Sentinel Protection Installer 7.4.0
    SUPERAntiSpyware Free Edition
    Transport Tycoon Deluxe
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb962871)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    XBCD 1.07

    ==== End Of File ===========================
     


  4. 2009/04/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Sir J Savile
    Welcome to WindowsBBS

    Please do this.

    • Please go to Jotti's malware scan
    • Copy and paste the following file paths, one at a time, into the "File to upload & scan" box at the top of the page:
      • c:\windows\system32\rsYIOnmp.ini2
      • d:\fxdrv32.sys
    • Click on the submit button
    • Please post the results in your next reply.

    Please also give me the file path of the file that SAS found.

    Thanks
    Geri
     
  5. 2009/04/12
    Sir J Savile

    When I tried to scan d:\fxdrv32.sys it came up with an error message saying the file was 0 bytes or malware may be preventing it from being uploaded.

    This is the result of the scan for c:\windows\system32\rsYIOnmp.ini2

    File: rsYIOnmp.ini2
    Status: INFECTED/MALWARE
    MD5: 412aa3dbc48d469b821175d44e25bfd8
    Packers detected: -

    Scanner results
    Scan taken on 12 Apr 2009 21:16:09 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found Win32/Adware.Virtumonde.NEO~datafile application
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Quick Heal Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    These are all files picked up from AVG's history.

    "Infection"; "Trojan horse BHO.HDT"; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003827.dll"; ""; "05/03/2009, 20:15:52"

    "Infection"; "Trojan horse BHO.HDT"; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003828.dll"; ""; "06/03/2009, 18:43:57"

    "Infection"; "Trojan horse BHO.HDT"; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003829.dll"; ""; "17/03/2009, 18:47:39"

    "Infection"; "Trojan horse Adload_r.HC"; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003830.dll"; ""; "17/03/2009, 21:19:08"

    "Infection"; "Trojan horse BHO.HDT"; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003831.dll"; ""; "25/03/2009, 14:22:23"

    "Infection"; "Trojan horse SHeur2.XPE"; "C:\Documents and Settings\Robin Dufton\Local Settings\Temp\pdfupd.exe"; ""; "30/03/2009, 01:27:50"

    "Infection"; "Virus found Win32/PolyCrypt"; "C:\Documents and Settings\Robin Dufton\Local Settings\Temp\wJQs.exe"; ""; "01/04/2009, 13:57:41"

    "Infection"; "Trojan horse BHO.HDT"; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003832.dll"; ""; "03/04/2009, 16:09:31"

    "Infection"; "Trojan horse BHO.HDT"; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003833.dll"; ""; "03/04/2009, 18:32:56"

    "Infection"; "Trojan horse BHO.HDT"; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003834.dll"; ""; "03/04/2009, 19:09:44"

    "Infection"; "Trojan horse PSW.Generic7.CIA"; "C:\WINDOWS\system32\userinit32.exe"; ""; "05/04/2009, 02:32:05"

    "Infection"; "Trojan horse SHeur2.ZVH"; "C:\Documents and Settings\Robin Dufton\Local Settings\Temp\pdfupd.exe"; ""; "08/04/2009, 17:49:40"

    "Infection"; "Trojan horse SHeur2.ZVH"; "C:\Documents and Settings\Robin Dufton\Local Settings\Temporary Internet Files\Content.IE5\TTNYTN1U\1[1].exe"; ""; "09/04/2009, 13:49:52"
     
  6. 2009/04/12
    Geri Lifetime Subscription

    Hi
    The System Volume Information ones will not cause any problems unless you do a system restore.

    OK please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Thanks
    Geri
     
  7. 2009/04/13
    Sir J Savile

    Done.

    ComboFix 09-04-13.A2 - Robin Dufton 2009-04-13 13:59.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.632 [GMT 1:00]
    Running from: c:\documents and settings\Robin Dufton\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\~.exe
    c:\windows\system32\rsYIOnmp.ini
    c:\windows\system32\rsYIOnmp.ini2
    c:\windows\system32\rxaopkwd.ini
    c:\windows\Tasks\fucwmhtr.job

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
    .

    2009-04-09 12:53 . 2009-04-09 12:53 -------- d-----w C:\rsit
    2009-04-02 16:12 . 2009-04-04 23:37 -------- d-sh--w c:\windows\system32\mac32
    2009-03-24 12:29 . 2006-09-28 16:04 68888 ----a-w c:\windows\system32\xinput1_3.dll
    2009-03-24 12:19 . 2009-03-24 12:19 -------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
    2009-03-24 12:19 . 2009-03-24 12:19 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
    2009-03-24 12:19 . 2009-03-24 12:19 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2009-03-17 21:09 . 2008-09-16 19:23 168448 ----a-w c:\windows\system32\unrar.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-09 12:53 . 2009-04-09 12:53 -------- d-----w c:\program files\trend micro
    2009-03-29 20:08 . 2009-01-22 16:49 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-03-24 15:57 . 2009-03-24 15:57 -------- d-----w c:\program files\Microsoft Xbox 360 Accessories
    2009-03-24 15:47 . 2009-03-24 15:47 -------- d-----w c:\program files\XBCD
    2009-03-24 12:16 . 2009-03-24 12:15 -------- d-----w c:\program files\rFactor
    2009-03-17 21:09 . 2009-03-17 21:09 -------- d-----w c:\program files\K-Lite Codec Pack
    2009-03-11 12:27 . 2009-01-22 15:52 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-18 17:39 . 2009-02-18 17:39 -------- d-----w c:\program files\OpenTTD
    2009-02-10 15:47 . 2009-01-22 17:39 10520 ----a-w c:\windows\system32\avgrsstx.dll
    2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-01-26 19:53 . 2009-01-26 19:53 0 ----a-w C:\labels.csv
    2009-01-22 18:17 . 2009-01-22 15:28 100800 ----a-w c:\documents and settings\Robin Dufton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-01-22 16:57 . 2009-01-22 16:57 315392 ----a-w c:\windows\HideWin.exe
    2009-01-22 16:25 . 2009-01-22 15:19 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-01-22 16:19 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
    2009-01-22 15:17 . 2009-01-22 15:17 21640 ----a-w c:\windows\system32\emptyregdb.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-20 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-20 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-20 138008]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-10 1601304]
    "\\IAN\EPSON Stylus C48 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE" [2005-05-16 99840]
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
    "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 11000]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-02-10 16:47 10520 c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    R3 FXDrv32;FXDrv32; [x]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-10 325128]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-29 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-10 298264]
    S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2007-04-27 316992]

    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-13 14:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(616)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(3712)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-13 14:06 - machine was rebooted [Robin Dufton]
    ComboFix-quarantined-files.txt 2009-04-13 13:06

    Pre-Run: 146,784,632,832 bytes free
    Post-Run: 147,360,489,472 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    137 --- E O F --- 2009-03-15 12:52
     
  8. 2009/04/13
    Sir J Savile

  9. 2009/04/13
    Sir J Savile

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-20 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-20 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-20 138008]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-10 1601304]
    "\\IAN\EPSON Stylus C48 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE" [2005-05-16 99840]
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
    "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 11000]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-02-10 16:47 10520 c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe "=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe "=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE "=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=

    R3 FXDrv32;FXDrv32; [x]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-10 325128]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-29 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-10 298264]
    S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2007-04-27 316992]

    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-13 14:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
     
  10. 2009/04/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Code:
    Driver::
    FXDrv32 
    Please post the Combofix log.

    Let me know how things are running.

    Geri
     
    Geri,
    #9
  11. 2009/04/19
    Sir J Savile

    Sir J Savile Inactive Thread Starter

    Joined:
    2009/04/09
    Messages:
    9
    Likes Received:
    0
    Done. AVG is still occasionally popping up with the window saying it has found a threat though, or is it still a long way from being removed?

    ComboFix 09-04-16.02 - Robin Dufton 16/04/2009 14:29.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.620 [GMT 1:00]
    Running from: c:\documents and settings\Robin Dufton\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Robin Dufton\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FXDRV32
    -------\Service_FXDrv32


    ((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
    .

    2009-04-15 15:22 . 1998-01-23 11:22 304128 ----a-w c:\windows\IsUninst.exe
    2009-04-15 15:22 . 2009-04-15 15:22 -------- d-----w c:\documents and settings\Robin Dufton\WINDOWS
    2009-04-15 12:42 . 2009-04-15 12:42 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2009-04-14 20:07 . 2009-04-14 20:07 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2009-04-14 20:07 . 2009-04-14 20:07 -------- d-----w c:\documents and settings\Robin Dufton\Local Settings\Application Data\Google
    2009-04-14 20:06 . 2009-04-15 23:03 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-04-09 12:53 . 2009-04-09 12:53 -------- d-----w C:\rsit
    2009-04-02 16:12 . 2009-04-04 23:37 -------- d-sh--w c:\windows\system32\mac32
    2009-03-24 12:29 . 2006-09-28 16:04 68888 ----a-w c:\windows\system32\xinput1_3.dll
    2009-03-24 12:19 . 2009-03-24 12:19 -------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
    2009-03-24 12:19 . 2009-03-24 12:19 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
    2009-03-24 12:19 . 2009-03-24 12:19 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2009-03-17 21:09 . 2008-09-16 19:23 168448 ----a-w c:\windows\system32\unrar.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-15 15:22 . 2009-04-15 15:22 -------- d-----w c:\program files\Maxis
    2009-04-14 20:08 . 2009-04-14 20:06 -------- d-----w c:\program files\Google
    2009-04-09 12:53 . 2009-04-09 12:53 -------- d-----w c:\program files\trend micro
    2009-03-29 20:08 . 2009-01-22 16:49 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-03-24 15:57 . 2009-03-24 15:57 -------- d-----w c:\program files\Microsoft Xbox 360 Accessories
    2009-03-24 15:47 . 2009-03-24 15:47 -------- d-----w c:\program files\XBCD
    2009-03-24 12:16 . 2009-03-24 12:15 -------- d-----w c:\program files\rFactor
    2009-03-17 21:09 . 2009-03-17 21:09 -------- d-----w c:\program files\K-Lite Codec Pack
    2009-03-11 12:27 . 2009-01-22 15:52 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-18 17:39 . 2009-02-18 17:39 -------- d-----w c:\program files\OpenTTD
    2009-02-10 15:47 . 2009-01-22 17:39 10520 ----a-w c:\windows\system32\avgrsstx.dll
    2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-01-26 19:53 . 2009-01-26 19:53 0 ----a-w C:\labels.csv
    2009-01-22 18:17 . 2009-01-22 15:28 100800 ----a-w c:\documents and settings\Robin Dufton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-01-22 16:57 . 2009-01-22 16:57 315392 ----a-w c:\windows\HideWin.exe
    2009-01-22 16:25 . 2009-01-22 15:19 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-01-22 16:19 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
    2009-01-22 15:17 . 2009-01-22 15:17 21640 ----a-w c:\windows\system32\emptyregdb.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-13_14.05.26.35 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-04-14 20:08 . 2009-04-14 20:08 25214 c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
    + 2009-04-14 20:08 . 2009-04-14 20:08 25214 c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2009-04-14 20:08 . 2009-04-14 20:08 25214 c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2009-04-14 20:08 . 2009-04-14 20:08 25214 c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
    + 2009-04-14 20:08 . 2009-04-14 20:08 25214 c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
    + 2008-09-05 23:29 . 2009-03-10 21:18 934792 c:\windows\system32\WgaTray.exe
    + 2008-09-05 23:30 . 2009-03-10 21:18 239496 c:\windows\system32\WgaLogon.dll
    + 2008-09-05 23:29 . 2009-03-10 21:18 934792 c:\windows\system32\dllcache\WgaTray.exe
    + 2008-09-05 23:30 . 2009-03-10 21:18 239496 c:\windows\system32\dllcache\wgaLogon.dll
    + 2009-04-15 15:22 . 1998-01-23 11:22 304128 c:\windows\IsUninst.exe
    + 2009-04-14 20:08 . 2009-04-14 20:08 363246 c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\ARPPRODUCTICON.exe
    - 2009-04-13 13:01 . 2005-10-20 19:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
    + 2009-04-16 13:32 . 2005-10-20 19:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
    + 2008-03-20 18:06 . 2009-03-10 21:18 1482112 c:\windows\system32\LegitCheckControl.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-14 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2007-04-20 142104]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2007-04-20 162584]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2007-04-20 138008]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-10 1601304]
    "\\IAN\EPSON Stylus C48 Series "= "c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE" [2005-05-16 99840]
    "XboxStat "= "c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
    "RTHDCPL "= "RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-02-10 15:47 10520 ----a-w c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe "=
    "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe "=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE "=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=

    R2 gupdate1c9bd3caacc3c6e;Google Update Service (gupdate1c9bd3caacc3c6e);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 133104]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-10 325128]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-29 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-10 298264]
    S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2007-04-27 316992]

    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-14 20:06]

    2009-04-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 20:07]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-16 14:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(616)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(3044)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-16 14:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-16 13:37
    ComboFix2.txt 2009-04-13 13:06

    Pre-Run: 146,518,540,288 bytes free
    Post-Run: 146,908,467,200 bytes free

    163 --- E O F --- 2009-04-14 14:05
     
  12. 2009/04/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Can you give me a file path where AVG is finding it?

    Thanks
    Geri
     
  13. 2009/04/21
    Sir J Savile

    Sir J Savile Inactive Thread Starter

    Joined:
    2009/04/09
    Messages:
    9
    Likes Received:
    0
    The first one is before I ran ComboFix, as in post #9, so is probably nothing to worry about. The second one though is the day after and has pretty much the same file name.

    "Infection "; "Trojan horse BHO.HDT "; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003835.dll ";" "; "14/04/2009, 18:26:08 "

    "Infection "; "Trojan horse Generic12.ATVF "; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003836.dll ";" "; "17/04/2009, 19:12:58 "
     
    Last edited: 2009/04/21
  14. 2009/04/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please do this.

    Click Start > Run. In the run box, copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.
    Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. If they weren't please delete them manually.

    After that run AVG and let me know if you get the warning.

    Thanks
    Geri
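A defender-side triage of the AVG entries quoted in post #13 and the restore-point explanation in the post above (an added example, not part of this thread and not code from AVG or ComboFix): it splits AVG's quoted-field lines, parses the day/month/year timestamp, and flags hits whose path lies inside a Windows XP restore point, which is why clearing System Restore clears them. The third sample line and its path are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample input: the two AVG lines posted above (with the stray
# spaces inside the quotes exactly as the forum rendered them) plus one
# hypothetical detection on a live path so both triage outcomes appear.
SAMPLE_LOG = r'''
"Infection "; "Trojan horse BHO.HDT "; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003835.dll ";" "; "14/04/2009, 18:26:08 "
"Infection "; "Trojan horse Generic12.ATVF "; "C:\System Volume Information\_restore{818E5C0A-F77A-4429-A3B1-083E2E3BCAEE}\RP10\A0003836.dll ";" "; "17/04/2009, 19:12:58 "
"Infection "; "Trojan horse Generic12.ATVF "; "C:\WINDOWS\system32\hypothetical.dll ";" "; "17/04/2009, 19:13:10 "
'''

# Windows XP keeps restore-point copies under
# <drive>:\System Volume Information\_restore{GUID}\RPnn\A00nnnnn.<ext>
RESTORE_POINT_RE = re.compile(
    r'^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\',
    re.IGNORECASE,
)
FIELD_RE = re.compile(r'"([^"]*)"')


@dataclass
class Detection:
    kind: str
    threat: str
    path: str
    detected_at: datetime
    restore_point: Optional[str]  # "RP10" when the hit is a restore-point copy

    @property
    def in_restore_point(self) -> bool:
        return self.restore_point is not None

    def verdict(self) -> str:
        if self.in_restore_point:
            return ("inert copy inside System Restore %s: not running; "
                    "clear restore points rather than chase the file" % self.restore_point)
        return "live file: needs removal and a rescan"


def parse_line(line: str) -> Optional[Detection]:
    """Split one AVG-style line into its quoted fields; return None if it is not one."""
    fields = [f.strip() for f in FIELD_RE.findall(line)]
    if len(fields) < 5 or fields[0] != "Infection":
        return None
    kind, threat, path, _, stamp = fields[:5]
    # AVG wrote day/month/year here (the 17/04/2009 entry rules out month-first)
    when = datetime.strptime(stamp, "%d/%m/%Y, %H:%M:%S")
    m = RESTORE_POINT_RE.match(path)
    return Detection(kind, threat, path, when, m.group(1) if m else None)


def triage(log_text: str) -> List[Detection]:
    """Parse every detection line in the log, skipping anything that is not one."""
    return [d for d in (parse_line(l) for l in log_text.splitlines()) if d]


def live_hits(dets: List[Detection]) -> List[Detection]:
    """The only detections worth further cleanup: those outside restore points."""
    return [d for d in dets if not d.in_restore_point]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(d.detected_at, d.threat, "->", d.verdict())
```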
     
  15. 2009/04/22
    Sir J Savile

    Sir J Savile Inactive Thread Starter

    Joined:
    2009/04/09
    Messages:
    9
    Likes Received:
    0
    Did exactly that and AVG didn't find anything this time. Is that everything sorted now?
     
  16. 2009/04/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Yes, that should have taken care of it.

    Any other problems?

    Geri
     
