
Solved Can't Remove Trojan.agent & backdoor.bot

Discussion in 'Malware and Virus Removal Archive' started by stan1622, 2009/02/27.

  1. 2009/03/02
    Juliet

    Xpress, to avoid confusion please start your own thread to receive help, ty.

    stan1622, a couple of things we need to do.

    Go to My Computer->Tools->Folder Options->View tab:

    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal


    • Click the Browse button and search for the following file: C:\Qoobox\Quarantine\c\docume~1\STAN\APPLIC~1\MACROM~1\Common\9a6ee0141.dll
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned -- click "reanalyze now"

    Please also have the following file scanned:
    C:\Qoobox\Quarantine\c\documents and settings\NetworkService\Application Data\Macromedia\Common\9a6ee0141.dll



    NEXT**
    Please download RegQuery by Noviciate to your desktop
    • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
      • [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    • Double click RegQuery.exe to run the program
    • Paste the text you have copied, using CTRL and V, into the textbox
    • Click the Query button
    • A Notepad file will open. Please paste the contents in your next reply
    • You may now close the RegQuery program


    In your next reply post:
    Requested file scanned info
    RegQuery log
     
  2. 2009/03/02
    stan1622

    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.02 -
    AhnLab-V3 5.0.0.2 2009.02.27 -
    AntiVir 7.9.0.98 2009.03.02 -
    Authentium 5.1.0.4 2009.03.02 -
    Avast 4.8.1335.0 2009.03.02 -
    AVG 8.0.0.237 2009.03.01 -
    BitDefender 7.2 2009.03.02 -
    CAT-QuickHeal 10.00 2009.03.02 -
    ClamAV 0.94.1 2009.03.02 -
    Comodo 986 2009.02.20 -
    DrWeb 4.44.0.09170 2009.03.02 -
    eSafe 7.0.17.0 2009.03.02 -
    eTrust-Vet 31.6.6380 2009.03.02 -
    F-Prot 4.4.4.56 2009.03.02 -
    F-Secure 8.0.14470.0 2009.03.02 -
    Fortinet 3.117.0.0 2009.03.02 -
    GData 19 2009.03.02 -
    Ikarus T3.1.1.45.0 2009.03.02 -
    K7AntiVirus 7.10.654 2009.03.02 -
    Kaspersky 7.0.0.125 2009.03.02 -
    McAfee 5540 2009.03.01 -
    McAfee+Artemis 5540 2009.03.01 -
    Microsoft 1.4306 2009.03.02 -
    NOD32 3901 2009.03.02 -
    Norman 6.00.06 2009.03.02 -
    nProtect 2009.1.8.0 2009.03.02 -
    Panda 10.0.0.10 2009.03.02 -
    PCTools 4.4.2.0 2009.03.02 -
    Prevx1 V2 2009.03.02 Medium Risk Malware
    Rising 21.19.02.00 2009.03.02 -
    SecureWeb-Gateway 6.7.6 2009.03.02 -
    Sophos 4.39.0 2009.03.02 Troj/Agent-IYV
    Sunbelt 3.2.1858.2 2009.03.02 -
    Symantec 10 2009.03.02 -
    TheHacker 6.3.2.6.268 2009.03.01 -
    TrendMicro 8.700.0.1004 2009.03.02 -
    VBA32 3.12.10.1 2009.03.01 -
    ViRobot 2009.3.2.1630 2009.03.02 -
    VirusBuster 4.5.11.0 2009.03.02 -
    Additional information
    File size: 64512 bytes
    MD5...: aead38fe5e9ce28fb26321f16e54024a
    SHA1..: 5d68873fffe37cd37083a4ff9db2cbe3063f5fcd
    SHA256: fa21754923552b96a2c212d698805914f834d7513217ae5454e888a5b429985a
    SHA512: 1a48bc45569620e9814188afeafd4a82c8690105bb8f6db6d694f83d9a593e24905765aedfb53f8fbf1a19dc833ba325294fd7e118274ba6d57a3726a92d8265
    ssdeep: 1536:YidZoAnAcISKgDQM0oLX7CVR1XBnzO9epLySvIT6zBMEoZ:Yv5YKgDQdoLX7CVRJBzO9+ySTjo

    PEiD..: Armadillo v1.xx - v2.xx
    TrID..: File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0xc0d1
    timedatestamp.....: 0x49a7a97c (Fri Feb 27 08:51:08 2009)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0xe492 0xe600 6.15 85b0ddd9b6407a5d7ea97af48c3f1cf6
    .rsrc 0x10000 0x358 0x400 2.91 d5960b6dde3fb6db93e30cf727b8bbaa
    .reloc 0x11000 0xd9c 0xe00 6.38 490b135350f5cabc0b12780187dc2954

    ( 1 imports )
    > KERNEL32.dll: GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, TlsGetValue, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, HeapFree, WriteFile, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapAlloc, GetCPInfo, GetACP, GetOEMCP, VirtualAlloc, HeapReAlloc, GetProcAddress, LoadLibraryA, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, RtlUnwind

    ( 0 exports )

    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=12AA42B3008D75F8FCB20091AB1DD2003C666154
    ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=aead38fe5e9ce28fb26321f16e54024a
    CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=aead38fe5e9ce28fb26321f16e54024a




    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.02 -
    AhnLab-V3 5.0.0.2 2009.02.27 -
    AntiVir 7.9.0.98 2009.03.02 -
    Authentium 5.1.0.4 2009.03.02 -
    Avast 4.8.1335.0 2009.03.02 -
    AVG 8.0.0.237 2009.03.01 -
    BitDefender 7.2 2009.03.02 -
    CAT-QuickHeal 10.00 2009.03.02 -
    ClamAV 0.94.1 2009.03.02 -
    Comodo 986 2009.02.20 -
    DrWeb 4.44.0.09170 2009.03.02 -
    eSafe 7.0.17.0 2009.03.02 -
    eTrust-Vet 31.6.6380 2009.03.02 -
    F-Prot 4.4.4.56 2009.03.02 -
    F-Secure 8.0.14470.0 2009.03.02 -
    Fortinet 3.117.0.0 2009.03.02 -
    GData 19 2009.03.02 -
    Ikarus T3.1.1.45.0 2009.03.02 -
    K7AntiVirus 7.10.654 2009.03.02 -
    Kaspersky 7.0.0.125 2009.03.02 -
    McAfee 5540 2009.03.01 -
    McAfee+Artemis 5540 2009.03.01 -
    Microsoft 1.4306 2009.03.02 -
    NOD32 3901 2009.03.02 -
    Norman 6.00.06 2009.03.02 -
    nProtect 2009.1.8.0 2009.03.02 -
    Panda 10.0.0.10 2009.03.02 -
    PCTools 4.4.2.0 2009.03.02 -
    Prevx1 V2 2009.03.02 Medium Risk Malware
    Rising 21.19.02.00 2009.03.02 -
    SecureWeb-Gateway 6.7.6 2009.03.02 -
    Sophos 4.39.0 2009.03.02 Troj/Agent-IYV
    Sunbelt 3.2.1858.2 2009.03.02 -
    Symantec 10 2009.03.02 -
    TheHacker 6.3.2.6.268 2009.03.01 -
    TrendMicro 8.700.0.1004 2009.03.02 -
    VBA32 3.12.10.1 2009.03.01 -
    ViRobot 2009.3.2.1630 2009.03.02 -
    VirusBuster 4.5.11.0 2009.03.02 -
    Additional information
    File size: 64512 bytes
    MD5...: aead38fe5e9ce28fb26321f16e54024a
    SHA1..: 5d68873fffe37cd37083a4ff9db2cbe3063f5fcd
    SHA256: fa21754923552b96a2c212d698805914f834d7513217ae5454e888a5b429985a
    SHA512: 1a48bc45569620e9814188afeafd4a82c8690105bb8f6db6d694f83d9a593e24905765aedfb53f8fbf1a19dc833ba325294fd7e118274ba6d57a3726a92d8265
    ssdeep: 1536:YidZoAnAcISKgDQM0oLX7CVR1XBnzO9epLySvIT6zBMEoZ:Yv5YKgDQdoLX7CVRJBzO9+ySTjo

    PEiD..: Armadillo v1.xx - v2.xx
    TrID..: File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0xc0d1
    timedatestamp.....: 0x49a7a97c (Fri Feb 27 08:51:08 2009)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0xe492 0xe600 6.15 85b0ddd9b6407a5d7ea97af48c3f1cf6
    .rsrc 0x10000 0x358 0x400 2.91 d5960b6dde3fb6db93e30cf727b8bbaa
    .reloc 0x11000 0xd9c 0xe00 6.38 490b135350f5cabc0b12780187dc2954

    ( 1 imports )
    > KERNEL32.dll: GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, TlsGetValue, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, HeapFree, WriteFile, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapAlloc, GetCPInfo, GetACP, GetOEMCP, VirtualAlloc, HeapReAlloc, GetProcAddress, LoadLibraryA, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, RtlUnwind

    ( 0 exports )

    ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=aead38fe5e9ce28fb26321f16e54024a
    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=12AA42B3008D75F8FCB20091AB1DD2003C666154
    CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=aead38fe5e9ce28fb26321f16e54024a



    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "vidc.I420"="msh263.drv"
    "vidc.iv31"="ir32_32.dll"
    "vidc.iv32"="ir32_32.dll"
    "vidc.iyuv"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "vidc.uyvy"="msyuv.dll"
    "vidc.yuy2"="msyuv.dll"
    "vidc.yvu9"="tsbyuv.dll"
    "vidc.yvyu"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
    "vidc.iv41"="ir41_32.ax"
    "msacm.iac2"="iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "wave"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "aux"="wdmaud.drv"
    "wave3"="wdmaud.drv"
    "wave4"="wdmaud.drv"
    "mixer3"="wdmaud.drv"
    "aux2"="wdmaud.drv"
    "wave5"="wdmaud.drv"
    "mixer4"="wdmaud.drv"
    "aux3"="wdmaud.drv"
    "Midi"="wdmaud.drv"
    "wave1"="wdmaud.drv"
    "midi1"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "aux1"="wdmaud.drv"
    "midi2"="wdmaud.drv"
    "wave2"="wdmaud.drv"
    "mixer2"="wdmaud.drv"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"
     

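The drivers32 key requested above is checked because malware can register itself there as a fake audio/video codec that gets loaded by every process using the multimedia APIs. The following is an added example (not RegQuery's code and not from the thread) that parses a regedit-style export like the one posted and flags entries that do not look like stock codecs: a full path outside the system directory, an unexpected extension, or a value name Windows does not normally use. The sample export is constructed from the posted format, with one hypothetical entry ("midi9") added so the check has something to report; the system directory path is an assumption.

```python
"""Parse a regedit/RegQuery export and triage the drivers32 key (added example)."""
import re
from typing import Dict, List, Tuple

DRIVERS32 = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
SYSTEM_DIR = r"C:\WINDOWS\system32"           # assumed system directory
CODEC_EXTS = {".dll", ".drv", ".acm", ".ax"}  # extensions used by stock entries
# Value names Windows itself uses under drivers32 (midi/wave/mixer/aux may be
# numbered, e.g. wave3); anything else deserves a second look.
STOCK_NAME = re.compile(
    r"^(msacm\.\w+|vidc\.\w+|midimapper|wavemapper|(midi|wave|mixer|aux)\d*)$", re.I)

# Constructed sample in the export format posted in the thread, plus ONE
# hypothetical entry ("midi9") pointing into a user profile so that the check
# flags something. Regedit writes backslashes inside strings as "\\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.msg711"="msg711.acm"
"vidc.cvid"="iccvid.dll"
"wavemapper"="msacm32.drv"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi9"="C:\\Documents and Settings\\USER\\Application Data\\example.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"EnableMP3Codec"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# Tolerates the stray spaces around "=" that forum rendering adds to exports.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')

Value = Tuple[str, object]  # (kind, payload): ("string", str) or ("dword", int)


def parse_value(raw: str) -> Value:
    """Decode one regedit value: quoted string (with \\ and \" escapes) or dword."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        body, out, i = raw[1:-1], [], 0
        while i < len(body):
            if body[i] == "\\" and i + 1 < len(body):  # escaped char: keep the next one
                out.append(body[i + 1])
                i += 2
            else:
                out.append(body[i])
                i += 1
        return ("string", "".join(out))
    if raw.lower().startswith("dword:"):
        return ("dword", int(raw[6:], 16))
    return ("raw", raw)  # hex(...) and friends are left undecoded


def parse_reg(text: str) -> Dict[str, List[Tuple[str, Value]]]:
    """Map each [key] in the export to its list of (value name, decoded value)."""
    keys: Dict[str, List[Tuple[str, Value]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, [])
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            keys[current].append((val.group(1).strip(), parse_value(val.group(2))))
    return keys


def triage_drivers32(keys: Dict[str, List[Tuple[str, Value]]],
                     system_dir: str = SYSTEM_DIR) -> List[Tuple[str, str, str]]:
    """Return (name, target, reason) for drivers32 entries that look non-standard."""
    findings = []
    entries = next((v for k, v in keys.items() if k.lower() == DRIVERS32.lower()), [])
    for name, (kind, payload) in entries:
        if kind != "string":
            continue
        target = str(payload).strip()
        if not STOCK_NAME.match(name):
            findings.append((name, target, "value name is not a standard drivers32 entry"))
        if "\\" in target:
            # Stock codecs that use a full path live in the system directory.
            if target.rsplit("\\", 1)[0].lower() != system_dir.lower():
                findings.append((name, target, "full path outside the system directory"))
        elif target[target.rfind("."):].lower() not in CODEC_EXTS:
            findings.append((name, target, "unexpected extension for a codec/driver"))
    return findings


if __name__ == "__main__":
    for name, target, reason in triage_drivers32(parse_reg(SAMPLE_REG)):
        print(f"{name:20} {target}\n{'':20} -> {reason}")
```

Bare file names (the normal case) are resolved through the system search order, so only full paths are compared against the system directory; a bare name that is not actually present in system32 still needs a manual look.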

  4. 2009/03/02
    Juliet

    Welcome back and thank you for the logs.

    Panda returned saying the file below is infected. It's odd that it says it's located on the desktop?
    C:\Documents and Settings\STAN\Desktop\a.exe <--you know what this is?


    Locate ComboFix on your desktop
    Right click and select delete, I want you to download an updated version.

    Download Combofix from any of the links below.

    Save it to your desktop.

    Link 1
    Link 2
    Link 3


    ---------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.


    In your next reply post:
    ComboFix.txt
    new HJT log


    Also, give me an update on how the computer is at the moment.
     
  5. 2009/03/02
    stan1622

    ComboFix 09-03-02.01 - STAN 2009-03-02 13:57:58.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.84 [GMT -5:00]
    Running from: c:\documents and settings\STAN\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    FW: COMODO Firewall *enabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
    .

    2009-03-01 18:00 . 2009-03-01 19:02 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-03-01 15:36 . 2009-03-01 15:36 107,272 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
    2009-03-01 15:36 . 2009-03-01 15:36 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
    2009-03-01 15:35 . 2009-03-01 15:44 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
    2009-03-01 15:35 . 2009-03-01 15:35 <DIR> d-------- c:\program files\AVG
    2009-03-01 15:35 . 2009-03-01 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-03-01 15:35 . 2009-03-01 15:35 325,128 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
    2009-03-01 14:51 . 2009-03-01 14:51 <DIR> d-------- c:\program files\COMODO
    2009-03-01 14:51 . 2009-03-01 14:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
    2009-03-01 14:51 . 2009-03-01 14:51 155,384 --a------ c:\windows\SYSTEM32\guard32.dll
    2009-03-01 14:51 . 2009-03-01 14:51 110,992 --a------ c:\windows\SYSTEM32\DRIVERS\cmdguard.sys
    2009-03-01 14:51 . 2009-03-01 14:51 24,336 --a------ c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys
    2009-03-01 14:15 . 2009-03-01 14:15 99,480 --a------ c:\windows\SYSTEM32\GDIPFONTCACHEV1.DAT
    2009-03-01 14:09 . 2009-03-01 14:09 <DIR> d-------- c:\program files\Alwil Software
    2009-03-01 13:29 . 2009-03-01 13:29 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
    2009-02-28 23:53 . 2009-02-28 23:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-28 23:53 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2009-02-28 23:53 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
    2009-02-27 18:51 . 2008-06-19 16:24 28,544 --a------ c:\windows\SYSTEM32\DRIVERS\pavboot.sys
    2009-02-27 18:50 . 2009-02-27 18:50 <DIR> d-------- c:\program files\Panda Security
    2009-02-27 13:44 . 2009-02-27 13:44 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
    2009-02-27 13:40 . 2009-02-27 13:41 <DIR> d-------- c:\documents and settings\STAN\.SunDownloadManager
    2009-02-27 02:05 . 2009-02-27 02:05 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AdobeUM
    2009-02-25 14:24 . 2009-01-09 14:19 1,089,593 --------- c:\windows\SYSTEM32\DLLCACHE\ntprint.cat
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\STAN\Application Data\Malwarebytes
    2009-02-24 19:48 . 2009-02-24 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\windows\SYSTEM32\XPSViewer
    2009-02-24 17:28 . 2009-02-24 17:28 <DIR> d-------- c:\program files\Reference Assemblies
    2009-02-24 17:26 . 2009-02-24 17:27 <DIR> d-------- C:\ad7466749e8d59fa3ab28d8b728c
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\DLLCACHE\xpssvcs.dll
    2009-02-24 17:26 . 2008-07-06 05:50 597,504 --------- c:\windows\SYSTEM32\DLLCACHE\printfilterpipelinesvc.exe
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\DLLCACHE\xpsshhdr.dll
    2009-02-24 17:26 . 2008-07-06 07:06 117,760 --------- c:\windows\SYSTEM32\prntvpt.dll
    2009-02-24 17:26 . 2008-07-06 07:06 89,088 --------- c:\windows\SYSTEM32\DLLCACHE\filterpipelineprintproc.dll
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-02-24 02:12 . 2009-02-24 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-23 20:14 . 2009-02-23 22:35 <DIR> d-------- c:\documents and settings\STAN\Application Data\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-27 18:44 --------- d-----w c:\program files\Java
    2009-02-24 22:28 --------- d-----w c:\program files\MSBuild
    2009-02-24 06:40 --------- d-----w c:\program files\Windows Defender
    2009-02-24 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-23 05:03 --------- d-----w c:\program files\Smart Panel
    2009-02-23 05:00 --------- d-----w c:\program files\EPSON
    2009-02-13 03:22 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-13 03:12 --------- d-----w c:\program files\IncrediMail
    2007-04-16 07:25 24,192 ----a-w c:\documents and settings\STAN\usbsermptxp.sys
    2007-04-16 07:25 22,768 ----a-w c:\documents and settings\STAN\usbsermpt.sys
    2006-10-23 15:04 70,076 ----a-w c:\documents and settings\STAN\Winsock2.reg
    2006-05-15 03:22 33,408 ----a-w c:\documents and settings\STAN\g2mdlhlpx.exe
    2008-08-19 23:31 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-02-28_21.40.39.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-04-02 18:25:59 19,456 ----a-w c:\windows\MSAGENT\INTL\agt0401.dll
    + 2007-04-02 18:26:00 19,456 ----a-w c:\windows\MSAGENT\INTL\agt040d.dll
    + 2002-08-29 10:00:00 10,752 ----a-w c:\windows\SYSTEM32\c_iscii.dll
    + 2007-04-02 18:25:59 19,456 ----a-w c:\windows\SYSTEM32\DLLCACHE\agt0401.dll
    + 2007-04-02 18:26:00 19,456 ----a-w c:\windows\SYSTEM32\DLLCACHE\agt040d.dll
    + 2002-08-29 10:00:00 10,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\c_iscii.dll
    + 2002-08-29 10:00:00 6,144 ----a-w c:\windows\SYSTEM32\DLLCACHE\ftlx041e.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbda1.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbda2.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbda3.dll
    + 2002-08-29 10:00:00 5,120 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdarme.dll
    + 2002-08-29 10:00:00 5,120 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdarmw.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbddiv1.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbddiv2.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdfa.dll
    + 2002-08-29 10:00:00 5,120 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdgeo.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdheb.dll
    + 2008-04-14 00:09:55 6,144 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdinbe1.dll
    + 2008-04-14 00:09:55 6,144 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdinben.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdindev.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdinguj.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdinhin.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdinkan.dll
    + 2008-04-14 00:09:55 6,656 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdinmal.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdinmar.dll
    + 2002-08-29 10:00:00 6,144 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdinpun.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdintam.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdintel.dll
    + 2008-04-14 00:09:55 6,144 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdnepr.dll
    + 2008-04-14 00:09:55 6,144 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdpash.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdsyr1.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdsyr2.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdth0.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdth1.dll
    + 2002-08-29 10:00:00 6,144 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdth2.dll
    + 2002-08-29 10:00:00 6,144 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdth3.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdurdu.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdusa.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\kbdvntc.dll
    + 2002-08-29 10:00:00 185,344 ----a-w c:\windows\SYSTEM32\DLLCACHE\thawbrkr.dll
    + 2009-03-01 20:35:56 27,656 ----a-w c:\windows\SYSTEM32\DRIVERS\avgmfx86.sys
    + 2009-03-01 19:51:01 80,400 ----a-w c:\windows\SYSTEM32\DRIVERS\inspect.sys
    - 2009-02-24 22:44:58 317,952 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
    + 2009-03-01 18:56:08 377,648 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
    + 2002-08-29 10:00:00 6,144 ----a-w c:\windows\SYSTEM32\ftlx041e.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbda1.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbda2.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbda3.dll
    + 2002-08-29 10:00:00 5,120 ----a-w c:\windows\SYSTEM32\kbdarme.dll
    + 2002-08-29 10:00:00 5,120 ----a-w c:\windows\SYSTEM32\kbdarmw.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbddiv1.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbddiv2.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdfa.dll
    + 2002-08-29 10:00:00 5,120 ----a-w c:\windows\SYSTEM32\kbdgeo.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdheb.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdindev.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdinguj.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdinhin.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdinkan.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdinmar.dll
    + 2002-08-29 10:00:00 6,144 ----a-w c:\windows\SYSTEM32\kbdinpun.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdintam.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdintel.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdsyr1.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdsyr2.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdth0.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdth1.dll
    + 2002-08-29 10:00:00 6,144 ----a-w c:\windows\SYSTEM32\kbdth2.dll
    + 2002-08-29 10:00:00 6,144 ----a-w c:\windows\SYSTEM32\kbdth3.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdurdu.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdusa.dll
    + 2002-08-29 10:00:00 5,632 ----a-w c:\windows\SYSTEM32\kbdvntc.dll
    - 2005-09-01 15:34:42 1,312,392 ----a-w c:\windows\SYSTEM32\Macromed\Flash\NPSWF32.dll
    + 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\SYSTEM32\Macromed\Flash\NPSWF32.dll
    + 2009-02-03 02:15:30 240,544 ----a-w c:\windows\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
    + 2009-03-01 20:38:15 84,661 ----a-w c:\windows\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
    + 2002-08-29 10:00:00 185,344 ----a-w c:\windows\SYSTEM32\Thawbrkr.dll
    + 2009-03-02 17:26:55 16,384 ----atw c:\windows\temp\Perflib_Perfdata_198.dat
    + 2006-12-02 05:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-27 148888]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-01 1851128]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-01 1601304]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-03-01 15:36 10520 c:\windows\SYSTEM32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    --a------ 2003-09-03 20:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2004-06-11 17:32 77824 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RDSessMgr"=3 (0x3)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "ERSvc"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "mnmsrvc"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
    "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
    "c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe"=
    "c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "c:\\Program Files\\Magentic\\bin\\MgImp.exe"=
    "c:\\Program Files\\Magentic\\bin\\Magentic.exe"=
    "c:\\Program Files\\Magentic\\bin\\MgApp.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

    R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2009-02-27 28544]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-03-01 325128]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-03-01 107272]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [2009-03-01 110992]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [2009-03-01 24336]
    S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys --> c:\windows\system32\drivers\MA763004.sys [?]
    S3 SynasUSB;SynasUSB;c:\windows\SYSTEM32\DRIVERS\synasUSB.sys [2006-10-17 16896]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - ALG
    *Deregistered* - AudioSrv
    *Deregistered* - avg8wd
    *Deregistered* - Browser
    *Deregistered* - cmdAgent
    *Deregistered* - CryptSvc
    *Deregistered* - DcomLaunch
    *Deregistered* - Dhcp
    *Deregistered* - Dnscache
    *Deregistered* - ERSvc
    *Deregistered* - EventSystem
    *Deregistered* - Fax
    *Deregistered* - helpsvc
    *Deregistered* - JavaQuickStarterService
    *Deregistered* - lanmanserver
    *Deregistered* - lanmanworkstation
    *Deregistered* - LmHosts
    *Deregistered* - Netman
    *Deregistered* - Nla
    *Deregistered* - PolicyAgent
    *Deregistered* - ProtectedStorage
    *Deregistered* - RasMan
    *Deregistered* - RpcSs
    *Deregistered* - SamSs
    *Deregistered* - Schedule
    *Deregistered* - seclogon
    *Deregistered* - SENS
    *Deregistered* - SharedAccess
    *Deregistered* - ShellHWDetection
    *Deregistered* - Spooler
    *Deregistered* - srservice
    *Deregistered* - SSDPSRV
    *Deregistered* - stisvc
    *Deregistered* - TapiSrv
    *Deregistered* - TermService
    *Deregistered* - Themes
    *Deregistered* - TrkWks
    *Deregistered* - w32time
    *Deregistered* - WebClient
    *Deregistered* - WinDefend
    *Deregistered* - winmgmt
    *Deregistered* - wscsvc
    *Deregistered* - wuauserv
    *Deregistered* - WudfSvc
    *Deregistered* - WZCSVC
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ebay.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\STAN\Application Data\Mozilla\Firefox\Profiles\ipwr437o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.ebay.com/
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-02 14:02:22
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(704)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'lsass.exe'(764)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'explorer.exe'(3808)
    c:\windows\system32\guard32.dll
    c:\program files\Logitech\MouseWare\System\LgWndHk.dll
    .
    Completion time: 2009-03-02 14:07:19
    ComboFix-quarantined-files.txt 2009-03-02 19:07:12
    ComboFix2.txt 2009-03-01 04:52:05
    ComboFix3.txt 2009-03-01 02:42:44
    ComboFix4.txt 2009-02-27 18:31:33

    Pre-Run: 23,484,354,560 bytes free
    Post-Run: 23,483,195,392 bytes free

    300 --- E O F --- 2009-02-27 15:13:08


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:08:30 PM, on 3/2/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IncrediMail\bin\IMApp.exe
    C:\Program Files\IncrediMail\bin\IncMail.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\STAN\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    --
    End of file - 5126 bytes
     
  6. 2009/03/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    I see COMODO Internet Security and AVG8 on the computer now.
    Let's make sure you only have 1 antivirus and 1 Firewall on here or you'll run into conflict issues......not to mention the resources two antivirus would use.

    How's the computer now?
     
  7. 2009/03/02
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    It is running a little slow?
    I thought COMODO was my firewall and AVG8 was antivirus.
    I have disabled windows firewall and defender.
    Which programs use the least resources?
    I may need to also upgrade RAM. I believe I am at 256.

    Have the suspicious files on the desktop been taken care of?
     
  8. 2009/03/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Surprised SP3 downloaded and runs having such a small amount of ram.

    ~~~~~~~~~~~~~~~~~~~~~~~
    Panda returned saying the below file is infected. It's odd saying it's located on desktop?
    C:\Documents and Settings\STAN\Desktop\a.exe <--you know what this is?
    Did you delete the file?

    I've seen good feedback concerning
    Online Armor Free - Firewall
    http://www.tallemu.com/free-firewall-prote...n-software.html



    **
    Let me see if we can reduce a few startup items, I do think your main problem now is low ram.

    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    (Anti-spyware from Dell. Seems that after Dell found out certain applications being installed from DVDs would report back information about what customers were watching, they decided to implement an anti-spyware service. Run manually before installation starts. Not necessary.)

    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    (Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    (Not required - often infrequently used tasks that can be started manually, if necessary)


    Reboot the computer to set the registry.



    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
    Example below



    Post back once more and let me know if reducing start ups helped.
     
    Last edited: 2009/03/02
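As an added illustration (not part of the thread, HijackThis, or any tool it mentions), a small Python parser for the O4 autostart lines from the HijackThis log posted above. It separates quoted and unquoted commands, flags the four entries Juliet recommends unchecking, and flags entries whose executable is a bare filename rather than a full path, which a reviewer would want to resolve before deciding. The sample lines and the NOT_NEEDED set are constructed from the posts above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O4 lines from the posted HijackThis log, plus one
# O23 line to show that non-O4 lines are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# Entries the helper recommends unchecking (resource use, not malware).
NOT_NEEDED = {"DVDSentry", "igfxhkcmd", "SunJavaUpdateSched", "IncrediMail"}
EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr")

O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

@dataclass
class RunEntry:
    hive: str
    name: str
    exe: str
    args: str

def split_command(cmd: str):
    """Split a Run value into (executable, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                       # unterminated quote: take the rest
            return cmd[1:].strip(), ""
        return cmd[1:end].strip(), cmd[end + 1:].strip()
    # Unquoted path with spaces is ambiguous; approximate Windows' prefix
    # search by taking the shortest prefix ending in an executable extension.
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate, " ".join(tokens[i:]).strip()
    return tokens[0], " ".join(tokens[1:]).strip()

def parse_o4(log: str):
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            exe, args = split_command(m.group("cmd"))
            entries.append(RunEntry(m.group("hive"), m.group("name"), exe, args))
    return entries

def triage(entries):
    """Names to recommend disabling, and names whose exe has no directory."""
    return {
        "recommend_disable": [e.name for e in entries if e.name in NOT_NEEDED],
        "bare_filename": [e.name for e in entries if "\\" not in e.exe],
    }

if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        print(f"{e.hive:4} {e.name:26} exe={e.exe!r} args={e.args!r}")
    print(triage(parse_o4(SAMPLE_LOG)))
```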
  9. 2009/03/02
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    C:\Documents and Settings\STAN\Desktop\a.exe <--you know what this is?
    Should I delete this file?

    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    (Not required - often infrequently used tasks that can be started manually, if necessary)
    IS this important to our email? THis is the program my wife uses...
     
  10. 2009/03/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Yes, please locate and delete the file.

    Disabling this IncrediMail at startup should have no effect when using your email.


    I think you're good to go, good job!


    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
  11. 2009/03/02
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    Thanks again.


    Should I replace COMODO w/ free Armour?
     
  12. 2009/03/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I'll leave that up to you, to experiment and see if it frees up any resources.

    If you don't like Online Armor, switch back.
     
    stan1622 likes this.
  13. 2009/03/04
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    Can't clean out Trojan Horse Agent.BBBC

    Just did cleaning and still have AVG showing Trojan Horse in C:/system volume information_restore. AVG cleaned twice but seems to keep coming back.
     
  14. 2009/03/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Example below
    http://www.forospyware.com/images/adv/CF_Cleanup.png

    Make sure you follow through with this step, it will clean system restore.




    Also, your original thread had not been closed, just marked resolved.
    You should have come back to that topic to comment.
     
    Last edited: 2009/03/04
  15. 2009/03/04
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I have merged it with the original thread.
     
  16. 2009/03/06
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    Combofix cleanup had been done. When I try again it shows that combofix not installed. Ran AVG today and it showed no threat so I guess I'm ok. Does show tracking cookies. Is there a way to not allow them or are they harmless?
     
  17. 2009/03/07
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Cookies are generally harmless.

    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.




    Returning cookies are not a problem and nothing to worry about. These tracking cookies are present on certain sites you visit, even good sites.
    Read here what cookies are:
    http://www.microsoft.com/info/cookies.mspx
    An easy way to get rid of cookies is:

    1. Start Internet Explorer.
    2. On the Tools menu, click Internet Options, and then click the General tab.
    3. In the Temporary Internet Files section, click Delete Cookies..., click OK, and then click OK again.

    You can also use CookieWall:
    http://www.analogx.com/contents/download/network/cookie.htm
    This program will let you decide what cookies to allow and what cookies to deny.

    Another good and suggested free program to prevent cookies:


    Install and Update SpywareBlaster
    http://www.javacoolsoftware.com/spywareblaster.html

    Follow the tutorial
    SpywareBlaster tutorial:
    http://www.bleepingcomputer.com/tutorials/tutorial49.html



    Make sure both of these boxes are checked in SpywareBlaster....
    "prevent the installation of ActiveX- etc "
    "prevent ad/tracking cookies "
     
  18. 2009/03/07
    stan1622

    stan1622 Well-Known Member Thread Starter

    Joined:
    2009/02/26
    Messages:
    205
    Likes Received:
    0
    Thanks again Juliet.... My computer is running poorly, very slow even after getting cleaned up. Startup takes forever also. Probably the addition of antivirus. I've only got 256 RAM so probably need an upgrade or maybe a new computer. It runs non stop for business. Thanks again.
     
  19. 2009/03/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    In previous replies
    This is the problem.
    The software packages on the machine such as SP3, antivirus, firewall, are large programs known to need ample resources.
    The best thing you can do for your machine is to update the amount of Ram/memory you have available on the computer.
     