There are a lot of instructions on the net on removal of AV2009. I have had trouble following the suggestions on the surface because installing malwarebytes requires updating the definition and this is impossible because all downloads and updates are redirected and killed. I have gotten rid of the actual AV2009 program, but I believe the rootkit and trojans are still there. Also, after installing Mbam (even in Safe Mode w/ networking) the program will spawn a new process, but the process will not do anything. Multiple instances of the program can be begun, but they will not have any visible effect, and will not use CPU. ***Q: How can I fix the browser, or DNS, redirection that is happening so I can install Malwarebytes?
I have run Malwarebytes and Superantispyware; here is my HJT log. Things seem to be gone, except for those things in O15.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:45:13, on 12/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: (no name) - {223F5EAB-7CF8-4759-9A84-C028D349A5A1} - C:\WINDOWS\system32\byXPHwUl.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O20 - AppInit_DLLs: karna.dat qqktpn.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4115 bytes

Thanks!
Have I asked my questions wrong? Would someone tell me if I am still infected by AV2009 or vundo, or that other trojan that was on. Is there likely a hidden rootkit still? I ask because there are still a couple things that won't connect. But 'tdssserv.exe' seems to be gone. It isn't in the device list at least. Thanks
Everything seems fixed, but some connections aren't being made. Specifically, connections made from a certain program. I ran ComboFix just in case and this is the log. Please look it over and tell me if there is anything in line with a Vundo or AntiVirus2009 infection. BTW, tdssserv.exe seems to affect even Safe Mode w/ Networking.

ComboFix 09-01-05.05 - Administrator 2009-01-06 15:35:41.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.799 [GMT -6:00]
Running from: c:\documents and settings\Administrator\desktop\CmbFx.exe
Command switches used :: /KillAll
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: Sophos Client Firewall *disabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\samson bahta\Application Data\FunWebProducts
c:\documents and settings\samson berhe\Application Data\FunWebProducts
c:\documents and settings\samson berhe\Cookies\cojekoh.pif
c:\documents and settings\samson berhe\Cookies\utyto.lib
c:\documents and settings\samson berhe\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\samson berhe\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\samson berhe\Local Settings\Temporary Internet Files\equji._dl
c:\documents and settings\samson berhe\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\samson berhe\Local Settings\Temporary Internet Files\paze._dl
c:\documents and settings\samson berhe\Local Settings\Temporary Internet Files\ramasyp._dl
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\PRE45
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lgfwufud.ini
c:\windows\system32\o4Patch.exe
c:\windows\system32\qiuowdwx.ini
c:\windows\system32\rrweyhyb.ini
c:\windows\system32\rvhrxwqr.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\sX3i19
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\xlxpviib.ini
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.
2009-01-02 16:24 . 2006-10-05 03:31 79,872 --a------ c:\windows\system32\msxml6r.dll
2009-01-02 16:22 . 2008-08-14 04:00 2,180,352 --a------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-02 16:20 . 2004-08-04 05:00 2,940,928 --a------ c:\windows\system32\wmploc.dll
2009-01-02 12:16 . 2006-12-29 00:31 19,569 --a------ c:\windows\002852_.tmp
2009-01-02 12:14 . 2008-10-03 04:15 247,326 --a------ c:\windows\system32\strmdll.dll
2009-01-02 12:14 . 2008-10-03 04:15 247,326 --a------ c:\windows\system32\dllcache\strmdll.dll
2009-01-02 12:09 . 2009-01-02 12:10 <DIR> d-------- C:\5dd7059179909890ab85db9c3539
2009-01-02 12:04 . 2006-12-29 00:31 19,569 --a------ c:\windows\002854_.tmp
2009-01-02 11:51 . 2009-01-02 11:59 <DIR> d-------- C:\a54093a308c0d73e554fb364041c
2008-12-30 17:25 . 2009-01-02 16:37 <DIR> d-------- c:\windows\system32\scripting
2008-12-30 17:25 . 2009-01-02 16:37 <DIR> d-------- c:\windows\system32\en
2008-12-30 17:25 . 2009-01-05 15:13 <DIR> d-------- c:\windows\system32\bits
2008-12-30 17:25 . 2009-01-02 16:37 <DIR> d-------- c:\windows\l2schemas
2008-12-30 17:20 . 2007-08-10 19:46 33,656 --a------ c:\windows\system32\sprecovr.exe
2008-12-30 17:20 . 2006-12-29 00:31 19,569 --a------ c:\windows\002853_.tmp
2008-12-30 17:12 . 2008-12-30 17:14 <DIR> d-------- C:\cb17e9f6220ad90f8f784c52
2008-12-30 16:02 . 2008-10-16 14:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-12-30 16:02 . 2007-04-17 03:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-30 16:02 . 2007-03-07 23:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-30 16:02 . 2008-10-16 14:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-30 16:02 . 2008-10-16 14:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-30 16:02 . 2008-10-16 14:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-12-30 16:02 . 2008-10-16 14:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-12-30 16:02 . 2008-10-16 14:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-30 16:02 . 2008-10-16 07:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-30 15:58 . 2007-08-13 18:54 33,792 --a------ c:\windows\system32\dllcache\custsat.dll
2008-12-30 15:50 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-30 15:42 . 2008-12-30 15:42 <DIR> d-------- c:\program files\Trend Micro
2008-12-29 17:17 . 2008-12-29 17:17 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-29 17:17 . 2008-12-29 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-29 17:17 . 2008-12-29 17:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-29 14:23 . 2008-12-29 14:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-22 14:53 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-22 14:50 . 2009-01-05 16:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 14:50 . 2008-12-22 14:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 14:50 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 14:50 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 17:10 . 2008-12-12 17:10 <DIR> d-------- c:\program files\ESET
2008-12-12 17:10 . 2008-12-12 17:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-12 16:23 . 2008-12-12 16:23 <DIR> d--h----- c:\windows\PIF
2008-12-12 16:16 . 2008-12-12 16:16 <DIR> d-------- C:\escwsa
2008-12-12 16:15 . 2008-12-12 16:41 <DIR> d-------- c:\program files\Sophos
2008-12-12 15:58 . 2008-12-12 15:59 <DIR> d-------- C:\pmex_30
2008-12-12 15:57 . 2008-12-12 15:57 <DIR> d-------- C:\scscc20
2008-12-10 15:56 . 2008-12-12 15:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 21:46 --------- d-----w c:\program files\Yahoo!
2009-01-02 21:46 --------- d-----w c:\program files\Google
2008-12-29 23:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-29 23:22 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-29 21:33 --------- d-----w c:\documents and settings\samson berhe\Application Data\Twain
2008-12-16 19:42 --------- d-----w c:\documents and settings\samson berhe\Application Data\Move Networks
2008-12-12 22:50 --------- d-----w c:\program files\Windows Defender
2008-11-21 21:06 --------- d-----w c:\program files\Lavasoft
2008-11-13 19:36 502 ----a-w c:\documents and settings\samson berhe\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"= "c:\windows\system32\ieframe.dll" [2008-10-16 6066176]

[HKEY_CLASSES_ROOT\clsid\{cfbfae00-17a6-11d0-99cb-00c04fd64497}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2008-10-16 233472]
"UPnPMonitor"= {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 09:51 24638 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat qqktpn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CONNECT to Main Computer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CONNECT to Main Computer.lnk
backup=c:\windows\pss\CONNECT to Main Computer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^INTERNET for BestRxWin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\INTERNET for BestRxWin.lnk
backup=c:\windows\pss\INTERNET for BestRxWin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk
backup=c:\windows\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-04-25 08:50 139264 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-02-24 14:32 5537792 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 14:57 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-02-24 14:32 1495040 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-23 00:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Iap"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\PVSW\\Bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 cIhcsr;cIhcsr;c:\windows\system32\drivers\xnlckrma.sys --> c:\windows\system32\drivers\xnlckrma.sys [?]
S0 qrbsblf;qrbsblf;c:\windows\system32\drivers\zarftpx.sys --> c:\windows\system32\drivers\zarftpx.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{223F5EAB-7CF8-4759-9A84-C028D349A5A1} - c:\windows\system32\byXPHwUl.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
Notify-dimsntfy - (no file)
MSConfigStartUp-9820d111 - c:\windows\system32\bdxjbald.dll
MSConfigStartUp-Antivirus Pro 2009 - c:\program files\AntivirusPro2009\AntivirusPro2009.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-AVG7_Run - c:\progra~1\Grisoft\AVG7\avgw.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-GetPack24 - c:\program files\GetPack\GetPack24.exe
MSConfigStartUp-iesvcmon - c:\windows\system32\iesvcmon.exe
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-prunnet - c:\windows\system32\prun.exe
MSConfigStartUp-qejodqcucpp - c:\windows\system32\efpoynparvh.dll
MSConfigStartUp-SfKg6wIP - c:\documents and settings\samson berhe\Application Data\Microsoft\Windows\vxfkm.exe
MSConfigStartUp-SpeedRunner - c:\documents and settings\samson berhe\Application Data\SpeedRunner\SpeedRunner.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Twain - c:\documents and settings\samson berhe\Application Data\Twain\Twain.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: {{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\msdaipp.dll
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\msdaipp.dll
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\msdaipp.dll
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\msdaipp.dll
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\msdaipp.dll
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\msdaipp.dll
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\msdaipp.dll
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 15:39:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\24.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-01-06 15:42:27 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-01-06 21:42:25
Pre-Run: 141,766,017,024 bytes free
Post-Run: 141,113,614,336 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
270 --- E O F --- 2009-01-05 22:02:45
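The HijackThis log in the earlier post and the ComboFix log above carry the same handful of indicators a log reviewer pulls out by hand: the O15 Trusted Zone additions for rogue-AV domains, the O20 AppInit_DLLs entry (karna.dat qqktpn.dll, which ComboFix also reports under winlogon\windows), load points whose file is already gone, the two S0 boot-start drivers whose image is absent (cIhcsr, qrbsblf) and the MEMSWEEP2 service whose image is a .tmp under system32. Below is an added example, not code from this thread or from the HijackThis or ComboFix authors, of a small Python triage parser that extracts those indicators from a constructed subset of the posted lines. The indicator categories, regular expressions and function names are my own; the line formats are taken from the logs as posted. It flags entries for review and makes no verdict about them.

```python
"""Triage parser for HijackThis and ComboFix log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed subset of the lines posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {223F5EAB-7CF8-4759-9A84-C028D349A5A1} - C:\WINDOWS\system32\byXPHwUl.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O20 - AppInit_DLLs: karna.dat qqktpn.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

SAMPLE_COMBOFIX = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
S0 cIhcsr;cIhcsr;c:\windows\system32\drivers\xnlckrma.sys --> c:\windows\system32\drivers\xnlckrma.sys [?]
S0 qrbsblf;qrbsblf;c:\windows\system32\drivers\zarftpx.sys --> c:\windows\system32\drivers\zarftpx.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]
"""


@dataclass(frozen=True)
class Finding:
    source: str   # "hjt" or "combofix"
    kind: str     # indicator category (names are this example's own)
    detail: str   # the domain, DLL name or path involved


# HijackThis: a drive-letter path followed by "(file missing)" at end of line.
MISSING_RE = re.compile(r"([A-Za-z]:\\[^()]*?) \(file missing\)$")
# ComboFix driver/service line: <R|S><start type> <name>;<display name>;<image ...>
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")


def triage_hjt(text):
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("O15 - Trusted Zone:"):
            # Sites in the IE Trusted Zone run with relaxed security settings.
            domain = line.split("Trusted Zone:", 1)[1].split("(", 1)[0].strip()
            findings.append(Finding("hjt", "trusted_zone", domain))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that links user32.dll.
            for dll in line.split(":", 1)[1].split():
                findings.append(Finding("hjt", "appinit_dll", dll))
        elif line.endswith("(no file)"):
            # Load point whose CLSID survives but has no file behind it.
            findings.append(Finding("hjt", "missing_file", line.split(" - ")[-2]))
        else:
            m = MISSING_RE.search(line)
            if m:
                # A load point whose file is gone: leftover of a partial cleanup.
                findings.append(Finding("hjt", "missing_file", m.group(1)))
    return findings


def triage_combofix(text):
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _state, start, name, _display, image = m.groups()
        image = image.strip()
        # ComboFix prints "<path> --> <path> [?]" when the image file is absent.
        missing = image.endswith("[?]")
        path = image.split("-->", 1)[0].split(" [", 1)[0].strip()
        if missing:
            # Start type 0 is a boot-start driver: it loads before any scanner.
            kind = "boot_driver_missing_file" if start == "0" else "service_missing_file"
            findings.append(Finding("combofix", kind, f"{name}: {path}"))
        if path.lower().endswith(".tmp"):
            # A service whose image is a .tmp under system32 needs a second look.
            findings.append(Finding("combofix", "service_image_is_tmp", f"{name}: {path}"))
    return findings


def run_triage(hjt=SAMPLE_HJT, combofix=SAMPLE_COMBOFIX):
    return triage_hjt(hjt) + triage_combofix(combofix)


def summarize(findings):
    """Count findings per indicator kind so the reviewer sees the shape at a glance."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_triage()
    for f in results:
        print(f"[{f.source}] {f.kind}: {f.detail}")
    print(summarize(results))
```

Run against the full logs rather than the embedded subset by passing the saved log text to run_triage(); the parser ignores every line it has no rule for, so it is safe to feed it the whole file.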