Trojan horse found on computer. Please help.

Re: Trojan horse found on computer. Please help.

Post by Hiwatt » September 22nd, 2008, 10:42 am

Hi Scotty, why do you want me to register here? What technical assistance do you think I need? Thanks.
Re: Trojan horse found on computer. Please help.

Post by Scotty » September 22nd, 2008, 5:44 pm


You said the computer is still sluggish. As it doesn't appear to be a malware problem, you will get technical help to get it back up to speed. This forum only deals with malware issues.
Re: Trojan horse found on computer. Please help.

Post by Hiwatt » September 22nd, 2008, 6:59 pm

Hi Scotty, everything else is fine with the computer. Comodo BOClean found a trojan which it deleted immediately. After this I scanned straight away with Spybot and it found
180Solutions.SearchAssistant 1 entry
Abetterinternet 1 entry
Xpreload 1 entry
BestSearch.scvhost 4 entries
CoolWWWsearch 1 entry
CoolWWWsearchbadzonemap 10 entries
coolWWWsearch.WinRes 1 entry
Mediamotor 3 entries
sgrunt 1 entry
smitfraud-c 5 entries
TNS-search 5 entries
My Spybot scans have always come up clean before this and the computer was fine before. My immunizations in SpywareBlaster and Spybot had also been disabled and things haven't been right since. Is there nothing more you can do to help me?
Re: Trojan horse found on computer. Please help.

Post by Scotty » September 23rd, 2008, 6:24 pm


There is no evidence of that stuff anywhere else. We can take a closer look though.

  1. Please download random's system information tool (RSIT) and save it to your desktop.
  2. Double click on RSIT.exe to run it. RSIT will start running.
  3. Please read through the disclaimer and click on Continue.
  4. RSIT will start running. When done, 2 logs will be produced. The first one, log.txt, will be maximized, the second one, info.txt, will be minimized.
  5. Please post both logs in your next reply. 1 log per reply please.
Re: Trojan horse found on computer. Please help.

Post by Hiwatt » September 24th, 2008, 5:02 am

Thanks Scotty. Here are the two logs.

Logfile of random's system information tool 1.02 (written by random/random)
Run by Default at 2008-09-24 09:58:29
Microsoft Windows XP Professional Service Pack 3
System drive C: has 48 GB (61%) free of 78 GB
Total RAM: 255 MB (5% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59:21, on 24/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Default\Desktop\RSIT.exe
C:\Documents and Settings\Default\Desktop\Default.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

End of file - 5185 bytes

======Scheduled tasks folder======


======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

"COMODO Firewall Pro"=C:\Program Files\Comodo\Firewall\CPF.exe [2008-03-07 1115728]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"SpywareTerminator"=C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe [2008-08-27 1783808]
"BOC-427"=C:\PROGRA~1\Comodo\CBOClean\BOC427.exe [2008-07-14 351480]

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2007-04-19 294912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]


"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]




"C:\Documents and Settings\Default\Desktop\utorrent.exe"="C:\Documents and Settings\Default\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\Default\Desktop\utorrent(2).exe"="C:\Documents and Settings\Default\Desktop\utorrent(2).exe:*:Enabled:µTorrent"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.txt - open - C:\WINDOWS\NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2008-09-24 09:58:29 ----DC---- C:\rsit
2008-09-22 22:27:29 ----D---- C:\Program Files\Avira
2008-09-22 22:27:29 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-18 12:23:24 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-09-18 12:22:47 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-09-18 11:51:39 ----D---- C:\WINDOWS\Prefetch
2008-09-18 11:48:51 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
2008-09-18 11:48:08 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-18 11:42:23 ----D---- C:\Program Files\Messenger
2008-09-18 11:41:52 ----D---- C:\WINDOWS\system32\en-us
2008-09-18 11:41:51 ----D---- C:\WINDOWS\system32\scripting
2008-09-18 11:41:48 ----D---- C:\WINDOWS\l2schemas
2008-09-18 11:41:48 ----D---- C:\Program Files\msn
2008-09-18 11:41:47 ----D---- C:\WINDOWS\system32\en
2008-09-18 11:41:47 ----D---- C:\WINDOWS\system32\bits
2008-09-18 11:38:11 ----D---- C:\WINDOWS\ServicePackFiles
2008-09-18 11:35:40 ----D---- C:\WINDOWS\network diagnostic
2008-09-18 11:33:02 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-09-18 11:29:25 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-09-18 11:21:47 ----N---- C:\WINDOWS\system32\xmllite.dll
2008-09-18 11:21:44 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-09-18 11:21:43 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-09-18 11:21:40 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-09-18 11:21:40 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-09-18 11:21:31 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-09-18 11:21:31 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-09-18 11:21:24 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2008-09-18 11:21:21 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2008-09-18 11:21:20 ----N---- C:\WINDOWS\system32\slserv.exe
2008-09-18 11:21:20 ----N---- C:\WINDOWS\system32\slrundll.exe
2008-09-18 11:21:20 ----N---- C:\WINDOWS\system32\slgen.dll
2008-09-18 11:21:20 ----N---- C:\WINDOWS\system32\slextspk.dll
2008-09-18 11:21:20 ----N---- C:\WINDOWS\system32\slcoinst.dll
2008-09-18 11:21:20 ----N---- C:\WINDOWS\slrundll.exe
2008-09-18 11:21:16 ----N---- C:\WINDOWS\system32\setupn.exe
2008-09-18 11:21:14 ----N---- C:\WINDOWS\system32\s3gnb.dll
2008-09-18 11:21:13 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-09-18 11:21:12 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-09-18 11:21:10 ----N---- C:\WINDOWS\system32\qutil.dll
2008-09-18 11:21:09 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-09-18 11:21:09 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-09-18 11:21:09 ----N---- C:\WINDOWS\system32\qagent.dll
2008-09-18 11:21:08 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-09-18 11:21:05 ----N---- C:\WINDOWS\system32\onex.dll
2008-09-18 11:20:56 ----N---- C:\WINDOWS\system32\napstat.exe
2008-09-18 11:20:55 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-09-18 11:20:55 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-09-18 11:20:55 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2008-09-18 11:20:55 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-09-18 11:20:54 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-09-18 11:20:52 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-09-18 11:20:52 ----N---- C:\WINDOWS\system32\mssha.dll
2008-09-18 11:20:33 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-09-18 11:20:33 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-09-18 11:20:33 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-09-18 11:20:33 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-09-18 11:20:30 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2008-09-18 11:20:19 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-09-18 11:20:18 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-09-18 11:20:18 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-09-18 11:20:18 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-09-18 11:20:18 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-09-18 11:20:18 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-09-18 11:20:08 ----N---- C:\WINDOWS\system32\smtpapi.dll
2008-09-18 11:20:07 ----N---- C:\WINDOWS\system32\rwnh.dll
2008-09-18 11:20:03 ----N---- C:\WINDOWS\system32\comsdupd.exe
2008-09-18 11:19:58 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2008-09-18 11:19:52 ----N---- C:\WINDOWS\system32\faxpatch.exe
2008-09-18 11:19:52 ----A---- C:\WINDOWS\002948_.tmp
2008-09-18 11:19:51 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-09-18 11:19:51 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-09-18 11:19:51 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-09-18 11:19:51 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-09-18 11:19:51 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-09-18 11:19:51 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-09-18 11:19:51 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-09-18 11:19:51 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-09-18 11:19:47 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-09-18 11:19:47 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-09-18 11:19:46 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-09-18 11:19:46 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-09-18 11:19:46 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-09-18 11:19:46 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-09-18 11:19:46 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-09-18 11:19:45 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-09-18 11:19:45 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-09-18 11:19:44 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-09-18 11:19:41 ----N---- C:\WINDOWS\system32\credssp.dll
2008-09-18 11:19:34 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-09-18 11:19:33 ----N---- C:\WINDOWS\system32\azroles.dll
2008-09-18 11:19:32 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2008-09-18 11:19:32 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2008-09-18 11:19:32 ----N---- C:\WINDOWS\system32\ati3duag.dll
2008-09-18 11:19:32 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2008-09-18 11:19:32 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2008-09-18 11:19:32 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2008-09-18 11:19:31 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2008-09-18 11:19:25 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-09-10 10:28:58 ----HDC---- C:\WINDOWS\$NtUninstallKB938464_0$
2008-09-09 13:07:23 ----D---- C:\WINDOWS\system32\Macromed
2008-08-29 11:08:58 ----D---- C:\Documents and Settings\All Users\Application Data\BOC427
2008-08-29 11:08:54 ----A---- C:\WINDOWS\BOC427.INI
2008-08-27 11:52:37 ----D---- C:\WINDOWS\Sun

======List of files/folders modified in the last 1 months======

2008-09-24 09:58:54 ----D---- C:\WINDOWS\TEMP
2008-09-24 09:52:40 ----D---- C:\Program Files\Mozilla Firefox
2008-09-24 09:45:16 ----D---- C:\WINDOWS
2008-09-23 16:24:45 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-09-23 16:24:26 ----D---- C:\Documents and Settings\Default\Application Data\Spyware Terminator
2008-09-23 10:17:21 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-09-23 10:15:17 ----D---- C:\WINDOWS\system32\CatRoot2
2008-09-23 09:15:08 ----D---- C:\Program Files\RegScrubXP
2008-09-23 09:12:44 ----SHC---- C:\boot.ini
2008-09-23 09:12:44 ----AC---- C:\WINDOWS\win.ini
2008-09-23 09:12:44 ----AC---- C:\WINDOWS\system.ini
2008-09-23 01:41:20 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-22 22:27:35 ----D---- C:\WINDOWS\system32\drivers
2008-09-22 22:27:29 ----RAD---- C:\Program Files
2008-09-22 22:13:08 ----D---- C:\WINDOWS\system32
2008-09-22 12:45:13 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-22 12:45:10 ----D---- C:\Program Files\SpywareBlaster
2008-09-19 10:52:37 ----D---- C:\Documents and Settings\Default\Application Data\Auslogics
2008-09-19 10:52:25 ----D---- C:\Program Files\Auslogics
2008-09-19 10:39:39 ----AC---- C:\WINDOWS\NeroDigital.ini
2008-09-18 13:47:20 ----D---- C:\WINDOWS\system32\config
2008-09-18 12:23:30 ----HD---- C:\WINDOWS\inf
2008-09-18 12:23:20 ----HD---- C:\WINDOWS\$hf_mig$
2008-09-18 12:22:54 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-09-18 12:14:51 ----D---- C:\WINDOWS\Debug
2008-09-18 12:08:41 ----D---- C:\WINDOWS\system32\CatRoot
2008-09-18 11:55:02 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-09-18 11:54:51 ----SHDC---- C:\Config.Msi
2008-09-18 11:54:51 ----SHD---- C:\WINDOWS\Installer
2008-09-18 11:51:08 ----D---- C:\WINDOWS\system32\wbem
2008-09-18 11:51:08 ----D---- C:\WINDOWS\system32\Setup
2008-09-18 11:51:08 ----D---- C:\WINDOWS\AppPatch
2008-09-18 11:51:08 ----D---- C:\Program Files\Internet Explorer
2008-09-18 11:51:07 ----RSD---- C:\WINDOWS\Fonts
2008-09-18 11:47:44 ----D---- C:\WINDOWS\security
2008-09-18 11:42:30 ----D---- C:\WINDOWS\WinSxS
2008-09-18 11:42:09 ----D---- C:\WINDOWS\system32\inetsrv
2008-09-18 11:42:09 ----D---- C:\WINDOWS\ime
2008-09-18 11:42:09 ----D---- C:\WINDOWS\Help
2008-09-18 11:41:52 ----D---- C:\WINDOWS\system32\usmt
2008-09-18 11:41:47 ----D---- C:\WINDOWS\PeerNet
2008-09-18 11:41:47 ----D---- C:\Program Files\Movie Maker
2008-09-18 11:37:59 ----D---- C:\WINDOWS\system32\Restore
2008-09-18 11:37:59 ----D---- C:\WINDOWS\system32\npp
2008-09-18 11:37:59 ----D---- C:\WINDOWS\mui
2008-09-18 11:37:58 ----D---- C:\WINDOWS\msagent
2008-09-18 11:37:56 ----D---- C:\WINDOWS\srchasst
2008-09-18 11:37:55 ----D---- C:\Program Files\NetMeeting
2008-09-18 11:37:54 ----D---- C:\WINDOWS\system32\Com
2008-09-18 11:37:51 ----D---- C:\Program Files\Windows Media Player
2008-09-18 11:37:51 ----D---- C:\Program Files\Outlook Express
2008-09-18 11:37:47 ----D---- C:\Program Files\Common Files\System
2008-09-18 11:37:26 ----D---- C:\WINDOWS\system32\oobe
2008-09-18 11:37:24 ----D---- C:\WINDOWS\system
2008-09-18 11:28:49 ----D---- C:\WINDOWS\ehome
2008-09-15 17:06:07 ----SHDC---- C:\System Volume Information
2008-09-15 14:52:28 ----D---- C:\Program Files\EsetOnlineScanner
2008-09-12 10:08:41 ----D---- C:\WINDOWS\BDOSCAN8
2008-09-11 16:38:10 ----D---- C:\Program Files\Spyware Terminator
2008-09-11 10:00:03 ----D---- C:\Documents and Settings\Default\Application Data\uTorrent
2008-09-10 17:40:27 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-10 16:55:25 ----D---- C:\Documents and Settings\Default\Application Data\CyberLink
2008-08-30 10:53:15 ----D---- C:\Documents and Settings\Default\Application Data\Mozilla
2008-08-29 11:08:51 ----D---- C:\Program Files\Comodo
2008-08-26 21:28:12 ----AC---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-06-27 75072]
R1 CmdMon;Comodo Application Engine; C:\WINDOWS\System32\DRIVERS\cmdmon.sys [2008-03-07 75520]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [2004-07-16 16512]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-19 2317504]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 BOCDRIVE;BOClean Kernel Monitor.; \??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2005-02-02 14408]
R3 ip100xp;IC Plus IP100 10/100 Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\ipfnd51.sys [2005-02-02 26752]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-12-24 1897408]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S1 Klif;Klif; \??\C:\WINDOWS\system32\Drivers\klif.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 TSP;TSP; \??\C:\WINDOWS\system32\drivers\klif.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-06-12 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-08-07 149761]
R2 BOCore;BOCore; C:\Program Files\Comodo\CBOClean\BOCORE.exe [2008-07-14 73464]
R2 CmdAgent;Comodo Application Agent; C:\Program Files\Comodo\Firewall\cmdagent.exe [2008-03-07 361040]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2008-08-27 570880]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2002-12-31 89136]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]


info.txt logfile of random's system information tool 1.02 2008-09-24 09:59:27

======Uninstall list======

-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0906B442-D0EC-4FE2-B666-95C82EF8B8A6}
-->C:\PROGRA~1\ntl\BROADB~1\Uninstall.exe ntl
-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Audacity 1.2.4-->"C:\Program Files\Audacity\unins000.exe"
AusLogics Disk Defrag-->"C:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
AusLogics Registry Defrag-->"C:\Program Files\Auslogics\AusLogics Registry Defrag\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
broadband medic-->C:\WINDOWS\Motive\ntl\MCCUninst.exe
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
COMODO Firewall Pro-->C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
ESET Online Scanner-->C:\WINDOWS\system32\OnlineScannerUninstaller.exe
FLAC Installer 1.1.2a (remove only)-->C:\Program Files\FLAC\uninstall.exe
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Glary Utilities 2.6-->"C:\Program Files\Glary Utilities\unins000.exe"
HijackThis 2.0.2-->"C:\Documents and Settings\Default\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kaspersky Online Scanner-->C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.0.1)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSConfig CleanUp 1.2-->"C:\Program Files\MSConfig CleanUp\UninsHs.exe"
Nero Suite-->C:\Program Files\Common Files\Nero\Uninstall\setup.exe /uninstall ExtraUninstallID=""
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
RegScrubXP 3.25-->"C:\Program Files\RegScrubXP\unins000.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Terminator-->"C:\Program Files\Spyware Terminator\unins000.exe"
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Hosts File======

www.007guard.com 007guard.com 008i.com www.008k.com 008k.com www.00hq.com 00hq.com 010402.com www.032439.com 032439.com

======Security center information======

AV: Avira AntiVir PersonalEdition
FW: COMODO Firewall Pro

======Environment variables======

"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 44 Stepping 2, AuthenticAMD

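Added example (written for this edit, not part of the thread and not code from HijackThis or RSIT): a small Python triage script for the O2/O4/O16/O23 line formats in the log above. It parses each entry, pulls out the binary path (or download URL), and flags entries whose binary lives outside Program Files or Windows, which is the kind of check a helper does by eye when reading such a log. The sample input reuses lines from the log above plus one constructed O4 entry ("ConstructedExample" / example.exe) so that a flagged entry appears; the "expected location" prefixes are this example's own assumption, not a HijackThis rule.

```python
"""Triage helper for HijackThis-style log lines (O2 / O4 / O16 / O23 entries)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis log posted in this
# thread, plus ONE constructed O4 entry ("ConstructedExample" / example.exe)
# so that a flagged entry appears. Backslashes are doubled only because this
# is a Python string literal.
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [COMODO Firewall Pro] "C:\\Program Files\\Comodo\\Firewall\\CPF.exe" /background
O4 - HKLM\\..\\Run: [BOC-427] C:\\PROGRA~1\\Comodo\\CBOClean\\BOC427.exe
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O4 - HKUS\\S-1-5-19\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKCU\\..\\Run: [ConstructedExample] C:\\Documents and Settings\\Default\\Application Data\\example.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avguard.exe
"""

O2_RX = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]*\} - (?P<path>.*)$")
O4_RX = re.compile(r"^O4 - (?P<key>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RX = re.compile(r"^O16 - DPF: \{[^}]*\} \((?P<name>[^)]*)\) -\s*(?P<url>.*)$")
# The service name itself may contain " - ", so anchor on the drive letter of the path.
O23_RX = re.compile(r"^O23 - Service: (?P<rest>.*) - (?P<path>[A-Za-z]:\\.*)$")

BINARY_EXTS = (".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx")
# Assumed "expected" locations for autoruns, services and BHOs (this example's
# heuristic, not a HijackThis rule).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows", "%windir%")


@dataclass
class Entry:
    kind: str       # "O2", "O4", "O16" or "O23"
    name: str
    target: str     # binary path, or the download URL for O16
    location: str   # "expected", "user-writable", "other" or "url"
    review: bool    # True = a helper should look at this entry by hand


def extract_path(cmd: str) -> str:
    """Pull the binary path out of an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    acc: List[str] = []
    for tok in cmd.split(" "):      # bare paths may contain spaces: accumulate
        acc.append(tok)             # tokens until one ends in a binary extension
        if tok.lower().endswith(BINARY_EXTS):
            return " ".join(acc)
    return cmd                      # no recognisable extension: keep everything


def location_class(path: str) -> str:
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return "expected"
    if "documents and settings" in p or "\\temp\\" in p or p.startswith("%userprofile%"):
        return "user-writable"
    return "other"


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = O16_RX.match(line)
    if m:   # every ActiveX download source is worth a manual look
        url = m.group("url").strip()
        return Entry("O16", m.group("name"), url, "url", review=bool(url))
    for kind, rx in (("O2", O2_RX), ("O4", O4_RX), ("O23", O23_RX)):
        m = rx.match(line)
        if not m:
            continue
        g = m.groupdict()
        if kind == "O4":
            target, name = extract_path(g["cmd"]), g["name"]
        elif kind == "O23":
            target = g["path"]
            name = g["rest"].rsplit(" - ", 1)[0]   # drop the vendor field
        else:
            target, name = g["path"], g["name"]
        loc = location_class(target)
        return Entry(kind, name, target, loc, review=(loc != "expected"))
    return None


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line; unknown line types are ignored."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.review]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{'REVIEW' if e.review else 'ok    '} {e.kind:<4} {e.name:<40} {e.target}")
```

On the sample above only the constructed O4 entry and the O16 download are flagged; every real entry from the posted log resolves to Program Files or Windows, matching the helper's reading that the log shows nothing out of place.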
Re: Trojan horse found on computer. Please help.

Post by Scotty » September 27th, 2008, 7:15 am


Sorry for the delay.

I still see nothing bad there. Apart from Spybot's findings, are there any other symptoms, like pop-ups? If you were as infected as all that, you would have plenty of those.

Which version of Spybot do you have, by the way?
Re: Trojan horse found on computer. Please help.

Post by Hiwatt » September 27th, 2008, 8:25 am

Hi Scotty, no problem. I have the latest version of Spybot (1.6.0). The only visible difference I've noticed since Comodo found and then deleted this trojan is that the computer is a lot slower (a bit erratic) and opening programs and the like takes a lot longer than before. I'm not getting any pop-ups or anything, no. I had scanned the day before with Spybot though and it found nothing. Something did disable my SpywareBlaster and Spybot protection though.
Re: Trojan horse found on computer. Please help.

Post by Scotty » September 27th, 2008, 7:42 pm

Let's try this.

Please download and install IceSword.

IceSword is in compressed RAR file format, so you will need a utility like WinRAR or the open source 7-Zip to extract it.
Download and extract 7-Zip.

Then use 7-Zip to extract IceSword to C:\Program Files\IceSword.

Once IceSword is extracted, with all browser and Explorer windows closed, run IceSword.
  • Once IceSword is open, click the Win32 Service Function on the left Menu Bar.
    If any red entries are found, click the blue Log tab at the top of the screen and save the log to your documents folder as service-list.txt.
  • Now, click IceSword's Process Function on the left Menu Bar.
    If any red entries are found, click the blue Log tab at the top of the screen and save the log to your documents folder as processlist.txt.
Re: Trojan horse found on computer. Please help.

Post by Hiwatt » September 29th, 2008, 5:01 am

Hi Scotty, I ran IceSword.exe and it didn't find any red entries in Win32 or Process that I could see. Where would they show as being red?
Re: Trojan horse found on computer. Please help.

Post by Scotty » September 30th, 2008, 1:55 pm


No red entries means nothing to worry about. I've exhausted all avenues now; there does not appear to be any malware on your computer now, and you should follow my directions for technical advice.
Re: Trojan horse found on computer. Please help.

Post by Hiwatt » October 1st, 2008, 5:30 am

Hi Scotty, OK thanks. Does that mean that Spybot has completely cleaned all the stuff it found? Can you see any evidence of the computer having been infected at all? The original trojan that was found was called PSWTool.RAS if that's any help. What would your advice be now then? Thank you very much for helping me, it's much appreciated.
Re: Trojan horse found on computer. Please help.

Post by Scotty » October 1st, 2008, 5:35 pm


I'm still not convinced Spybot found all that stuff; you would know about it for sure. All the scans we have done have come up clean, so to get the speed back, follow my advice to post at Whatthetech.
Re: Trojan horse found on computer. Please help.

Post by Hiwatt » October 1st, 2008, 5:47 pm

Hi Scotty, it did find it and "fixed it"; in fact, if I go into Spybot's recovery they are still listed. I can take a screen cap if you like? Or is there a way to save a log from the recovery of Spybot? I'm not sure what you think Whatthetech can do for me, as I defrag regularly, run CCleaner and stuff and keep my anti-virus and spyware fully up to date? Thanks.
Re: Trojan horse found on computer. Please help.

Post by Scotty » October 6th, 2008, 6:50 pm


OK, let's try this.

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once Recovery Console is installed, you should see a blue screen prompt like the one below:


Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

In your next reply post:
New HijackThis log taken after the above scan has run
Re: Trojan horse found on computer. Please help.

Post by Hiwatt » October 7th, 2008, 7:24 am

Hi Scotty
That looks a bit complicated to me. I think I have the Windows Recovery Console installed already, and I couldn't see a link to download Combofix. I've included a screenshot of what Spybot found from Spybot's recovery.
