Trojan present on system

Status
Not open for further replies.
Someone farther up said to delete those. They are not necessary to run for the control panels, but the hardware, i.e. an extra set of speakers, may not work properly if you do not run those files. Sometimes ATI makes a sound card/video card combo; not running them may also reduce the quality of the picture.
 
All your logs are pretty clean already. As for these HijackThis entries:

O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
belongs to Symantec Intrusion Prevention
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
belongs to Windows Live Messenger

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
belongs to trend micro house call
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
is a Download Manager for Symantec products

You realise that they are actually fine. Some display (no file) commonly in many HijackThis logs - I believe it's a bug. Some, like the O16s, are there because you've installed them. In any case, they are all legit. I've fixed the two bad ones, fin42u and tuvVPfeE, so basically you're good to go.

Run through my previous system restore cleaning instructions. =)
 
Two observations / issues concerning this problem

Concerning the HJT tool, what really happens for HJT Fix Check for O20 entries? It appears that the effect is to IGNORE.

What is the hidden power of "Winlogon Notify"? I do not see SAS in the process list. There is a burst screen at Startup. It does appear in the notification area of the task bar.

How did the malware apparently suppress legit O16 entries?


Before HJT Fix Check
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
After HJT Fix Check AND before ComboFix script applied
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fin42u]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvVPfeE]
After ComboFix script applied
No longer being suppressed?
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -

O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

I assume user action is needed to delete the offending files:
fin42u - C:\WINDOWS\ ; tuvVPfeE - C:\WINDOWS

If these files do not exist, then I fail to see how the re-infection occurred.
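To answer the "hidden power" question in practice: on Windows XP / Server 2003, each subkey under the Winlogon\Notify key quoted above names a DLL (its DllName value) that winlogon.exe loads at boot and calls on logon, logoff and lock events, which is why malware likes the location and why HJT's fix for an O20 entry simply deletes that subkey. The following read-only audit script is an added example for this thread, not something posted by any participant or shipped with HJT, ComboFix or SAS; it assumes an elevated PowerShell prompt on XP/2003 and that a bare DLL name (no directory) is looked up in %SystemRoot%\system32 and then %SystemRoot%. It lists every registered package, whether its DLL still exists, and whether that DLL carries a valid Authenticode signature, so an entry like fin42u whose file is already gone shows up as an orphan rather than a live threat.

```powershell
# Added example (not from the thread): audit Winlogon Notify packages on
# Windows XP / Server 2003, where winlogon.exe still loads them.
# Read-only: nothing in the registry or on disk is changed.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Resolve-NotifyDll {
    param([string]$DllName)
    # Assumption: a bare file name is searched for in %SystemRoot%\system32
    # and then %SystemRoot%; a rooted path is used as-is.
    $expanded = [Environment]::ExpandEnvironmentVariables($DllName)
    if ([System.IO.Path]::IsPathRooted($expanded)) { return $expanded }
    foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
        $candidate = Join-Path $dir $expanded
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    # Not found anywhere: report the first search location so the row is readable.
    return Join-Path "$env:SystemRoot\system32" $expanded
}

function Get-WinlogonNotifyAudit {
    if (-not (Test-Path -LiteralPath $NotifyKey)) {
        Write-Warning "$NotifyKey not found; Notify packages are only loaded on XP/2003."
        return
    }
    foreach ($sub in Get-ChildItem -LiteralPath $NotifyKey) {
        $props   = Get-ItemProperty -LiteralPath $sub.PSPath
        $dllName = [string]$props.DllName
        $path    = $null
        $sig     = 'n/a'
        $verdict = 'review'

        if ([string]::IsNullOrEmpty($dllName)) {
            $verdict = 'orphan: no DllName value'
        } else {
            $path = Resolve-NotifyDll $dllName
            if (-not (Test-Path -LiteralPath $path)) {
                # The state the thread describes: the subkey survives but the
                # file is gone, so HJT reports the O20 entry with no file.
                $verdict = 'orphan: DLL missing on disk'
            } else {
                $sigObj = Get-AuthenticodeSignature -FilePath $path
                $sig = $sigObj.Status
                if ($sigObj.Status -eq 'Valid') {
                    $verdict = 'ok: signed by ' + $sigObj.SignerCertificate.Subject
                } else {
                    $verdict = 'review: DLL present but not validly signed'
                }
            }
        }

        # New-Object PSObject keeps this usable on PowerShell 2.0 (the last
        # version available for XP); [PSCustomObject] needs 3.0.
        New-Object PSObject -Property @{
            Package   = $sub.PSChildName
            DllName   = $dllName
            Path      = $path
            Signature = $sig
            Verdict   = $verdict
        }
    }
}

Get-WinlogonNotifyAudit | Format-Table Package, DllName, Path, Signature, Verdict -AutoSize
```

On the machine in this thread the `!SASWinLogon` row should resolve to the SUPERAntiSpyware DLL, while `fin42u` and `tuvVPfeE`, if their subkeys were still present, would come back as orphans once the files had been removed. Before deleting an orphan subkey by hand (the equivalent of the HJT fix), export the key first with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify-backup.reg` so the change can be reversed; the reappearance of the two entries after a fix, as reported later in the thread, is exactly the symptom this audit is meant to catch when rerun after a reboot.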
 
Could somebody have a look at the attached logs?

The above stuff on:
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

has left me rather confused. Do those files need to be deleted because they are infected? Or am I good to go?
 
Obtain updates for MBAM & SAS.
Repeat the scans.

Something brought back the O20 entries. We need to find the source.
 
I'm suspecting a rootkit.
Could you run Panda Antirootkit from here?
Post back with your results.

Also as rf6647 mentioned, update your programs and repeat your scans.
 
Here are the logs requested.

AntiRootkit showed that there were no problems. I did an advanced scan as well.
 
Hmm... it's interesting to note that Mbam detects the registry infections and fixes them. However, on your other logs there are no signs of any infections, which is perplexing.

Just to be sure, could you run Combofix (first turn off your real-time monitoring programs, such as spybot/antivirus guards) and post the log here, as well as a fresh hjt log after running combofix?
 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

Also, please do this:
How to use Reset Internet Explorer Settings (RIES)

To use RIES in Internet Explorer 7, follow these steps:

1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Note: users who cannot start Internet Explorer 7 for some reason can use RIES from Internet Options in Control Panel.
 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

I'm presuming these files have to be deleted in HJT?
 
I've deleted the above mentioned files; should I post another HJT log?

I've also reset the Internet Explorer settings. On the security and privacy settings what should they be?

Thanks for all your help.
 
It should be fine.

The settings are usually left up to user preference. If it helps at all, my IE settings are medium high for security and medium for privacy.
 