Trojan virus infection

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Trojan virus infection Do not know how to remove

#1 hcbarber

New Member

Group: Members
Posts: 12
Joined: 02-June 09

Posted 02 June 2009 - 02:32 PM

I have a trojan virus in my computer. I have used AVG 8.5 which detected the virus named pws mapper and AVG could not remove the virus. I purchased ad aware and upgraded to ad aware anniversary edition, which detects the virus, but
cannot remove it. I contacted lavasoft about the virus and after trying to use ad aware in safe mode, the virus will not go away. Lavasoft recommended that I use a forum to get help removing the virus. I am not sure what the virus is called, but whenever searching the internet, everything is redirected. I am not very skilled on the computer, so I have tried to follow your preparation guide in preparing this post. I need help getting rid of this virus.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Compaq_Owner at 14:50:54.51 on Tue 06/02/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.233 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdwareAlert] c:\program files\adwarealert\AdwareAlert.exe -boot
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\SpySub.exe
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: c:\windows\system32\INetHTTPFilter.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196288578156
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpySubtract Shell Extension: {fa010552-4a27-4cb1-a1bb-3e2d697f1639} - c:\program files\intermute\spysubtract\sshook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-25 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-14 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-27 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-14 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-7 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-7 298776]
R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [2009-1-2 98432]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]

=============== Created Last 30 ================

2009-06-02 14:26 <DIR> --dsh--- c:\documents and settings\compaq_owner\PrivacIE
2009-06-02 14:25 <DIR> --dsh--- c:\documents and settings\compaq_owner\IETldCache
2009-06-02 14:22 <DIR> --d----- c:\windows\ie8updates
2009-06-02 14:22 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-02 14:19 <DIR> -cd-h--- c:\windows\ie8
2009-05-29 18:19 <DIR> --d----- c:\program files\common files\Diskeeper Corporation
2009-05-29 18:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2009-05-29 18:19 <DIR> --d----- c:\program files\Diskeeper Corporation
2009-05-29 15:59 664 a------- c:\windows\system32\d3d9caps.dat
2009-05-25 22:17 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-25 21:21 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-25 21:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-25 21:08 <DIR> --d----- c:\program files\Lavasoft
2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-24 13:07 2,102,048 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-24 13:00 2,725 a------- C:\rollback.ini
2009-05-24 12:45 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-24 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-05-18 10:14 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-05-17 18:53 50 a------- c:\windows\system32\ssmute.ini
2009-05-17 18:53 <DIR> --d----- c:\program files\interMute
2009-05-17 18:01 1,409 a------- c:\windows\system32\tmp08A4B.FOT
2009-05-17 14:19 <DIR> --d----- c:\docume~1\compaq~1\applic~1\AdwareAlert
2009-05-16 13:09 193 a------- c:\docume~1\compaq~1\applic~1\asd.bat

==================== Find3M ====================

2009-05-29 15:57 3,888 ac------ c:\windows\viassary-hp.reg
2009-05-17 08:53 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-17 08:53 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-17 08:53 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2007-11-28 08:17 0 ac-sh--- c:\windows\sminst\HPCD.SYS
2008-08-28 21:24 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 14:52:22.85 ===============

Attached File(s)

Attach.txt (9.82K)
Number of downloads: 7

#2 DocSatan

Bleepin' Wanna-Be

Group: Members
Posts: 2,156
Joined: 30-August 07
Gender:Male
Location:Boston, Ma.

Posted 13 June 2009 - 01:31 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

All Other Things Being Equal, The Simplest Solution Is The Best.
Anti-Spyware Scanners - Anti-Virus Scanners - Online Scanners - Firewalls
Protect Yourself and Surf More Secure

#3 hcbarber

New Member

Group: Members
Posts: 12
Joined: 02-June 09

Posted 13 June 2009 - 03:09 PM

I am still having the problem and I am posting the new DDS logs. Thanks for your help.
DDS (Ver_09-05-14.01) - NTFSx86
Run by Compaq_Owner at 16:05:25.28 on Sat 06/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.265 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.pif

============== Pseudo HJT Report ===============

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\SpySub.exe
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: c:\windows\system32\INetHTTPFilter.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196288578156
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpySubtract Shell Extension: {fa010552-4a27-4cb1-a1bb-3e2d697f1639} - c:\program files\intermute\spysubtract\sshook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-25 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-14 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-27 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-14 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-7 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-7 298776]
R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [2009-1-2 98432]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]

=============== Created Last 30 ================

2009-06-12 10:27 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-06-12 10:27 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 10:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-12 10:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 10:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-12 08:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-10 03:04 197 a------- c:\windows\system32\MRT.INI
2009-06-10 01:44 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 01:44 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-04 21:23 <DIR> --d----- c:\program files\iPod
2009-06-04 21:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-04 21:17 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-02 14:26 <DIR> --dsh--- c:\documents and settings\compaq_owner\PrivacIE
2009-06-02 14:25 <DIR> --dsh--- c:\documents and settings\compaq_owner\IETldCache
2009-06-02 14:22 <DIR> --d----- c:\windows\ie8updates
2009-06-02 14:22 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-02 14:19 <DIR> -cd-h--- c:\windows\ie8
2009-05-29 18:19 <DIR> --d----- c:\program files\common files\Diskeeper Corporation
2009-05-29 18:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2009-05-29 18:19 <DIR> --d----- c:\program files\Diskeeper Corporation
2009-05-29 15:59 664 a------- c:\windows\system32\d3d9caps.dat
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-25 22:17 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-25 21:21 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-25 21:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-25 21:08 <DIR> --d----- c:\program files\Lavasoft
2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-24 13:07 2,102,048 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-24 13:00 2,725 a------- C:\rollback.ini
2009-05-24 12:45 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-24 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-05-18 10:14 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-05-17 18:53 2,158 a------- c:\windows\system32\ssmute.ini
2009-05-17 18:53 <DIR> --d----- c:\program files\interMute
2009-05-17 18:01 1,409 a------- c:\windows\system32\tmp08A4B.FOT
2009-05-16 13:09 224 a------- c:\windows\system32\UACcltksoexyluwpbo.dat

==================== Find3M ====================

2009-06-12 08:31 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-29 15:57 3,888 ac------ c:\windows\viassary-hp.reg
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-17 08:53 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-17 08:53 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2007-11-28 08:17 0 ac-sh--- c:\windows\sminst\HPCD.SYS
2008-08-28 21:24 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 16:06:01.98 ===============

Attached File(s)

Attach_2.txt (8.42K)
Number of downloads: 7

#4 syler

Forum Addict

Group: Malware Response Team
Posts: 8,150
Joined: 07-November 07
Gender:Male
Location:Warrington, UK

Posted 14 June 2009 - 02:05 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:

Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
If I do not hear back from you within 5 days of my last post, then this topic will be closed.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.

We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Next

Download RootRepeal from the following location and save it to your desktop.
Extract the contents of RootRepeal.zip, to your desktop.
Double click on your desktop.
Click on the report tab, then click scan
Check all six boxes:
Click Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

Then please post back here with the following:

Combofix.txt
Gmer log

If I have helped you, and you would like to make a donation to me, click here

#5 hcbarber

New Member

Group: Members
Posts: 12
Joined: 02-June 09

Posted 15 June 2009 - 05:39 PM

I would like to try and fix the computer. The computer is used at home for personal uses. I have a lot of itunes that would need to be backed up, so I wanted to try and fix the computer. I installed the combofix and have the log. I downloaded rootrepeal and I get an error message of invalid PE image found, everytime I try to run the program. Please let me know what I need to do next.

Attached File(s)

combofix_log.txt (20.37K)
Number of downloads: 5

#6 hcbarber

New Member

Group: Members
Posts: 12
Joined: 02-June 09

Posted 15 June 2009 - 05:44 PM

Also, if I disconnect from the internet, how can I download the software you suggested to fix the computer? I am not very computer literate, so i am going to need help with each step of the process. Will you be able to tell if the computer is clean
when I am finished with this process? If I need to reinstall Windows, how would I go about that process? THank you for your help!

#7 syler

Forum Addict

Group: Malware Response Team
Posts: 8,150
Joined: 07-November 07
Gender:Male
Location:Warrington, UK

Posted 15 June 2009 - 05:46 PM

Try this scanner instead, also please post your logs in future rather than attaching them, unless I ask.

Thanks

We need to scan for Rootkits with GMER

Please download GMER from one of the following locations, and save it to your desktop:
- Main Mirror
  This version will download a randomly named file (Recommended)
- Zip Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
Close any and all open programs, as this process may crash your computer.
Double click on Gmer to run it.
Allow the gmer.sys driver to load if asked.
You may see a rootkit warning window, If you do, click No.
Click on and wait for the scan to finish.
If you see a rootkit warning window, click OK.
Push and save the logfile to your desktop.
Copy and Paste the contents of that file in your next post.

If I have helped you, and you would like to make a donation to me, click here

#8 syler

Forum Addict

Group: Malware Response Team
Posts: 8,150
Joined: 07-November 07
Gender:Male
Location:Warrington, UK

Posted 15 June 2009 - 05:52 PM

Quote

Also, if I disconnect from the internet, how can I download the software you suggested to fix the computer?

You obviously would have to connect to the internet when you need to download tools, you just need to try and use it as little
as possible whilst we are cleaning your computer.

Quote

I am not very computer literate, so i am going to need help with each step of the process.

No problem, just ask me if your not sure how to complete any of the steps.

Quote

Will you be able to tell if the computer is clean
when I am finished with this process? If I need to reinstall Windows, how would I go about that process? THank you for your help!

We can cross that bridge if or when we come to it and your welcome!

If I have helped you, and you would like to make a donation to me, click here

#9 hcbarber

New Member

Group: Members
Posts: 12
Joined: 02-June 09

Posted 16 June 2009 - 04:50 PM

I am posting the log from combofix and gmer. I will copy and paste the file instead of using the attachment. Please let me know, if this is not the right way to post the logs. Again, thanks for your help. I am not using the internet except to try and fix the computer.

ComboFix 09-06-15.04 - Compaq_Owner 06/15/2009 18:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.249 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\windows\system32\UACcltksoexyluwpbo.dat
c:\windows\system32\UACroldgsvmchddmwi.log
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-16 17:43:17
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF7DC887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7DC8BFE]

Code \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-06-12 14:27 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-12 14:27 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 13:41 . 2009-06-02 17:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:32 . 2009-06-12 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 12:32 . 2009-06-12 12:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-12 12:30 . 2009-05-17 12:37 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-06-10 07:16 . 2009-06-10 07:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InterMute
2009-06-10 05:44 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 05:44 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-05 01:23 . 2009-06-05 01:23 -------- d-----w- c:\program files\iPod
2009-06-05 01:22 . 2009-06-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 01:17 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 01:13 . 2009-06-05 01:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 21:33 . 2009-06-04 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-02 18:26 . 2009-06-02 18:26 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
2009-06-02 18:25 . 2009-06-02 18:25 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
2009-06-02 18:22 . 2009-06-02 18:22 -------- d-----w- c:\windows\ie8updates
2009-06-02 18:22 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-02 18:19 . 2009-06-02 18:21 -------- dc-h--w- c:\windows\ie8
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Diskeeper Corporation
2009-05-29 19:59 . 2009-05-29 19:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-28 01:34 . 2009-05-28 01:34 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-28 01:34 . 2009-05-28 01:34 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-28 01:34 . 2009-05-28 01:34 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-28 01:34 . 2009-05-28 01:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-26 02:17 . 2009-05-28 01:34 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-26 01:20 . 2009-05-26 01:20 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-26 01:08 . 2009-05-29 20:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-26 01:08 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-26 01:08 . 2009-05-26 01:08 -------- d-----w- c:\program files\Lavasoft
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-05-24 17:07 . 2009-05-24 19:33 2102048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-24 16:43 . 2009-05-24 16:43 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations
2009-05-22 13:48 . 2009-05-22 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-22 13:43 . 2009-05-17 12:53 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-22 13:43 . 2009-05-17 12:52 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-22 13:43 . 2009-05-22 13:42 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-22 13:43 . 2009-05-17 12:52 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-22 13:43 . 2009-05-17 12:52 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-22 13:43 . 2009-05-17 12:52 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-22 13:43 . 2009-05-17 12:53 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-22 13:41 . 2009-05-22 13:41 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-22 13:41 . 2009-05-17 12:36 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-18 16:34 . 2009-05-18 16:34 34656 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-05-18 15:12 . 2009-05-18 15:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Motive
2009-05-18 14:14 . 2009-05-22 18:33 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-05-17 22:53 . 2009-05-17 22:53 -------- d-----w- c:\program files\interMute
2009-05-17 22:15 . 2009-05-22 13:44 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 12:31 . 2008-06-15 02:40 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-12 12:31 . 2009-06-12 12:33 826624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-05 01:23 . 2007-11-30 04:28 -------- d-----w- c:\program files\iTunes
2009-06-05 01:22 . 2007-11-30 04:23 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 01:19 . 2007-11-30 04:25 -------- d-----w- c:\program files\QuickTime
2009-05-29 19:57 . 2004-08-10 15:43 3888 -c--a-w- c:\windows\viassary-hp.reg
2009-05-29 17:36 . 2008-08-01 01:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-26 12:20 . 2007-11-29 15:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-24 19:58 . 2004-08-10 15:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 18:29 . 2009-05-16 21:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-17 18:17 . 2008-09-30 00:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-05-17 15:13 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR
2009-05-17 12:53 . 2009-06-12 12:33 325896 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-05-17 12:53 . 2008-06-15 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-17 12:53 . 2008-02-28 01:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-17 12:53 . 2008-06-15 02:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-17 12:53 . 2009-06-12 12:33 487704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-05-17 12:52 . 2009-06-12 12:33 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-17 12:52 . 2009-06-12 12:33 3401496 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-17 12:52 . 2009-06-12 12:33 1947928 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-05-17 12:52 . 2009-06-12 12:33 1217816 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
2009-05-17 12:52 . 2009-06-12 12:33 1205528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-05-17 12:52 . 2009-06-12 12:33 681752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmx.dll
2009-05-17 12:52 . 2009-06-12 12:33 1262880 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-05-17 12:52 . 2009-06-12 12:33 761112 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.exe
2009-05-17 12:52 . 2009-06-12 12:33 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmax.exe
2009-05-17 12:52 . 2009-06-12 12:33 830232 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-05-16 17:37 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-13 05:15 . 2007-11-28 17:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2007-11-28 16:59 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2007-11-28 17:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2007-11-28 17:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 22:22 . 2007-11-29 15:23 34656 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-11-28 12:17 . 2007-11-28 17:30 0 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-10 14:57 . 2003-02-12 03:02 61440 c:\hp\KBD\bak\KBD.EXE

2007-10-11 00:51 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2007-11-30 02:22 . 2007-12-22 16:46 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-05-30 16:30 . 2009-05-30 16:30 292136 c:\program files\iTunes\iTunesHelper.exe

2004-08-10 14:09 . 2004-08-10 14:09 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe

2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE

2004-08-10 14:24 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe

2007-11-28 16:58 . 2004-08-03 19:00 15360 c:\windows\system32\bak\ctfmon.exe
2007-11-28 16:58 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2004-08-10 14:57 . 2003-09-13 03:13 98304 c:\windows\system32\bak\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 17:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-29 518488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-5-22 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-8-31 229376]
SpySubtract.lnk - c:\program files\interMute\SpySubtract\SpySub.exe [2009-5-17 1183744]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\interMute\SpySubtract\sshook.dll" [2009-05-17 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 9:21 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2008 10:40 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2008 10:40 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 10:03 AM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 10:03 AM 298776]
R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [1/2/2009 3:34 PM 98432]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\Ad-Aware Scan (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21]

2009-06-15 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21]

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 18:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\JETDB28.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(720)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CF1345.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-15 18:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-15 22:27

Pre-Run: 15,663,968,256 bytes free
Post-Run: 16,074,891,264 bytes free

250 --- E O F --- 2009-06-10 07:08

#10 syler

Forum Addict

Group: Malware Response Team
Posts: 8,150
Joined: 07-November 07
Gender:Male
Location:Warrington, UK

Posted 16 June 2009 - 05:07 PM

Yes you have done it correct by copy and pasting it, but you have posted the Gmer log in the middle of the combofix log.
Please repost the logs correctly, first paste the combofix log then leave a couple of spaces then paste the Gmer log thanks

This post has been edited by syler: 16 June 2009 - 05:08 PM

If I have helped you, and you would like to make a donation to me, click here

#11 hcbarber

New Member

Group: Members
Posts: 12
Joined: 02-June 09

Posted 17 June 2009 - 04:04 PM

I am copying and pasting the combofix and gmer log files. Sorry, I did not realize that I had pasted them on top of each other. Thanks.

ComboFix 09-06-15.04 - Compaq_Owner 06/15/2009 18:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.249 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\windows\system32\UACcltksoexyluwpbo.dat
c:\windows\system32\UACroldgsvmchddmwi.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-06-12 14:27 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-12 14:27 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 13:41 . 2009-06-02 17:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:32 . 2009-06-12 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 12:32 . 2009-06-12 12:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-12 12:30 . 2009-05-17 12:37 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-06-10 07:16 . 2009-06-10 07:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InterMute
2009-06-10 05:44 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 05:44 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-05 01:23 . 2009-06-05 01:23 -------- d-----w- c:\program files\iPod
2009-06-05 01:22 . 2009-06-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 01:17 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 01:13 . 2009-06-05 01:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 21:33 . 2009-06-04 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-02 18:26 . 2009-06-02 18:26 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
2009-06-02 18:25 . 2009-06-02 18:25 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
2009-06-02 18:22 . 2009-06-02 18:22 -------- d-----w- c:\windows\ie8updates
2009-06-02 18:22 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-02 18:19 . 2009-06-02 18:21 -------- dc-h--w- c:\windows\ie8
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Diskeeper Corporation
2009-05-29 19:59 . 2009-05-29 19:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-28 01:34 . 2009-05-28 01:34 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-28 01:34 . 2009-05-28 01:34 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-28 01:34 . 2009-05-28 01:34 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-28 01:34 . 2009-05-28 01:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-26 02:17 . 2009-05-28 01:34 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-26 01:20 . 2009-05-26 01:20 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-26 01:08 . 2009-05-29 20:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-26 01:08 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-26 01:08 . 2009-05-26 01:08 -------- d-----w- c:\program files\Lavasoft
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-05-24 17:07 . 2009-05-24 19:33 2102048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-24 16:43 . 2009-05-24 16:43 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations
2009-05-22 13:48 . 2009-05-22 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-22 13:43 . 2009-05-17 12:53 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-22 13:43 . 2009-05-17 12:52 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-22 13:43 . 2009-05-22 13:42 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-22 13:43 . 2009-05-17 12:52 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-22 13:43 . 2009-05-17 12:52 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-22 13:43 . 2009-05-17 12:52 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-22 13:43 . 2009-05-17 12:53 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-22 13:41 . 2009-05-22 13:41 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-22 13:41 . 2009-05-17 12:36 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-18 16:34 . 2009-05-18 16:34 34656 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-05-18 15:12 . 2009-05-18 15:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Motive
2009-05-18 14:14 . 2009-05-22 18:33 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-05-17 22:53 . 2009-05-17 22:53 -------- d-----w- c:\program files\interMute
2009-05-17 22:15 . 2009-05-22 13:44 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 12:31 . 2008-06-15 02:40 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-12 12:31 . 2009-06-12 12:33 826624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-05 01:23 . 2007-11-30 04:28 -------- d-----w- c:\program files\iTunes
2009-06-05 01:22 . 2007-11-30 04:23 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 01:19 . 2007-11-30 04:25 -------- d-----w- c:\program files\QuickTime
2009-05-29 19:57 . 2004-08-10 15:43 3888 -c--a-w- c:\windows\viassary-hp.reg
2009-05-29 17:36 . 2008-08-01 01:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-26 12:20 . 2007-11-29 15:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-24 19:58 . 2004-08-10 15:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 18:29 . 2009-05-16 21:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-17 18:17 . 2008-09-30 00:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-05-17 15:13 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR
2009-05-17 12:53 . 2009-06-12 12:33 325896 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-05-17 12:53 . 2008-06-15 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-17 12:53 . 2008-02-28 01:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-17 12:53 . 2008-06-15 02:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-17 12:53 . 2009-06-12 12:33 487704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-05-17 12:52 . 2009-06-12 12:33 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-17 12:52 . 2009-06-12 12:33 3401496 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-17 12:52 . 2009-06-12 12:33 1947928 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-05-17 12:52 . 2009-06-12 12:33 1217816 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
2009-05-17 12:52 . 2009-06-12 12:33 1205528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-05-17 12:52 . 2009-06-12 12:33 681752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmx.dll
2009-05-17 12:52 . 2009-06-12 12:33 1262880 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-05-17 12:52 . 2009-06-12 12:33 761112 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.exe
2009-05-17 12:52 . 2009-06-12 12:33 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmax.exe
2009-05-17 12:52 . 2009-06-12 12:33 830232 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-05-16 17:37 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-13 05:15 . 2007-11-28 17:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2007-11-28 16:59 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2007-11-28 17:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2007-11-28 17:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 22:22 . 2007-11-29 15:23 34656 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-11-28 12:17 . 2007-11-28 17:30 0 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-10 14:57 . 2003-02-12 03:02 61440 c:\hp\KBD\bak\KBD.EXE

2007-10-11 00:51 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2007-11-30 02:22 . 2007-12-22 16:46 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-05-30 16:30 . 2009-05-30 16:30 292136 c:\program files\iTunes\iTunesHelper.exe

2004-08-10 14:09 . 2004-08-10 14:09 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe

2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE

2004-08-10 14:24 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe

2007-11-28 16:58 . 2004-08-03 19:00 15360 c:\windows\system32\bak\ctfmon.exe
2007-11-28 16:58 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2004-08-10 14:57 . 2003-09-13 03:13 98304 c:\windows\system32\bak\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 17:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-29 518488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-5-22 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-8-31 229376]
SpySubtract.lnk - c:\program files\interMute\SpySubtract\SpySub.exe [2009-5-17 1183744]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\interMute\SpySubtract\sshook.dll" [2009-05-17 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 9:21 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2008 10:40 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2008 10:40 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 10:03 AM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 10:03 AM 298776]
R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [1/2/2009 3:34 PM 98432]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\Ad-Aware Scan (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21]

2009-06-15 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21]

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 18:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\JETDB28.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(720)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CF1345.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-15 18:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-15 22:27

Pre-Run: 15,663,968,256 bytes free
Post-Run: 16,074,891,264 bytes free

250 --- E O F --- 2009-06-10 07:08

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-16 17:43:17
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF7DC887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7DC8BFE]

Code \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

#12 syler

Forum Addict

Group: Malware Response Team
Posts: 8,150
Joined: 07-November 07
Gender:Male
Location:Warrington, UK

Posted 17 June 2009 - 07:24 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\bak
c:\windows\system32\bak
c:\windows\system\bak
c:\windows\SMINST\bak
c:\program files\QuickTime\bak
c:\program files\Java\j2re1.4.2_03\bin\bak
c:\program files\iTunes\bak
c:\program files\Grisoft\AVG7\bak
c:\program files\Adobe\Reader 8.0\Reader\bak
c:\hp\KBD\bak

Rootkit::
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\JETDB28.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks

If I have helped you, and you would like to make a donation to me, click here

#13 hcbarber

New Member

Group: Members
Posts: 12
Joined: 02-June 09

Posted 17 June 2009 - 08:12 PM

I hope that I am posting this correctly. I followed the procedures and I am pasting the log file that was created.

ComboFix 09-06-17.02 - Compaq_Owner 06/17/2009 20:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.422 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FILE ::
"c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll"
"c:\hp\KBD\bak"
"c:\program files\Adobe\Reader 8.0\Reader\bak"
"c:\program files\Grisoft\AVG7\bak"
"c:\program files\iTunes\bak"
"c:\program files\Java\j2re1.4.2_03\bin\bak"
"c:\program files\QuickTime\bak"
"c:\windows\SMINST\bak"
"c:\windows\system\bak"
"c:\windows\system32\bak"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-15 22:32 . 2009-06-15 22:32 0 ----a-w- c:\documents and settings\Compaq_Owner\settings.dat
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-06-12 14:27 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-12 14:27 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 13:41 . 2009-06-02 17:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:33 . 2009-06-12 12:31 826624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-12 12:32 . 2009-06-12 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 12:32 . 2009-06-12 12:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-10 07:16 . 2009-06-10 07:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InterMute
2009-06-10 05:44 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 05:44 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-05 01:23 . 2009-06-05 01:23 -------- d-----w- c:\program files\iPod
2009-06-05 01:22 . 2009-06-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 01:17 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 01:13 . 2009-06-05 01:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 21:33 . 2009-06-04 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-02 18:26 . 2009-06-02 18:26 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
2009-06-02 18:25 . 2009-06-02 18:25 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
2009-06-02 18:22 . 2009-06-02 18:22 -------- d-----w- c:\windows\ie8updates
2009-06-02 18:22 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-02 18:19 . 2009-06-02 18:21 -------- dc-h--w- c:\windows\ie8
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Diskeeper Corporation
2009-05-29 19:59 . 2009-05-29 19:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-28 01:34 . 2009-05-28 01:34 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-28 01:34 . 2009-05-28 01:34 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-28 01:34 . 2009-05-28 01:34 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-28 01:34 . 2009-05-28 01:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-26 02:17 . 2009-05-28 01:34 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-26 01:20 . 2009-05-26 01:20 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-26 01:08 . 2009-05-29 20:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-26 01:08 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-26 01:08 . 2009-05-26 01:08 -------- d-----w- c:\program files\Lavasoft
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-05-24 17:07 . 2009-05-24 19:33 2102048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-24 16:43 . 2009-05-24 16:43 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations
2009-05-22 13:48 . 2009-05-22 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-22 13:43 . 2009-05-22 13:42 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-22 13:41 . 2009-05-22 13:41 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 12:31 . 2008-06-15 02:40 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-05 01:23 . 2007-11-30 04:28 -------- d-----w- c:\program files\iTunes
2009-06-05 01:22 . 2007-11-30 04:23 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 01:19 . 2007-11-30 04:25 -------- d-----w- c:\program files\QuickTime
2009-05-29 19:57 . 2004-08-10 15:43 3888 -c--a-w- c:\windows\viassary-hp.reg
2009-05-29 17:36 . 2008-08-01 01:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-26 12:20 . 2007-11-29 15:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-24 19:58 . 2004-08-10 15:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 18:33 . 2009-05-18 14:14 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-05-22 18:29 . 2009-05-16 21:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-22 13:44 . 2009-05-17 22:15 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Lavasoft
2009-05-18 16:34 . 2009-05-18 16:34 34656 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-05-18 15:12 . 2009-05-18 15:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Motive
2009-05-17 22:53 . 2009-05-17 22:53 -------- d-----w- c:\program files\interMute
2009-05-17 18:17 . 2008-09-30 00:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-05-17 15:13 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR
2009-05-17 12:53 . 2008-06-15 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-17 12:53 . 2008-02-28 01:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-17 12:53 . 2008-06-15 02:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-16 17:37 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-13 05:15 . 2007-11-28 17:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2007-11-28 16:59 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2007-11-28 17:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2007-11-28 17:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-11-28 12:17 . 2007-11-28 17:30 0 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( SnapShot@2009-06-15_22.22.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-18 00:44 . 2009-06-18 00:44 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat
- 2009-06-15 22:21 . 2009-06-15 22:21 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-10 14:57 . 2003-02-12 03:02 61440 c:\hp\KBD\bak\KBD.EXE

2007-10-11 00:51 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2007-11-30 02:22 . 2007-12-22 16:46 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-05-30 16:30 . 2009-05-30 16:30 292136 c:\program files\iTunes\iTunesHelper.exe

2004-08-10 14:09 . 2004-08-10 14:09 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe

2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE

2004-08-10 14:24 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe

2007-11-28 16:58 . 2004-08-03 19:00 15360 c:\windows\system32\bak\ctfmon.exe
2007-11-28 16:58 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2004-08-10 14:57 . 2003-09-13 03:13 98304 c:\windows\system32\bak\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 17:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-29 518488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-5-22 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-8-31 229376]
SpySubtract.lnk - c:\program files\interMute\SpySubtract\SpySub.exe [2009-5-17 1183744]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\interMute\SpySubtract\sshook.dll" [2009-05-17 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 9:21 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2008 10:40 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2008 10:40 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 10:03 AM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 10:03 AM 298776]
R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [1/2/2009 3:34 PM 98432]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\Ad-Aware Scan (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21]

2009-06-17 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21]

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 20:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-18 20:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 00:54
ComboFix2.txt 2009-06-15 22:27

Pre-Run: 16,055,783,424 bytes free
Post-Run: 16,036,634,624 bytes free

235 --- E O F --- 2009-06-10 07:08

#14 syler

Forum Addict

Group: Malware Response Team
Posts: 8,150
Joined: 07-November 07
Gender:Male
Location:Warrington, UK

Posted 17 June 2009 - 08:28 PM

Yes, you posted that correctly :thumbup2:

Folder::
c:\windows\system32\bak
c:\windows\system\bak
c:\windows\SMINST\bak
c:\program files\QuickTime\bak
c:\program files\Java\j2re1.4.2_03\bin\bak
c:\program files\iTunes\bak
c:\program files\Grisoft\AVG7\bak
c:\program files\Adobe\Reader 8.0\Reader\bak
c:\hp\KBD\bak

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

Then please post back here with the following:

Combofix.txt
Kaspersky report

This post has been edited by syler: 17 June 2009 - 08:28 PM

If I have helped you, and you would like to make a donation to me, click here

#15 hcbarber

New Member

Group: Members
Posts: 12
Joined: 02-June 09

Posted 18 June 2009 - 04:26 PM

I ran the combofix again and I will post the log. I also ran the kaspersky online scanner and the scan report said that no malware had been detected. However, adaware continues to pop up and say that a virus was detected. I disabled adaware, so I am not sure why that happens when the computer reboots. Thank you for your help.

ComboFix 09-06-17.02 - Compaq_Owner 06/17/2009 20:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.422 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FILE ::
"c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll"
"c:\hp\KBD\bak"
"c:\program files\Adobe\Reader 8.0\Reader\bak"
"c:\program files\Grisoft\AVG7\bak"
"c:\program files\iTunes\bak"
"c:\program files\Java\j2re1.4.2_03\bin\bak"
"c:\program files\QuickTime\bak"
"c:\windows\SMINST\bak"
"c:\windows\system\bak"
"c:\windows\system32\bak"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-15 22:32 . 2009-06-15 22:32 0 ----a-w- c:\documents and settings\Compaq_Owner\settings.dat
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-06-12 14:27 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-12 14:27 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 13:41 . 2009-06-02 17:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:33 . 2009-06-12 12:31 826624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-12 12:32 . 2009-06-12 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 12:32 . 2009-06-12 12:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-10 07:16 . 2009-06-10 07:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InterMute
2009-06-10 05:44 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 05:44 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-05 01:23 . 2009-06-05 01:23 -------- d-----w- c:\program files\iPod
2009-06-05 01:22 . 2009-06-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 01:17 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 01:13 . 2009-06-05 01:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 21:33 . 2009-06-04 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-02 18:26 . 2009-06-02 18:26 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
2009-06-02 18:25 . 2009-06-02 18:25 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
2009-06-02 18:22 . 2009-06-02 18:22 -------- d-----w- c:\windows\ie8updates
2009-06-02 18:22 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-02 18:19 . 2009-06-02 18:21 -------- dc-h--w- c:\windows\ie8
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Diskeeper Corporation
2009-05-29 19:59 . 2009-05-29 19:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-28 01:34 . 2009-05-28 01:34 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-28 01:34 . 2009-05-28 01:34 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-28 01:34 . 2009-05-28 01:34 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-28 01:34 . 2009-05-28 01:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-26 02:17 . 2009-05-28 01:34 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-26 01:20 . 2009-05-26 01:20 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-26 01:08 . 2009-05-29 20:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-26 01:08 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-26 01:08 . 2009-05-26 01:08 -------- d-----w- c:\program files\Lavasoft
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-05-24 17:07 . 2009-05-24 19:33 2102048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-24 16:43 . 2009-05-24 16:43 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations
2009-05-22 13:48 . 2009-05-22 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-22 13:43 . 2009-05-22 13:42 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-22 13:41 . 2009-05-22 13:41 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 12:31 . 2008-06-15 02:40 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-05 01:23 . 2007-11-30 04:28 -------- d-----w- c:\program files\iTunes
2009-06-05 01:22 . 2007-11-30 04:23 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 01:19 . 2007-11-30 04:25 -------- d-----w- c:\program files\QuickTime
2009-05-29 19:57 . 2004-08-10 15:43 3888 -c--a-w- c:\windows\viassary-hp.reg
2009-05-29 17:36 . 2008-08-01 01:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-26 12:20 . 2007-11-29 15:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-24 19:58 . 2004-08-10 15:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 18:33 . 2009-05-18 14:14 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-05-22 18:29 . 2009-05-16 21:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-22 13:44 . 2009-05-17 22:15 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Lavasoft
2009-05-18 16:34 . 2009-05-18 16:34 34656 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-05-18 15:12 . 2009-05-18 15:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Motive
2009-05-17 22:53 . 2009-05-17 22:53 -------- d-----w- c:\program files\interMute
2009-05-17 18:17 . 2008-09-30 00:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-05-17 15:13 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR
2009-05-17 12:53 . 2008-06-15 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-17 12:53 . 2008-02-28 01:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-17 12:53 . 2008-06-15 02:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-16 17:37 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-13 05:15 . 2007-11-28 17:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2007-11-28 16:59 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2007-11-28 17:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2007-11-28 17:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-11-28 12:17 . 2007-11-28 17:30 0 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( SnapShot@2009-06-15_22.22.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-18 00:44 . 2009-06-18 00:44 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat
- 2009-06-15 22:21 . 2009-06-15 22:21 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-10 14:57 . 2003-02-12 03:02 61440 c:\hp\KBD\bak\KBD.EXE

2007-10-11 00:51 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2007-11-30 02:22 . 2007-12-22 16:46 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-05-30 16:30 . 2009-05-30 16:30 292136 c:\program files\iTunes\iTunesHelper.exe

2004-08-10 14:09 . 2004-08-10 14:09 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe

2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE

2004-08-10 14:24 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe

2007-11-28 16:58 . 2004-08-03 19:00 15360 c:\windows\system32\bak\ctfmon.exe
2007-11-28 16:58 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2004-08-10 14:57 . 2003-09-13 03:13 98304 c:\windows\system32\bak\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 17:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-29 518488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-5-22 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-8-31 229376]
SpySubtract.lnk - c:\program files\interMute\SpySubtract\SpySub.exe [2009-5-17 1183744]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\interMute\SpySubtract\sshook.dll" [2009-05-17 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 9:21 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2008 10:40 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2008 10:40 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 10:03 AM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 10:03 AM 298776]
R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [1/2/2009 3:34 PM 98432]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\Ad-Aware Scan (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21]

2009-06-17 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21]

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 20:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-18 20:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 00:54
ComboFix2.txt 2009-06-15 22:27

Pre-Run: 16,055,783,424 bytes free
Post-Run: 16,036,634,624 bytes free

235 --- E O F --- 2009-06-10 07:08