Hi Net Surfer,
FYI I looked for WeatherBug Installer in Add/Remove Programs plus a Windows search, but couldn't locate it. I think it may already be uninstalled. I know that program can be a pain from past experience.
I also reconnected the External drive before scanning.
I followed all the steps in order. For some reason I had issues getting the Kaspersky online scan to work the first few times. I resolved it by running it from IE instead of Firefox.
Here are the logs you requested:
ComboFix 09-06-01.03 - Administrator 06/04/2009 11:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1544 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FILE ::
"c:\windows\system32\drivers\fwnjmxi.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ADPGHA
-------\Service_adpgha
((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.
2009-06-03 15:16 . 2009-06-03 15:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-06-02 19:20 . 2009-06-02 19:20 -------- d-----w- C:\rsit
2009-06-02 00:36 . 2009-06-02 00:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PunkBuster
2009-06-01 15:17 . 2009-06-01 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2009-06-01 15:17 . 2009-06-01 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-05-30 02:52 . 2009-05-30 02:52 -------- d-----w- c:\program files\Trend Micro
2009-05-30 00:23 . 2009-03-02 15:24 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2009-05-29 14:43 . 2009-06-01 22:53 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-28 19:34 . 2009-05-28 19:34 -------- d-----w- c:\documents and settings\Tammy\Application Data\Malwarebytes
2009-05-28 18:58 . 2009-05-28 18:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-28 18:40 . 2009-05-28 18:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-05-28 18:37 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 18:37 . 2009-05-28 18:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 18:37 . 2009-05-28 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-28 18:37 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-28 14:59 . 2009-05-28 14:59 -------- d-----w- c:\program files\MSSOAP
2009-05-28 14:58 . 2009-05-28 14:58 164 ----a-w- c:\windows\install.dat
2009-05-28 14:40 . 2009-05-28 14:40 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-28 14:39 . 2009-05-28 14:40 -------- d-----w- c:\documents and settings\Tammy\.housecall6.6
2009-05-23 17:16 . 2009-05-23 17:16 -------- d-----w- c:\documents and settings\Tammy\Application Data\Ahead
2009-05-23 17:15 . 2009-05-28 13:16 -------- d-----w- c:\documents and settings\Tammy\Local Settings\Application Data\Ahead
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-05-19 13:56 . 2009-05-07 21:31 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-19 13:56 . 2009-05-07 21:31 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-19 13:56 . 2009-05-07 21:31 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-19 13:56 . 2009-05-07 21:31 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-19 13:56 . 2009-05-07 21:31 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-19 13:56 . 2009-05-07 21:31 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-19 13:56 . 2009-05-07 21:31 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-19 13:55 . 2009-05-07 16:36 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-19 13:55 . 2009-05-07 16:36 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-18 01:10 . 2009-05-18 01:10 -------- d-----w- c:\documents and settings\Joey\Local Settings\Application Data\Ahead
2009-05-18 01:08 . 2009-05-18 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-05-18 01:07 . 2009-05-18 01:08 -------- d-----w- c:\program files\Common Files\Ahead
2009-05-18 01:07 . 2009-05-18 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-05-17 13:55 . 2009-05-07 21:31 3399960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-17 13:55 . 2009-05-07 21:31 2302232 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-10 16:50 . 2009-05-10 16:59 107832 ----a-w- c:\documents and settings\Tammy\Application Data\PnkBstrB.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 15:10 . 2006-10-22 04:05 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-04 14:28 . 2006-10-22 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-03 19:56 . 2007-06-01 17:03 -------- d-----w- c:\documents and settings\Joey\Application Data\Xfire
2009-06-03 19:49 . 2009-01-12 18:04 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-03 19:49 . 2007-08-26 14:31 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-03 19:46 . 2007-11-07 18:01 169936 ----a-w- c:\documents and settings\Joey\Application Data\Mozilla\Firefox\Profiles\vzayxgni.default\FlashGot.exe
2009-06-03 15:16 . 2007-09-28 16:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2009-06-03 15:16 . 2007-01-15 22:44 -------- d-s---w- c:\program files\Xfire
2009-06-03 03:01 . 2007-11-18 23:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-03 03:01 . 2006-10-22 04:18 -------- d-----w- c:\program files\Lavasoft
2009-05-30 01:15 . 2008-07-23 17:22 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\prvlcl.dat
2009-05-30 01:05 . 2007-07-02 00:17 -------- d-----w- c:\program files\Pidgin
2009-05-29 14:06 . 2006-10-22 04:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-28 17:19 . 2009-05-28 17:19 60616 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_05_28_13_12_47_small.dmp.zip
2009-05-27 02:08 . 2008-03-15 22:47 -------- d-----w- c:\documents and settings\Tammy\Application Data\Move Networks
2009-05-27 02:00 . 2008-01-28 17:49 17849522 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-26 21:23 . 2006-10-22 04:17 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-26 21:00 . 2007-06-25 22:53 -------- d-----w- c:\documents and settings\Tammy\Application Data\Xfire
2009-05-19 13:06 . 2006-12-31 03:46 -------- d-----w- c:\documents and settings\Joey\Application Data\uTorrent
2009-05-18 15:02 . 2007-02-20 00:10 -------- d-----w- c:\documents and settings\Joey\Application Data\Ahead
2009-05-18 00:34 . 2009-01-02 01:56 -------- d-----w- c:\documents and settings\Joey\Application Data\Vso
2009-05-14 15:20 . 2009-05-14 15:21 542720 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-05-10 17:01 . 2008-07-01 17:00 22328 ----a-w- c:\documents and settings\Tammy\Application Data\PnkBstrK.sys
2009-05-10 17:01 . 2008-07-01 17:00 22328 ----a-w- c:\documents and settings\Tammy\Application Data\PnkBstrK.sys
2009-05-07 21:31 . 2008-06-17 17:05 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 21:31 . 2008-06-17 17:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 21:31 . 2007-10-31 22:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-07 21:31 . 2008-06-17 17:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-03 14:03 . 2009-05-03 14:05 637440 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-05-03 14:03 . 2009-05-03 14:05 2433536 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-04-30 01:07 . 2009-04-30 01:56 2433024 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-04-25 13:39 . 2009-04-25 13:39 -------- d-----w- c:\documents and settings\Tammy\Application Data\WeatherBug
2009-04-20 18:41 . 2009-04-20 21:22 2643968 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-04-20 18:41 . 2009-04-20 21:22 2401280 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-04-17 12:01 . 2008-06-17 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-04-06 01:30 . 2009-04-06 01:29 -------- d-----w- c:\program files\MagicISO
2009-04-06 01:23 . 2009-04-06 01:23 -------- d-----w- c:\program files\MagicDisc
2009-04-06 01:11 . 2007-03-03 01:58 -------- d-----w- c:\program files\dvdSanta
2009-04-02 19:15 . 2008-08-15 02:10 34 ----a-w- c:\documents and settings\Guest\jagex_runescape_preferences.dat
2009-03-09 15:34 . 2009-03-30 23:26 971776 ----a-w- c:\documents and settings\Tammy\Application Data\Mozilla\Firefox\Profiles\4j9kjw4y.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.
------- Sigcheck -------
[-] 2006-10-17 15:55 1580544 6E266AAF4168B3569A330C61AB01F6B4 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-03_14.08.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 15:06 . 2009-06-04 15:06 16384 c:\windows\temp\Perflib_Perfdata_6c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-17 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-08 23552]
c:\documents and settings\Joey\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-5 576000]
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-5-4 2913840]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-5-4 2913840]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-4-5 221247]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-07 21:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PlexTools Professional.lnk.disabled
backup=c:\windows\pss\PlexTools Professional.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Joey^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Joey\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Tammy^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\Tammy\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Tammy^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Tammy\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"RemoteControl"=c:\program files\Roxio\Roxio DVDMax Player\PDVDServ.exe
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
"Start WingMan Profiler"=c:\program files\Logitech\Gaming Software\LWEMon.exe /noui
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe"
"LXBRKsk"=c:\progra~1\LEXMAR~1\LXBRKsk.exe
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" /logon
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\World of Padman\\wop.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2008 1:05 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/17/2008 1:05 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 1:05 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 1:05 PM 298776]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 2:21 AM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 2:21 AM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 2:21 AM 72728]
S2 gupdate1c9898942ef6a62;Google Update Service (gupdate1c9898942ef6a62);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2009 9:04 PM 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [8/17/2001 1:11 PM 20160]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [12/25/2008 3:06 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 2:21 AM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 2:21 AM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 2:21 AM 72728]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [5/29/2009 8:23 PM 30136]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\Ufasoft\Sniffer\usft_sn4.sys --> c:\program files\Ufasoft\Sniffer\usft_sn4.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-06-04 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 01:04]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l5kskhmr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 11:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\CTxfispi.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-06-04 11:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 15:14
ComboFix2.txt 2009-06-03 14:11
Pre-Run: 77,028,655,104 bytes free
Post-Run: 76,924,084,224 bytes free
283 --- E O F --- 2009-05-18 15:16
-----------------------------------------------------------------
DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 8:09:27.37 on Fri 06/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1254 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
mStart Page = hxxp://www.yahoo.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\l5kskhmr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-31 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-17 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-10-31 353672]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S2 gupdate1c9898942ef6a62;Google Update Service (gupdate1c9898942ef6a62);c:\program files\google\update\GoogleUpdate.exe [2009-2-7 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2001-8-17 20160]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-12-25 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-5-29 30136]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\ufasoft\sniffer\usft_sn4.sys --> c:\program files\ufasoft\sniffer\usft_sn4.sys [?]
=============== Created Last 30 ================
2009-06-04 11:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-04 11:29 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-04 11:00 <DIR> --ds---- C:\ComboFix
2009-06-03 09:32 <DIR> a-dshr-- C:\cmdcons
2009-06-02 23:16 161,792 a------- c:\windows\SWREG.exe
2009-06-02 23:16 154,624 a------- c:\windows\PEV.exe
2009-06-02 23:16 98,816 a------- c:\windows\sed.exe
2009-05-29 22:52 <DIR> --d----- c:\program files\Trend Micro
2009-05-29 20:23 30,136 a------- c:\windows\system32\drivers\rspSanity32.sys
2009-05-29 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-29 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-29 10:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-05-28 14:58 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-05-28 14:37 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 14:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-28 14:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-28 10:59 <DIR> --d----- c:\program files\MSSOAP
2009-05-28 10:58 164 a------- c:\windows\install.dat
2009-05-28 10:40 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-21 18:51 41,808 a------- c:\windows\system32\xfcodec.dll
2009-05-17 21:13 69 a------- c:\windows\NeroDigital.ini
2009-05-17 21:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
==================== Find3M ====================
2009-06-05 08:04 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-03 15:49 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-03 15:49 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-05-07 17:31 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 17:31 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 17:31 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
============= FINISH: 8:09:54.62 ===============
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, June 5, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, June 04, 2009 18:20:49
Records in database: 2306762
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics:
Files scanned: 132406
Threat name: 12
Infected objects: 24
Suspicious objects: 17
Duration of the scan: 08:44:03
File name / Threat name / Threats count
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 7
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.re 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ra 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ri 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.rz 1
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACkpurwlwjqsjkfnu.sys.vir Infected: Rootkit.Win32.Agent.lae 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACmuwqpucfqxexnkf.sys.vir Infected: Rootkit.Win32.Agent.lae 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgvqvqemxuiajkia.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjpyputabtxevhop.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmchutyqjbdfcekx.dll.vir Infected: Trojan.Win32.TDSS.aegg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuulusipvebdmsxw.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvakdnkfgotacnky.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvxoascnutmtnftu.dll.vir Infected: Trojan.Win32.TDSS.adzw 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000001.sys Infected: Rootkit.Win32.Agent.lae 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000002.sys Infected: Rootkit.Win32.Agent.lae 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000003.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000004.dll Infected: Trojan.Win32.TDSS.adzw 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000005.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000006.dll Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000007.dll Infected: Trojan.Win32.TDSS.aegg 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000056.dll Infected: Packed.Win32.Tdss.m 1
F:\Pedro stuff\Wireless Security\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
The selected area was scanned.
Thanks for all your help!