So I followed the steps above, but when it rebooted an error appeared stating that it could not find the cleanup.exe file. I tried the steps a few more times with the same result, so it doesn't seem like Avenger did its thing; any thoughts? I did run ComboFix anyway just in case, and here is the output from that:
ComboFix 09-11-15.01 - mcunning 11/16/2009 8:08.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3455.2579 [GMT -8:00]
Running from: c:\documents and settings\mcunning\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://SEAMS275.starbucks.net:80
.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.
2009-11-16 15:05 . 2009-11-16 15:22 574 ----a-w- C:\cleanup.bat
2009-11-16 15:05 . 2009-11-16 15:22 135168 ----a-w- C:\zip.exe
2009-11-16 15:05 . 2009-11-16 15:05 19286 ----a-w- C:\cleanup.exe.vir
2009-11-13 05:48 . 2009-11-13 05:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-11 22:37 . 2009-11-11 22:37 -------- d-----w- c:\program files\Trend Micro
2009-11-11 18:00 . 2009-11-11 18:00 117760 ------w- c:\documents and settings\mcunning\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-11 17:59 . 2009-11-11 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-11 17:57 . 2009-11-12 21:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-11 17:57 . 2009-11-11 17:57 -------- d-----w- c:\documents and settings\mcunning\Application Data\SUPERAntiSpyware.com
2009-11-11 17:39 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-11 17:35 . 2009-11-11 17:35 -------- d-----w- c:\program files\Windows Defender
2009-11-11 03:55 . 2009-11-11 03:55 -------- d-----w- c:\documents and settings\mcunning\Application Data\Malwarebytes
2009-11-11 03:55 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-11 03:55 . 2009-11-11 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-11 03:55 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-11 03:55 . 2009-11-11 03:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 19:56 . 2009-11-07 19:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-04 00:52 . 2009-11-04 00:52 152576 ------w- c:\documents and settings\mcunning\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-26 04:02 . 2009-10-26 04:02 126970 ------w- c:\documents and settings\mcunning\Application Data\Move Networks\uninstall.exe
2009-10-25 04:13 . 2009-10-25 04:13 185232 ------w- c:\documents and settings\mcunning\Application Data\Mozilla\plugins\atgpcext.dll
2009-10-25 04:13 . 2009-10-25 04:13 28488 ------w- c:\documents and settings\mcunning\Application Data\Mozilla\plugins\atgpcdec.dll
2009-10-25 04:13 . 2009-10-25 04:13 61840 ------w- c:\documents and settings\mcunning\Application Data\Mozilla\plugins\npatgpc.dll
2009-10-25 03:56 . 2009-09-25 16:42 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-10-25 03:56 . 2009-09-25 16:42 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-10-25 03:55 . 2009-10-25 03:55 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-19 17:40 . 2008-12-02 21:22 1507328 ----a-w- c:\windows\system32\editplus.exe
2009-10-18 02:24 . 2009-10-18 02:24 45 ------w- c:\documents and settings\mcunning\jagex_runescape_preferences2.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 21:59 . 2009-01-02 21:01 -------- d-----w- c:\documents and settings\mcunning\Application Data\EditPlus 3
2009-11-11 17:57 . 2008-02-21 22:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:23 . 2007-09-06 16:58 -------- d-----w- c:\program files\Java
2009-11-11 15:11 . 2009-01-02 21:01 -------- d-----w- c:\program files\EditPlus 3
2009-10-28 14:21 . 2009-03-27 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-27 14:24 . 2009-09-21 23:51 -------- d-----w- c:\documents and settings\mcunning\Application Data\Azureus
2009-10-26 17:51 . 2009-07-04 20:39 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-26 05:28 . 2009-01-28 02:05 -------- d-----w- c:\documents and settings\mcunning\Application Data\Move Networks
2009-10-26 04:02 . 2009-08-03 21:48 4187512 ------w- c:\documents and settings\mcunning\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-25 06:47 . 2008-08-29 16:23 -------- d-----w- c:\documents and settings\mcunning\Application Data\webex
2009-10-25 03:56 . 2007-09-26 19:40 -------- d-----w- c:\program files\DivX
2009-10-22 19:20 . 2009-09-21 23:50 -------- d-----w- c:\program files\Vuze
2009-10-20 22:12 . 2008-03-07 20:06 3140 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-18 03:04 . 2008-07-02 00:22 38 ------w- c:\documents and settings\mcunning\jagex_runescape_preferences.dat
2009-10-15 19:46 . 2009-10-15 19:46 593920 ------w- c:\documents and settings\mcunning\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910150-0-main.dll
2009-10-15 19:46 . 2009-10-15 19:46 319488 ------w- c:\documents and settings\mcunning\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-10-11 12:17 . 2009-01-12 22:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 14:31 . 2008-04-02 19:38 73728 -c----w- c:\documents and settings\mcunning\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x0\specialhook.dll
2009-10-09 14:31 . 2008-04-02 19:38 158720 -c----w- c:\documents and settings\mcunning\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x0\audiofunc.dll
2009-10-05 17:21 . 2009-10-05 17:09 -------- d-----w- c:\program files\SelfTest
2009-10-05 14:39 . 2009-10-05 14:39 -------- d-----w- c:\program files\Microsoft
2009-09-25 16:42 . 2008-04-11 18:03 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-24 21:32 . 2009-09-24 21:32 -------- d-----w- c:\program files\DNSControl
2009-09-24 21:32 . 2009-09-24 21:32 249856 ------w- c:\windows\Setup1.exe
2009-09-24 21:31 . 2009-09-24 21:31 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-24 18:07 . 2008-04-21 21:36 70984 ------w- c:\documents and settings\mcunning\g2mdlhlpx.exe
2009-09-22 15:44 . 2009-09-22 15:44 10686001 ------w- c:\documents and settings\mcunning\Application Data\Azureus\plugins\azump\mplayer.exe
2009-09-21 23:51 . 2009-09-21 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-09-04 21:03 . 2003-07-02 17:45 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2005-06-18 06:49 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-07-02 17:48 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 08:30 . 2009-10-09 23:28 13312 ------w- c:\documents and settings\mcunning\Application Data\Mozilla\Firefox\Profiles\80kzjh32.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
2009-01-23 22:19 . 2008-09-26 16:18 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-01-23 22:19 . 2008-09-26 16:18 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-11-05 18:06 . 2008-11-05 18:07 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-09-26 16:18 . 2008-09-26 16:19 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-10-08 19:52 . 2007-10-08 18:19 80 --sh--r- c:\windows\system32\504148E495.dll
2008-04-10 00:38 . 2008-03-07 20:06 88 --sh--r- c:\windows\system32\88E913FFE9.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-11-15_03.26.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-16 15:26 . 2009-11-16 15:26 16384 c:\windows\Temp\Perflib_Perfdata_53c.dat
+ 2009-11-16 15:25 . 2009-11-16 15:25 16384 c:\windows\Temp\Perflib_Perfdata_22c.dat
- 2003-07-14 19:43 . 2009-11-15 03:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-07-14 19:43 . 2009-11-16 15:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-07-14 19:43 . 2009-11-16 15:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-07-14 19:43 . 2009-11-15 03:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-07 19:56 . 2009-11-16 15:15 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-07 19:56 . 2009-11-15 03:05 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2003-07-14 19:43 . 2009-11-16 15:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-07-14 19:43 . 2009-11-15 03:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-12-11 01:34 311352 ----a-w- c:\windows\system32\PGPfsshl.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"\\mcunning-ES\EPSON Stylus Photo R380 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" [2006-05-29 139264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-27 7561216]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-30 88203]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-07-04 16250880]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-10-12 439568]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-27 581693]
PGPtray.exe.lnk - c:\windows\Installer\{53EED491-9B3D-4A00-A64D-55C03B7F9DD3}\Icon6560581611.exe [2009-4-28 55296]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 23:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-706763690-313548223-9522986-160079\Scripts\Logon\0\0]
"Script"=\\starbucks.net\SysVol\starbucks.net\scripts\ScreenSaverCheck3.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-706763690-313548223-9522986-160079\Scripts\Logon\1\0]
"Script"=\\starbucks.net\sysvol\starbucks.net\scripts\TNSFileCopy.vbs
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firewall Client Connectivity Monitor.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firewall Client Connectivity Monitor.LNK
backup=c:\windows\pss\Firewall Client Connectivity Monitor.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"freeFTPdService"=2 (0x2)
"iPod Service"=3 (0x3)
"FileZilla Server"=2 (0x2)
"AspectUniphiAdapterSvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\communicatork9.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\AudioTuningWizard.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\TFTPServer\\TFTPServerSP.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [12/10/2008 5:34 PM 134712]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [1/18/2005 2:16 PM 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [3/6/2009 11:34 AM 35691]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [7/26/2006 7:12 PM 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/26/2006 11:53 AM 36352]
S2 TFTPServer;TFTP Single Port Server;c:\program files\TFTPServer\TFTPServerSP.exe [1/29/2009 9:43 AM 214363]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 12:22 PM 34064]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S4 AspectUniphiAdapterSvc;Aspect Uniphi Connect Adapter Service;c:\program files\Aspect Software\Uniphi Connect\UniphiAdapterSvc.exe [3/14/2006 10:14 PM 20480]
S4 freeFTPdService;freeFTPdService;c:\program files\freeFTPd\FreeFTPDService.exe [9/25/2008 2:42 PM 1028096]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wmactedp.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-11-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=proxy.starbucks.net:8080;https=proxy.starbucks.net:8080;ftp=proxy.starbucks.net:8080;gopher=proxy.starbucks.net:8080;socks=proxy.starbucks.net:8080
uInternet Settings,ProxyOverride = 10.*;*.starbucks.net;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: 164.57.158.15
Trusted Zone: 170.14.179.78/callcenter_enu
Trusted Zone: atg.com
Trusted Zone: authoria.com
Trusted Zone: authoria.com/AIMNetEdition
Trusted Zone: authoria.com/AIMNetEdition/Start.asp
Trusted Zone: componentone.com
Trusted Zone: envisioninc.com
Trusted Zone: jpmorgan.com\sdol
Trusted Zone: jpmorgan.com\sdolstage
Trusted Zone: jpmorganchase.com\sdol
Trusted Zone: mastercard.com\sdol
Trusted Zone: mastercard.com\sdolstage
Trusted Zone: onyx.com
Trusted Zone: proworks.com
Trusted Zone: ria.thomson.com
Trusted Zone: sbux.com
Trusted Zone: sdol.jpmorgan.com
Trusted Zone: sdol.jpmorganchase.com
Trusted Zone: sdol.mastercard.com
Trusted Zone: sdolstage.jpmorgan.com
Trusted Zone: sdolstage.mastercard.com
Trusted Zone: starbucks.net
Trusted Zone: 164.57.158.15
Trusted Zone: 170.14.179.78/callcenter_enu
Trusted Zone: atg.com
Trusted Zone: authoria.com
Trusted Zone: authoria.com/AIMNetEdition
Trusted Zone: authoria.com/AIMNetEdition/Start.asp
Trusted Zone: componentone.com
Trusted Zone: envisioninc.com
Trusted Zone: jpmorgan.com\sdol
Trusted Zone: jpmorgan.com\sdolstage
Trusted Zone: jpmorganchase.com\sdol
Trusted Zone: mastercard.com\sdol
Trusted Zone: mastercard.com\sdolstage
Trusted Zone: onyx.com
Trusted Zone: proworks.com
Trusted Zone: ria.thomson.com
Trusted Zone: sbux.com
Trusted Zone: sdol.jpmorgan.com
Trusted Zone: sdol.jpmorganchase.com
Trusted Zone: sdol.mastercard.com
Trusted Zone: sdolstage.jpmorgan.com
Trusted Zone: sdolstage.mastercard.com
Trusted Zone: starbucks.net
TCP: {6E4B2076-F098-451A-8B18-39C4BDFCEC89} = 10.1.9.25
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: iLO 2 Remote Console Applet - hxxps://10.4.120.241/dvc.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase75/OrgPubX.cab
FF - ProfilePath - c:\documents and settings\mcunning\Application Data\Mozilla\Firefox\Profiles\80kzjh32.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\mcunning\Application Data\Mozilla\Firefox\Profiles\80kzjh32.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\mcunning\Application Data\Mozilla\Firefox\Profiles\80kzjh32.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\mcunning\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\mcunning\Application Data\Mozilla\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-16 08:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1588)
c:\windows\system32\PGPlsp.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1644)
c:\windows\system32\PGPlsp.dll
c:\windows\system32\EntApi.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(5344)
c:\windows\system32\WININET.dll
c:\windows\system32\EntApi.dll
c:\windows\system32\PGPhk.dll
c:\windows\system32\PGPfsshl.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-16 08:21
ComboFix-quarantined-files.txt 2009-11-16 16:21
ComboFix2.txt 2009-11-15 03:32
ComboFix3.txt 2009-11-12 21:05
Pre-Run: 36,653,228,032 bytes free
Post-Run: 36,602,355,712 bytes free
- - End Of File - - 3EBE7245A2DF0087143064DDB32A2C68
Oh, and the 1st item created a log that just said "1 file copied", FYI.
I've run some tests of the problem as well, and I do not seem to be getting redirected any longer.
Let me know, thanks. Hope you have had a great day so far.
Mike
Edited by Capt_Dad, 16 November 2009 - 11:24 AM.