
Thread: Browser Hijack and Virus

  1. #11
    Member
    Join Date
    Sep 2009
    Posts
    59


    Shaba:

    The .exe fix worked, in that I could launch some programs (e.g., Solitaire).

    I went ahead and tried to launch gmer, but as far as I can tell it did not run. Windows task manager said it was running, but no gmer screen appeared. There was no reference to gmer.sys loading, nor a warning about rootkit activity, nor a Rootkit tab, etc.

    I tried in Safe Mode too, same result. Am I not waiting long enough, or should there be some screen after double-clicking the Gmer icon saying gmer is running?

    As an added bonus, during one of the reboots, Antivirus Pro 2010 appeared and began running a fake scan.

    I did NOT try Combo-fix.

  2. #12
    Member
    Join Date
    Sep 2009
    Posts
    59


    For clarification, when Windows Task Manager was opened, the gmer folder appeared under the "Applications" tab, but I did not see any activity under the "Processes" tab ...

  3. #13
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Please then try to run combofix in safe mode.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #14
    Member
    Join Date
    Sep 2009
    Posts
    59

    Combofix "results"

    Shaba:

    I was able to start combofix in safe mode, and it eventually produced the log below; however, I'm not sure if everything went as expected.

    When I started combofix, it said it identified rootkit activity (c:\windows\system32\drivers\UACpyxmtkiqvd.sys), and rebooted. Once combofix started, it said I didn't have a Windows Recovery Console and would access the internet to download one, but then could not access the internet. (I also thought I had the Recovery Console installed, but perhaps not).

    During the scan, numerous windows popped up saying various files were corrupt and to run the chkdsk utility. For example, I received the following:

    PEV.EXE - corrupt file. The file or directory \pagefile.sys is corrupt and unreadable. Please run the chkdsk utility.

    CF25281.exe - corrupt file. The file or directory \windows\temp\dd_net_framework20_setup01303.txt is corrupt and unreadable ...

    NIRCMD.cfxxe - corrupt file. The file or directory \recycled\Dc4.exe is corrupt and unreadable. Please run the chkdsk utility.

    etc.

    I also received a message saying to insert my Windows XP disk, as some files needed to run Windows had been replaced with unrecognized ones.

    I did NOT run chkdsk and did NOT reinstall any Windows components.

    Finally, combofix rebooted my machine a second time to prepare the below.

    Thanks for your help.

  5. #15
    Member
    Join Date
    Sep 2009
    Posts
    59

    Combofix log

    ComboFix 09-09-14.02 - default 09/15/2009 12:42.1.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.147 [GMT -6:00]
    Running from: c:\documents and settings\default\Desktop\Combo-Fix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    Overlay aborted ... Please run ComboFix once more
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\dumokisamo.ban
    c:\documents and settings\All Users\Application Data\ekozynuqew.pif
    c:\documents and settings\All Users\Application Data\fecimyd.inf
    c:\documents and settings\All Users\Application Data\fulahypax.dll
    c:\documents and settings\All Users\Application Data\mecuw.vbs
    c:\documents and settings\All Users\Application Data\mehomifari.com
    c:\documents and settings\All Users\Application Data\nedaf._sy
    c:\documents and settings\All Users\Application Data\xozonuby.dll
    c:\documents and settings\All Users\Application Data\ymupuxas.dl
    c:\documents and settings\All Users\Application Data\yqur.bin
    c:\documents and settings\default\Application Data\aqadujedej.ban
    c:\documents and settings\default\Application Data\axudewux.exe
    c:\documents and settings\default\Application Data\dytylypoxu.lib
    c:\documents and settings\default\Application Data\ebevobifoj.dl
    c:\documents and settings\default\Application Data\eqohute.vbs
    c:\documents and settings\default\Application Data\fehiga.bat
    c:\documents and settings\default\Application Data\ihyfuvaxiz.dll
    c:\documents and settings\default\Application Data\jeji._sy
    c:\documents and settings\default\Application Data\jozupotoq.lib
    c:\documents and settings\default\Application Data\jurecukify.pif
    c:\documents and settings\default\Application Data\kyno.dl
    c:\documents and settings\default\Application Data\lagol.dll
    c:\documents and settings\default\Application Data\megaj.inf
    c:\documents and settings\default\Application Data\memawyc.ban
    c:\documents and settings\default\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
    c:\documents and settings\default\Application Data\oranymo.ban
    c:\documents and settings\default\Application Data\osiveko._sy
    c:\documents and settings\default\Application Data\RACLE~1
    c:\documents and settings\default\Application Data\siseba.lib
    c:\documents and settings\default\Application Data\ufedu.inf
    c:\documents and settings\default\Application Data\ufezy.reg
    c:\documents and settings\default\Application Data\vozycuqati.ban
    c:\documents and settings\default\Application Data\widukixi.reg
    c:\documents and settings\default\Application Data\wilexaho.scr
    c:\documents and settings\default\Application Data\zotufec.bat
    c:\documents and settings\default\Application Data\zysy.exe
    c:\documents and settings\default\Cookies\dagys.scr
    c:\documents and settings\default\Cookies\esylacahe.dll
    c:\documents and settings\default\Cookies\gojosukisy.dll
    c:\documents and settings\default\Cookies\opijex.bat
    c:\documents and settings\default\Cookies\wareburac.lib
    c:\documents and settings\default\Cookies\woficexoru.reg
    c:\documents and settings\default\Local Settings\Temporary Internet Files\agac.lib
    c:\documents and settings\default\Local Settings\Temporary Internet Files\esyco.bin
    c:\documents and settings\default\Local Settings\Temporary Internet Files\gygen.lib
    c:\documents and settings\default\Local Settings\Temporary Internet Files\kosud.bat
    c:\documents and settings\default\Local Settings\Temporary Internet Files\lisabaxel.inf
    c:\documents and settings\default\Local Settings\Temporary Internet Files\lura.exe
    c:\documents and settings\default\Local Settings\Temporary Internet Files\vapolokuqo.ban
    c:\documents and settings\default\Local Settings\Temporary Internet Files\wulaqovuj.sys
    c:\documents and settings\default\Local Settings\Temporary Internet Files\xirexa.pif
    c:\documents and settings\default\Start Menu\Programs\AntivirusPro_2010
    c:\documents and settings\default\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
    c:\documents and settings\default\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
    c:\program files\AntivirusPro_2010
    c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
    c:\program files\AntivirusPro_2010\AVEngn.dll
    c:\program files\AntivirusPro_2010\data\daily.cvd
    c:\program files\AntivirusPro_2010\htmlayout.dll
    c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
    c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
    c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
    c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
    c:\program files\AntivirusPro_2010\pthreadVC2.dll
    c:\program files\AntivirusPro_2010\Uninstall.exe
    c:\program files\AntivirusPro_2010\wscui.cpl
    c:\program files\Common Files\ipycybile.dll
    c:\program files\Common Files\micukutat.pif
    c:\program files\Common Files\pagypotov.exe
    c:\program files\Common Files\paqogaruxa.reg
    c:\program files\Common Files\pifa._dl
    c:\program files\Common Files\qaxilo.dl
    c:\program files\Common Files\uheped.sys
    c:\program files\Common Files\zuviki.bin
    c:\program files\Windows Police Pro
    c:\program files\Windows Police Pro\msvcm80.dll
    c:\program files\Windows Police Pro\msvcp80.dll
    c:\program files\Windows Police Pro\msvcr80.dll
    c:\program files\Windows Police Pro\windows Police Pro.exe
    c:\temp\tn3
    c:\windows\All Users\Documents\asufi.ban
    c:\windows\All Users\Documents\balolyhyza._dl
    c:\windows\All Users\Documents\gesymavola.inf
    c:\windows\All Users\Documents\hobuda.dl
    c:\windows\All Users\Documents\ivoh.bat
    c:\windows\All Users\Documents\mini.bat
    c:\windows\All Users\Documents\onode.dl
    c:\windows\All Users\Documents\panefaru.pif
    c:\windows\All Users\Documents\ycoco._dl
    c:\windows\All Users\Documents\zaxusy.com
    c:\windows\All Users\Documents\zuhanom.scr
    c:\windows\amuco.scr
    c:\windows\braviax.exe
    c:\windows\cru629.dat
    c:\windows\DRIVERS\beep.sys
    c:\windows\elis.ban
    c:\windows\hocade.bin
    c:\windows\Installer\127f7.msi
    c:\windows\Installer\163f2.msi
    c:\windows\Installer\241ea.msi
    c:\windows\Installer\2b522.msi
    c:\windows\Installer\30df8.msi
    c:\windows\Installer\35d57.msi
    c:\windows\Installer\36a86.msi
    c:\windows\Installer\3c38d.msi
    c:\windows\Installer\61274.msi
    c:\windows\Installer\ffd03b10.msi
    c:\windows\jestertb.dll
    c:\windows\lyciwezexe.bat
    c:\windows\ppp3.dat
    c:\windows\ppp4.dat
    c:\windows\rejovida.reg
    c:\windows\seqawimi.vbs
    c:\windows\start.exe
    c:\windows\system32\_scui.cpl
    c:\windows\system32\bgqwwsnw.ini
    c:\windows\system32\bincd32.dat
    c:\windows\system32\braviax.exe
    c:\windows\system32\cete.bat
    c:\windows\system32\cru629.dat
    c:\windows\SYSTEM32\dcbeg.bak1
    c:\windows\SYSTEM32\dcbeg.bak2
    c:\windows\SYSTEM32\dcbeg.tmp
    c:\windows\system32\drivers\UACpyxmtkiqvd.sys
    c:\windows\system32\fmifkfgn.ini
    c:\windows\system32\gtccwsvp.ini
    c:\windows\system32\hniivpof.ini
    c:\windows\system32\images
    c:\windows\system32\images\i1.gif
    c:\windows\system32\images\i2.gif
    c:\windows\system32\images\i3.gif
    c:\windows\system32\images\j1.gif
    c:\windows\system32\images\j2.gif
    c:\windows\system32\images\j3.gif
    c:\windows\system32\images\jj1.gif
    c:\windows\system32\images\jj2.gif
    c:\windows\system32\images\jj3.gif
    c:\windows\system32\images\l1.gif
    c:\windows\system32\images\l2.gif
    c:\windows\system32\images\l3.gif
    c:\windows\system32\images\pix.gif
    c:\windows\system32\images\t1.gif
    c:\windows\system32\images\t2.gif
    c:\windows\system32\images\up1.gif
    c:\windows\system32\images\up2.gif
    c:\windows\system32\images\w1.gif
    c:\windows\system32\images\w11.gif
    c:\windows\system32\images\w2.gif
    c:\windows\system32\images\w3.gif
    c:\windows\system32\images\w3.jpg
    c:\windows\system32\images\wt1.gif
    c:\windows\system32\images\wt2.gif
    c:\windows\system32\images\wt3.gif
    c:\windows\system32\iwefa.ban
    c:\windows\system32\jvwfpfxx.ini
    c:\windows\system32\lymusoluza.exe
    c:\windows\system32\mghrgosi.ini
    c:\windows\system32\npyyuwol.ini
    c:\windows\system32\opyvi.sys
    c:\windows\system32\puviwo.dll
    c:\windows\system32\qiphxufk.ini
    c:\windows\system32\sahutaxam.bin
    c:\windows\system32\sonhelp.htm
    c:\windows\system32\sysnet.dat
    c:\windows\system32\uzofybojyt.scr
    c:\windows\system32\waksdqvj.ini
    c:\windows\system32\windows.scr
    c:\windows\system32\wisdstr.exe
    c:\windows\system32\wispex.html
    c:\windows\system32\yqezilona.vbs
    c:\windows\system32\Z1
    c:\windows\system32\Z11
    c:\windows\system32\Z3
    c:\windows\system32\Z5
    c:\windows\system32\Z7
    c:\windows\system32\Z9
    c:\windows\tonahedoh.reg
    c:\windows\ugisarali.vbs
    c:\windows\uhebuvy.ban
    c:\windows\unidivy.inf
    c:\windows\Web\default.htt
    c:\windows\wirane.scr
    c:\windows\ynox._dl

    c:\windows\system32\drivers\beep.sys . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_UACd.sys
    -------\Legacy_UACd.sys
    -------\Legacy_ANTIPPRO2009_100
    -------\Service_AntipPro2009_100


    ((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
    .

    2009-09-15 18:29 . 2009-09-15 18:29 -------- d-----w- C:\Combo-Fix
    2009-09-15 17:57 . 2009-09-15 17:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-09-15 17:54 . 2009-09-15 17:54 12379 ----a-w- c:\documents and settings\default\Application Data\bifupexa.dat
    2009-09-15 13:02 . 2009-09-15 13:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
    2009-09-15 01:05 . 2009-09-15 01:05 14268 ----a-w- c:\windows\system32\pepo.dat
    2009-09-15 01:05 . 2009-09-15 01:05 10574 ----a-w- c:\documents and settings\default\Application Data\mykade.dat
    2009-09-15 00:01 . 2009-09-15 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2009-09-14 13:30 . 2009-09-15 00:57 27648 ----a-w- c:\windows\system32\dllcache\beep.sys
    2009-09-10 06:09 . 2009-09-10 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
    2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
    2009-09-08 19:28 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
    2009-09-08 05:45 . 2009-09-08 06:01 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-07 04:28 . 2009-09-07 04:28 -------- d-sh--w- c:\documents and settings\default\IECompatCache
    2009-09-07 02:42 . 2009-09-07 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-09-07 02:31 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-09-07 01:52 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-09-07 01:51 . 2009-09-07 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-09-07 01:50 . 2009-09-07 01:50 -------- d-----w- c:\program files\Lavasoft
    2009-09-06 22:51 . 2009-09-06 22:51 -------- d-----w- c:\program files\Trend Micro
    2009-09-06 20:23 . 2009-09-06 20:23 16342 ----a-w- c:\documents and settings\default\Application Data\cixadura.dat
    2009-09-06 19:57 . 2009-09-06 19:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\scripting
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\l2schemas
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\en
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\bits
    2009-09-06 19:26 . 2009-09-06 19:27 -------- d-----w- c:\windows\EHome
    2009-09-06 18:31 . 2009-09-06 18:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\default\PrivacIE
    2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-09-06 18:21 . 2009-09-06 18:21 -------- d-sh--w- c:\documents and settings\default\IETldCache
    2009-09-06 18:19 . 2009-09-06 18:19 -------- d-----w- c:\windows\ie8updates
    2009-09-06 18:18 . 2009-09-06 18:18 -------- d--h--w- c:\windows\ie8
    2009-09-06 18:17 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
    2009-09-06 18:17 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2009-09-06 18:17 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2009-09-06 18:17 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-09-06 18:17 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2009-09-06 18:17 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
    2009-09-06 18:03 . 2008-10-16 20:06 268648 ----a-w- c:\windows\system32\mucltui.dll
    2009-09-06 01:11 . 2009-09-15 19:02 268435456 --sha-w- c:\windows\system32\temppf.sys
    2009-09-03 23:16 . 2009-09-03 23:17 45 ----a-w- c:\documents and settings\default\jagex_runescape_preferences2.dat
    2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iPod
    2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iTunes
    2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-08-18 02:51 . 2009-08-18 02:51 -------- d-----w- c:\program files\Bonjour
    2009-08-18 02:50 . 2009-08-18 02:50 -------- d-----w- c:\program files\QuickTime
    2009-08-18 02:47 . 2009-07-09 18:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-15 18:03 . 2009-09-15 18:03 19763 ----a-w- c:\program files\Common Files\ejujuraryj.lib
    2009-09-06 20:23 . 2009-09-06 20:23 14766 ----a-w- c:\documents and settings\All Users\Application Data\vahu.dat
    2009-09-04 00:28 . 2008-07-01 21:59 37 ----a-w- c:\documents and settings\default\jagex_runescape_preferences.dat
    2009-08-16 19:04 . 2009-05-23 14:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-08-16 19:04 . 2008-01-27 03:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-08-16 19:04 . 2009-05-23 14:43 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\MSBuild
    2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-08 05:44 . 2009-08-08 05:43 -------- d-----w- c:\program files\MSXML 6.0
    2009-08-05 09:01 . 2008-01-23 03:28 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-03 19:36 . 2008-08-29 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 19:36 . 2008-08-29 04:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-17 19:01 . 2008-01-23 03:25 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-12 18:21 . 2008-01-23 03:34 233472 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-09 18:16 . 2008-01-29 04:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-07-03 17:09 . 2008-01-23 03:31 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-06-25 08:25 . 2008-01-23 03:30 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2008-01-23 03:29 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2008-01-23 03:29 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2008-01-23 03:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-25 08:25 . 2008-01-23 03:27 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2008-01-23 03:27 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-24 11:18 . 2008-01-23 03:27 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2000-10-13 22:56 . 2000-10-13 22:56 23357 ----a-w- c:\program files\folder.htt
    .

    ------- Sigcheck -------

    [-] 2009-09-15 00:57 . 5136045680D6EEFB0241B41160416438 . 27648 . . [------] . . c:\windows\SYSTEM32\dllcache\beep.sys

    c:\windows\system32\drivers\beep.sys ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-08 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Printing Migration"="c:\windows\system32\spool\migrate.dll" [2004-08-04 30208]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Filseclab Messenger.lnk - c:\program files\Common Files\Filseclab\FilMsg.exe [2007-7-30 315652]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-16 19:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"=c:\progra~1\MESSEN~1\msmsgs.exe /background
    "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
    "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
    "CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    "RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    "TaskMonitor"=c:\windows\taskmon.exe
    "PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
    "WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
    "Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
    "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
    "MULTIMEDIA KEYBOARD"=c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe
    "LoadQM"=loadqm.exe
    "HPAIO_PrintFolderMgr"=c:\windows\SYSTEM\hpoopm07.exe
    "DownloadWare"="c:\program files\DownloadWare\dw.exe" /H
    "SearchEnhancement"="c:\program files\SCBAR\V1\SCBAR.EXE" /U
    "KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "NAV Agent"=c:\progra~1\NORTON~1\NAVAPW32.EXE
    "RecoverFromReboot"=c:\windows\TEMP\RECOVE~1.EXE
    "BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
    "QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
    "xfilter"="c:\program files\Filseclab\xfilter\xfilter.exe" -a

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
    "SchedulingAgent"=mstask.exe
    "StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/6/2009 7:52 PM 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/23/2009 8:43 AM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/23/2009 8:43 AM 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 8:42 AM 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 8:42 AM 297752]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
    R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [5/25/2009 7:49 PM 36224]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
    rundll rnasetup.dll,installoptionalcomponent rna
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2009-09-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    AddRemove-Adobe Acrobat 5.0 - c:\windows\ISUNINST.EXE -fc:\program files\Common Files\Adobe\Acrobat 5.0\ME\Uninst.isu
    AddRemove-BroadJump Client Foundation - c:\windows\IsUninst.exe -fc:\program files\BroadJump\Client Foundation\Uninst.isu -cc:\program files\BroadJump\Client Foundation\RmvBJCFD.dll
    AddRemove-FoneSync - c:\windows\IsUninst.exe -fc:\program files\FoneSync\Uninst.isu
    AddRemove-Image Expert 3.2 - c:\windows\IsUninst.exe -fc:\program files\Sierra Imaging\Image Expert 2000\Uninst.isu
    AddRemove-MusicMatch Jukebox - c:\windows\IsUninst.exe -fc:\program files\MusicMatch\MusicMatch Jukebox\Uninst.isu
    AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-15 13:03
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(360)
    c:\windows\system32\vct3216.acm
    c:\windows\system32\vct3216.dll
    c:\windows\system32\MVOICE.VWP

    - - - - - - - > 'lsass.exe'(416)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1324)
    c:\windows\system32\WININET.dll
    vsfocetkopabwq.dll 10000000 36864 \\?\globalroot\systemroot\system32\vsfocetkopabwq.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\program files\AVG\AVG8\AVGWDSVC.EXE
    c:\program files\BONJOUR\MDNSRESPONDER.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\AVG\AVG8\AVGEMC.EXE
    c:\program files\AVG\AVG8\AVGRSX.EXE
    c:\program files\AVG\AVG8\AVGNSX.EXE
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-15 13:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-09-15 19:16

    Pre-Run: 1,341,374,464 bytes free
    Post-Run: 3,543,924,736 bytes free

    445 --- E O F --- 2009-09-08 20:07
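
    The log above, read as triage input: an added example (my code, not ComboFix's, and not from the helper in this thread) that parses the "Files Created" and "DLLs Loaded Under Running Processes" sections in the layout shown in the pasted log and flags the two things a helper acts on first, the module that is only reachable through a \\?\globalroot path and the hidden/system or dllcache driver drops. The sample log is a constructed excerpt of lines from the thread; the line layouts and the flag rules are my assumptions, inferred from the pasted log, and are triage leads rather than a verdict.

```python
"""Triage helpers for the ComboFix log layout pasted in this thread.

Layouts assumed (inferred from the pasted log, not from ComboFix docs):
  Files Created / Find3M:  "created . modified size attrs path"
  DLLs Loaded:             "- - - - - - - > 'proc'(pid)" then one module per line,
                           or "name base size path" for modules without a drive path.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt: a few lines copied from the thread's log so the parsers
# have realistic input to run on offline.
SAMPLE_LOG = r"""((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-15 17:54 . 2009-09-15 17:54 12379 ----a-w- c:\documents and settings\default\Application Data\bifupexa.dat
2009-09-14 13:30 . 2009-09-15 00:57 27648 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-07 01:50 . 2009-09-07 01:50 -------- d-----w- c:\program files\Lavasoft
2009-09-06 01:11 . 2009-09-15 19:02 268435456 --sha-w- c:\windows\system32\temppf.sys
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(360)
c:\windows\system32\vct3216.acm

- - - - - - - > 'explorer.exe'(1324)
c:\windows\system32\WININET.dll
vsfocetkopabwq.dll 10000000 36864 \\?\globalroot\systemroot\system32\vsfocetkopabwq.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
"""

CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(-{8}|\d+) ([a-z-]{8}) (.+)$")
PROCESS_RE = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)$")
MODULE_RE = re.compile(r"^(\S+) ([0-9A-Fa-f]+) (\d+) (.+)$")  # name base size path
GLOBALROOT = "\\\\?\\globalroot\\"   # the \\?\globalroot\ prefix, as a plain string


@dataclass(frozen=True)
class CreatedEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str            # e.g. "d-sh--w-": d=dir, s=system, h=hidden, a=archive
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(text: str) -> list:
    """Return every dated entry (Files Created and Find3M share the layout)."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append(CreatedEntry(created, modified,
                                        None if size.startswith("-") else int(size),
                                        attrs, path))
    return entries


def parse_loaded_modules(text: str) -> dict:
    """Map 'process(pid)' -> list of module paths from the DLLs-loaded section."""
    modules, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-----"):      # next section header: stop
            break
        m = PROCESS_RE.match(line)
        if m:
            current = f"{m.group(1)}({m.group(2)})"
            modules[current] = []
            continue
        if current is None or line in ("", "."):
            continue
        m = MODULE_RE.match(line)
        modules[current].append(m.group(4) if m else line)
    return modules


def flag_modules(modules: dict) -> list:
    """Modules loaded via the globalroot prefix: the file is hidden from normal
    path lookups, which is how the rootkit in this thread stayed resident."""
    return [(proc, path) for proc, paths in modules.items()
            for path in paths if path.lower().startswith(GLOBALROOT)]


def flag_created(entries: list) -> list:
    """Leads among created files: hidden/system-attributed files under system32
    (the 256 MB temppf.sys) and drivers newly written into dllcache, which only
    Windows Update should touch (the patched beep.sys the log's Sigcheck flagged)."""
    leads = []
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        if "\\system32\\" in low and ("h" in e.attrs or "s" in e.attrs):
            leads.append((e.path, "hidden/system file under system32"))
        elif "\\system32\\dllcache\\" in low and low.endswith(".sys"):
            leads.append((e.path, "driver newly created in dllcache"))
    return leads
```

Run it over the full log pasted in the thread and the same two rules surface vsfocetkopabwq.dll in explorer.exe and the beep.sys/temppf.sys drops; every other entry is left for the helper to judge.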

  6. #16
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Please install the Recovery Console manually as described in my link, rerun ComboFix and post back a fresh ComboFix log.

  7. #17
    Member
    Join Date
    Sep 2009
    Posts
    59

    Link

    Shaba:

    Could you please send me the link that describes how to manually install the Recovery Console?

    Thanks.

  8. #18
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

  9. #19
    Member
    Join Date
    Sep 2009
    Posts
    59

    Combofix Scan

    Got it.

    Combofix ran, with several windows opening to identify various corrupt files, and a reboot into normal XP mode (not recovery console mode). Here is the Combofix log:

    ===
    ComboFix 09-09-14.02 - default 09/15/2009 23:25.2.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.136 [GMT -6:00]
    Running from: c:\documents and settings\default\Desktop\Combo-Fix.exe
    Command switches used :: c:\documents and settings\default\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    PEV Error: LocalAppDataFolder

    ((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
    .

    2009-09-15 18:29 . 2009-09-15 18:29 -------- d-----w- C:\Combo-Fix
    2009-09-15 17:57 . 2009-09-15 17:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-09-15 17:54 . 2009-09-15 17:54 12379 ----a-w- c:\documents and settings\default\Application Data\bifupexa.dat
    2009-09-15 13:02 . 2009-09-15 13:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
    2009-09-15 01:05 . 2009-09-15 01:05 14268 ----a-w- c:\windows\system32\pepo.dat
    2009-09-15 01:05 . 2009-09-15 01:05 10574 ----a-w- c:\documents and settings\default\Application Data\mykade.dat
    2009-09-15 00:01 . 2009-09-15 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2009-09-14 13:30 . 2009-09-15 00:57 27648 ----a-w- c:\windows\system32\dllcache\beep.sys
    2009-09-10 06:09 . 2009-09-10 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
    2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
    2009-09-08 19:28 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
    2009-09-08 05:45 . 2009-09-08 06:01 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-07 04:28 . 2009-09-07 04:28 -------- d-sh--w- c:\documents and settings\default\IECompatCache
    2009-09-07 02:42 . 2009-09-07 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-09-07 02:31 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-09-07 01:52 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-09-07 01:51 . 2009-09-07 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-09-07 01:50 . 2009-09-07 01:50 -------- d-----w- c:\program files\Lavasoft
    2009-09-06 22:51 . 2009-09-06 22:51 -------- d-----w- c:\program files\Trend Micro
    2009-09-06 20:23 . 2009-09-06 20:23 16342 ----a-w- c:\documents and settings\default\Application Data\cixadura.dat
    2009-09-06 19:57 . 2009-09-06 19:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\scripting
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\l2schemas
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\en
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\bits
    2009-09-06 19:26 . 2009-09-06 19:27 -------- d-----w- c:\windows\EHome
    2009-09-06 18:31 . 2009-09-06 18:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\default\PrivacIE
    2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-09-06 18:21 . 2009-09-06 18:21 -------- d-sh--w- c:\documents and settings\default\IETldCache
    2009-09-06 18:19 . 2009-09-06 18:19 -------- d-----w- c:\windows\ie8updates
    2009-09-06 18:18 . 2009-09-06 18:18 -------- d--h--w- c:\windows\ie8
    2009-09-06 18:17 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
    2009-09-06 18:17 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2009-09-06 18:17 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2009-09-06 18:17 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-09-06 18:17 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2009-09-06 18:17 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
    2009-09-06 18:03 . 2008-10-16 20:06 268648 ----a-w- c:\windows\system32\mucltui.dll
    2009-09-06 01:11 . 2009-09-16 05:22 268435456 --sha-w- c:\windows\system32\temppf.sys
    2009-09-03 23:16 . 2009-09-03 23:17 45 ----a-w- c:\documents and settings\default\jagex_runescape_preferences2.dat
    2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iPod
    2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iTunes
    2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-08-18 02:51 . 2009-08-18 02:51 -------- d-----w- c:\program files\Bonjour
    2009-08-18 02:50 . 2009-08-18 02:50 -------- d-----w- c:\program files\QuickTime
    2009-08-18 02:47 . 2009-07-09 18:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-15 18:03 . 2009-09-15 18:03 19763 ----a-w- c:\program files\Common Files\ejujuraryj.lib
    2009-09-06 20:23 . 2009-09-06 20:23 14766 ----a-w- c:\documents and settings\All Users\Application Data\vahu.dat
    2009-09-04 00:28 . 2008-07-01 21:59 37 ----a-w- c:\documents and settings\default\jagex_runescape_preferences.dat
    2009-08-16 19:04 . 2009-05-23 14:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-08-16 19:04 . 2008-01-27 03:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-08-16 19:04 . 2009-05-23 14:43 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\MSBuild
    2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-08 05:44 . 2009-08-08 05:43 -------- d-----w- c:\program files\MSXML 6.0
    2009-08-05 09:01 . 2008-01-23 03:28 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-03 19:36 . 2008-08-29 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 19:36 . 2008-08-29 04:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-17 19:01 . 2008-01-23 03:25 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-12 18:21 . 2008-01-23 03:34 233472 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-09 18:16 . 2008-01-29 04:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-07-03 17:09 . 2008-01-23 03:31 915456 ------w- c:\windows\system32\wininet.dll
    2009-06-25 08:25 . 2008-01-23 03:30 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2008-01-23 03:29 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2008-01-23 03:29 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2008-01-23 03:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-25 08:25 . 2008-01-23 03:27 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2008-01-23 03:27 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-24 11:18 . 2008-01-23 03:27 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2000-10-13 22:56 . 2000-10-13 22:56 23357 ----a-w- c:\program files\folder.htt
    .

    ------- Sigcheck -------

    [-] 2009-09-15 00:57 . 5136045680D6EEFB0241B41160416438 . 27648 . . [------] . . c:\windows\SYSTEM32\dllcache\beep.sys

    c:\windows\system32\drivers\beep.sys ... is missing !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-09-15_19.04.36 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-23 04:22 . 2009-09-16 05:22 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-01-23 04:22 . 2009-09-15 18:38 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-09-06 18:31 . 2009-09-15 18:38 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
    + 2009-09-06 18:31 . 2009-09-16 05:22 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
    + 2008-01-23 04:22 . 2009-09-16 05:22 49152 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
    - 2008-01-23 04:22 . 2009-09-15 18:38 49152 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
    + 2008-01-23 04:22 . 2009-09-16 05:22 360448 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-23 04:22 . 2009-09-15 18:38 360448 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-08 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Printing Migration"="c:\windows\system32\spool\migrate.dll" [2004-08-04 30208]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Filseclab Messenger.lnk - c:\program files\Common Files\Filseclab\FilMsg.exe [2007-7-30 315652]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-16 19:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"=c:\progra~1\MESSEN~1\msmsgs.exe /background
    "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
    "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
    "CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    "RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    "TaskMonitor"=c:\windows\taskmon.exe
    "PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
    "WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
    "Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
    "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
    "MULTIMEDIA KEYBOARD"=c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe
    "LoadQM"=loadqm.exe
    "HPAIO_PrintFolderMgr"=c:\windows\SYSTEM\hpoopm07.exe
    "DownloadWare"="c:\program files\DownloadWare\dw.exe" /H
    "SearchEnhancement"="c:\program files\SCBAR\V1\SCBAR.EXE" /U
    "KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "NAV Agent"=c:\progra~1\NORTON~1\NAVAPW32.EXE
    "RecoverFromReboot"=c:\windows\TEMP\RECOVE~1.EXE
    "BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
    "QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
    "xfilter"="c:\program files\Filseclab\xfilter\xfilter.exe" -a

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
    "SchedulingAgent"=mstask.exe
    "StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/6/2009 7:52 PM 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/23/2009 8:43 AM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/23/2009 8:43 AM 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 8:42 AM 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 8:42 AM 297752]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
    R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [5/25/2009 7:49 PM 36224]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
    rundll rnasetup.dll,installoptionalcomponent rna
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2009-09-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-15 23:38
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(360)
    c:\windows\system32\vct3216.acm
    c:\windows\system32\vct3216.dll
    c:\windows\system32\MVOICE.VWP

    - - - - - - - > 'lsass.exe'(416)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2009-09-16 23:43
    ComboFix-quarantined-files.txt 2009-09-16 05:43
    ComboFix2.txt 2009-09-15 19:16

    Pre-Run: 3,530,883,072 bytes free
    Post-Run: 3,535,831,040 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout = 30
    default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    241 --- E O F --- 2009-09-08 20:07
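
The log above is read by hand in the thread, but two of its sections lend themselves to mechanical triage: the "Files Created" / Find3M lines (created time, last-write time, size, attribute string, path) and the policy values printed under "Reg Loading Points" (EnableFirewall, UpdatesDisableNotify, DisableMonitoring). The script below is an added example, not ComboFix's own code and not something posted in the thread. The sample lines are constructed copies of a few entries in the format of the log above; the checks it applies (system+hidden attributes, a Windows file whose last-write time is newer than its creation time, an oversized .sys, a letters-only .dat/.lib dropped into a profile or system folder) are triage heuristics that I am assuming here, not verdicts about those files. Function and constant names (`parse_files`, `triage`, `weak_policies`, `report`, `WEAK_VALUES`) are mine.

```python
# Added triage example (not ComboFix's code, not from the thread). Samples
# are constructed in the log's format; the flags are heuristics, not verdicts.
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample, shape of the "Files Created" section:
# <created> . <last-write> <size or dashes> <attributes> <path>
SAMPLE_FILES = r"""
2009-09-15 17:54 . 2009-09-15 17:54 12379 ----a-w- c:\documents and settings\default\Application Data\bifupexa.dat
2009-09-14 13:30 . 2009-09-15 00:57 27648 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-06 01:11 . 2009-09-16 05:22 268435456 --sha-w- c:\windows\system32\temppf.sys
2009-09-06 18:17 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-18 02:47 . 2009-07-09 18:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-09-07 01:51 . 2009-09-07 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
"""

# Constructed sample of policy values as printed under "Reg Loading Points"
# (both value syntaxes occur in the real log).
SAMPLE_POLICY = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                     r"(\d+|-+) ([-a-z]{8}) (.+)$")
POLICY_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))$')
TS = "%Y-%m-%d %H:%M"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
DROP_DIRS = ("\\application data\\", "\\common files\\", "c:\\windows\\system32\\")
WEAK_VALUES = {  # value name -> (weakening value, what it means)
    "enablefirewall": (0, "Windows Firewall off for the standard profile"),
    "updatesdisablenotify": (1, "Security Center update warnings suppressed"),
    "disablemonitoring": (1, "Security Center not monitoring this AV product"),
}


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]          # None for directories (dashes in the log)
    attrs: str                   # e.g. "----a-w-", "d-sh--w-"
    path: str
    flags: list = field(default_factory=list)


def parse_files(text):
    """Parse file lines; headers, dots and blank lines simply do not match."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            out.append(Entry(datetime.strptime(created, TS), datetime.strptime(modified, TS),
                             None if size.startswith("-") else int(size), attrs, path))
    return out


def triage(e):
    """Attach heuristic flags to one entry and return them (assumed heuristics)."""
    p = e.path.lower()
    stem, _, ext = p.rsplit("\\", 1)[-1].rpartition(".")
    if "s" in e.attrs and "h" in e.attrs:
        e.flags.append("system+hidden attributes")
    # An installed Windows file normally has a last-write time older than its
    # creation time (the build date); the reverse means it was rewritten here.
    if not e.attrs.startswith("d") and p.startswith(SYSTEM_DIRS) and e.modified > e.created:
        e.flags.append("rewritten after install (last-write newer than creation)")
    if ext == "sys" and e.size is not None and e.size >= 16 * 2**20:
        e.flags.append("oversized .sys (%d MiB)" % (e.size // 2**20))
    if ext in ("dat", "lib") and stem.isalpha() and stem.islower() and any(d in p for d in DROP_DIRS):
        e.flags.append("letters-only .%s name in a drop location (weak heuristic)" % ext)
    return e.flags


def weak_policies(text):
    """Return {value name: meaning} for policy values set to a weakening state."""
    found = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        name, hexval, decval = m.groups()
        value = int(hexval, 16) if hexval else int(decval)
        bad, meaning = WEAK_VALUES.get(name.lower(), (None, ""))
        if value == bad:
            found[name] = meaning
    return found


def report(files_text=SAMPLE_FILES, policy_text=SAMPLE_POLICY):
    flagged = {e.path: e.flags for e in parse_files(files_text) if triage(e)}
    return flagged, weak_policies(policy_text)


if __name__ == "__main__":
    for path, flags in report()[0].items():
        print(path, "->", "; ".join(flags))
    for name, meaning in report()[1].items():
        print(name, "->", meaning)
```

On the constructed sample, the timestamp check is what singles out the dllcache copy of beep.sys: its last-write time is newer than its creation time, which is the same signal the log's Sigcheck section later confirms for that file (the copy in drivers is reported missing and the dllcache copy fails the signature check). The policy check turns `"EnableFirewall"= 0 (0x0)` and `"UpdatesDisableNotify"=dword:00000001` into readable findings instead of values to look up. The flags are prompts for a second look, not a replacement for the signature checks and quarantine that the tools in the thread actually perform.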

  10. #20
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

Do you remember any of those files in the errors?
