Browser Hijack and Virus

O

Off Track

New member
My PC (with Windows XP) is off the rails!

The past week most Google and Yahoo search results would redirect me to various sites, not the search result site. I used Spybot S&D, MalwareBytes and AVG 8.5, which usually found and quarantined various problems, including WIN32.TDSS.NTF, but they didn't correct the underlying problem. Search results are still redirected. Perhaps related, when I boot up I get a pop-up saying "Your System has no Paging File, or the Paging File is too small."

I downloaded ComboFix (have NOT run it), HiJackThis, AdAware, as well as IE 8 and some Windows patches. I also tried to update my Java, but am not sure where that stands.

NOW, Antivirus Pro windows keep popping up, and I can't launch any of the above programs including HiJackThis. Each time, Windows asks me what program I want to use to open them, instead of launching the program.
Any help would be greatly appreciated!!

Thanks
 
Here is the HJT Log

Thanks Shaba.

Yes renaming HFT seems to have worked. Here is the log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:17 PM, on 9/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: ICQSys (IE PlugIn) - {76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - C:\WINDOWS\system32\dddesot.dll (file missing)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-861567501-492894223-682003330-1004\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User '?')
O4 - HKUS\S-1-5-21-861567501-492894223-682003330-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-861567501-492894223-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Filseclab Messenger.lnk = C:\Program Files\Common Files\Filseclab\FilMsg.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252200236875
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchasts.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 7319 bytes
 
Download gmer.zip and save to your desktop.
alternate download site
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan..
 
Can't start Gmer

I downloaded Gmer and extracted the files. When I try to open it, I get the windows message asking what program I want to use to open Gmer.exe.

I tried renaming it, but got the same message. :eek:

How do I get Gmer to run?

Thanks.
 
Still no luck

No luck with Combofix. I get the same windows message asking which program I want to use to open combo-fix.exe.

I downloaded Combofix again, renaming to another name, and ran into the same problem.

I tried to open my Security Center through the control panel, and could not - getting an "application not found" message.
 
No .exe

Nope. All desktop icons, including a solitaire game, won't run. I get the same window asking which program to open it with.

I can open MS Word.
 
So then .exe file association is likely messed up.

Download .exe fix here, run it and let me know if it helped.
 
Shaba:

The .exe fix worked, in that I could launch some programs (e.g., Solitaire).

I went ahead and tried to launch gmer, but as far as I can tell it did not run. Windows task manager said it was running, but no gmer screen appeared. There was no reference to gmer.sys loading, nor a warning about rootkit activity, nor a Rootkit tab, etc.

I tried in Safe Mode too, same result. Am I not waiting long enough, or should there be some screen after doubleclicking the Gmer icon saying gmer is running?:confused:

As an added bonus, during one of the reboots, Antivirus Pro 2010 appeared and began running a fake scan.

I did NOT try Combo-fix.
 
For clarification, when windows task manager was opened, the gmer folder appeared under the "applications" tab, but I did not see any activity under the "processes" tab ...
 
Combofix "results"

Shaba:

I was able to start combofix in safe mode, and it eventually produced the below log, however I'm not sure if everything went as expected.

When I started combofix, it said it identified rootkit activity (c:\windows\system32\drivers\UACpyxmtkiqvd.sys), and rebooted. Once combofix started, it said I didn't have a Windows Recovery Console and would access the internet to download one, but then could not access the internet. (I also thought I had the Recovery Console installed, but perhaps not).

During the scan, numerous windows popped up saying various files were corrupt and to run the chkdsk utility. For example, I received the following:

PEV.EXE - corrupt file. The file or directory \pagefile.sys is corrupt and unreadable. Please run the chkdsk utility.

CF25281.exe - corrupt file. The file or directory \windows\temp\dd_net_framework20_setup01303.txt is corrupt and unreadable ...

NIRCMD.cfxxe - corrupt file. The file or directory \recycled\Dc4.exe is corrupt and unreadable. Please run the chkdsk utility.

etc.

I also received a message saying to insert my Windows XP disk, as some files needed to run Windows had been replaced with unrecognized ones.

I did NOT run chkdsk and did NOT reinstall any Windows components.

Finally, combofix rebooted my machine a second time to prepare the below.

Thanks for your help.
 
Combofix log

ComboFix 09-09-14.02 - default 09/15/2009 12:42.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.147 [GMT -6:00]
Running from: c:\documents and settings\default\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\dumokisamo.ban
c:\documents and settings\All Users\Application Data\ekozynuqew.pif
c:\documents and settings\All Users\Application Data\fecimyd.inf
c:\documents and settings\All Users\Application Data\fulahypax.dll
c:\documents and settings\All Users\Application Data\mecuw.vbs
c:\documents and settings\All Users\Application Data\mehomifari.com
c:\documents and settings\All Users\Application Data\nedaf._sy
c:\documents and settings\All Users\Application Data\xozonuby.dll
c:\documents and settings\All Users\Application Data\ymupuxas.dl
c:\documents and settings\All Users\Application Data\yqur.bin
c:\documents and settings\default\Application Data\aqadujedej.ban
c:\documents and settings\default\Application Data\axudewux.exe
c:\documents and settings\default\Application Data\dytylypoxu.lib
c:\documents and settings\default\Application Data\ebevobifoj.dl
c:\documents and settings\default\Application Data\eqohute.vbs
c:\documents and settings\default\Application Data\fehiga.bat
c:\documents and settings\default\Application Data\ihyfuvaxiz.dll
c:\documents and settings\default\Application Data\jeji._sy
c:\documents and settings\default\Application Data\jozupotoq.lib
c:\documents and settings\default\Application Data\jurecukify.pif
c:\documents and settings\default\Application Data\kyno.dl
c:\documents and settings\default\Application Data\lagol.dll
c:\documents and settings\default\Application Data\megaj.inf
c:\documents and settings\default\Application Data\memawyc.ban
c:\documents and settings\default\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\default\Application Data\oranymo.ban
c:\documents and settings\default\Application Data\osiveko._sy
c:\documents and settings\default\Application Data\RACLE~1
c:\documents and settings\default\Application Data\siseba.lib
c:\documents and settings\default\Application Data\ufedu.inf
c:\documents and settings\default\Application Data\ufezy.reg
c:\documents and settings\default\Application Data\vozycuqati.ban
c:\documents and settings\default\Application Data\widukixi.reg
c:\documents and settings\default\Application Data\wilexaho.scr
c:\documents and settings\default\Application Data\zotufec.bat
c:\documents and settings\default\Application Data\zysy.exe
c:\documents and settings\default\Cookies\dagys.scr
c:\documents and settings\default\Cookies\esylacahe.dll
c:\documents and settings\default\Cookies\gojosukisy.dll
c:\documents and settings\default\Cookies\opijex.bat
c:\documents and settings\default\Cookies\wareburac.lib
c:\documents and settings\default\Cookies\woficexoru.reg
c:\documents and settings\default\Local Settings\Temporary Internet Files\agac.lib
c:\documents and settings\default\Local Settings\Temporary Internet Files\esyco.bin
c:\documents and settings\default\Local Settings\Temporary Internet Files\gygen.lib
c:\documents and settings\default\Local Settings\Temporary Internet Files\kosud.bat
c:\documents and settings\default\Local Settings\Temporary Internet Files\lisabaxel.inf
c:\documents and settings\default\Local Settings\Temporary Internet Files\lura.exe
c:\documents and settings\default\Local Settings\Temporary Internet Files\vapolokuqo.ban
c:\documents and settings\default\Local Settings\Temporary Internet Files\wulaqovuj.sys
c:\documents and settings\default\Local Settings\Temporary Internet Files\xirexa.pif
c:\documents and settings\default\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\default\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\default\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\ipycybile.dll
c:\program files\Common Files\micukutat.pif
c:\program files\Common Files\pagypotov.exe
c:\program files\Common Files\paqogaruxa.reg
c:\program files\Common Files\pifa._dl
c:\program files\Common Files\qaxilo.dl
c:\program files\Common Files\uheped.sys
c:\program files\Common Files\zuviki.bin
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\temp\tn3
c:\windows\All Users\Documents\asufi.ban
c:\windows\All Users\Documents\balolyhyza._dl
c:\windows\All Users\Documents\gesymavola.inf
c:\windows\All Users\Documents\hobuda.dl
c:\windows\All Users\Documents\ivoh.bat
c:\windows\All Users\Documents\mini.bat
c:\windows\All Users\Documents\onode.dl
c:\windows\All Users\Documents\panefaru.pif
c:\windows\All Users\Documents\ycoco._dl
c:\windows\All Users\Documents\zaxusy.com
c:\windows\All Users\Documents\zuhanom.scr
c:\windows\amuco.scr
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\DRIVERS\beep.sys
c:\windows\elis.ban
c:\windows\hocade.bin
c:\windows\Installer\127f7.msi
c:\windows\Installer\163f2.msi
c:\windows\Installer\241ea.msi
c:\windows\Installer\2b522.msi
c:\windows\Installer\30df8.msi
c:\windows\Installer\35d57.msi
c:\windows\Installer\36a86.msi
c:\windows\Installer\3c38d.msi
c:\windows\Installer\61274.msi
c:\windows\Installer\ffd03b10.msi
c:\windows\jestertb.dll
c:\windows\lyciwezexe.bat
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\rejovida.reg
c:\windows\seqawimi.vbs
c:\windows\start.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\bgqwwsnw.ini
c:\windows\system32\bincd32.dat
c:\windows\system32\braviax.exe
c:\windows\system32\cete.bat
c:\windows\system32\cru629.dat
c:\windows\SYSTEM32\dcbeg.bak1
c:\windows\SYSTEM32\dcbeg.bak2
c:\windows\SYSTEM32\dcbeg.tmp
c:\windows\system32\drivers\UACpyxmtkiqvd.sys
c:\windows\system32\fmifkfgn.ini
c:\windows\system32\gtccwsvp.ini
c:\windows\system32\hniivpof.ini
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\iwefa.ban
c:\windows\system32\jvwfpfxx.ini
c:\windows\system32\lymusoluza.exe
c:\windows\system32\mghrgosi.ini
c:\windows\system32\npyyuwol.ini
c:\windows\system32\opyvi.sys
c:\windows\system32\puviwo.dll
c:\windows\system32\qiphxufk.ini
c:\windows\system32\sahutaxam.bin
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\uzofybojyt.scr
c:\windows\system32\waksdqvj.ini
c:\windows\system32\windows.scr
c:\windows\system32\wisdstr.exe
c:\windows\system32\wispex.html
c:\windows\system32\yqezilona.vbs
c:\windows\system32\Z1
c:\windows\system32\Z11
c:\windows\system32\Z3
c:\windows\system32\Z5
c:\windows\system32\Z7
c:\windows\system32\Z9
c:\windows\tonahedoh.reg
c:\windows\ugisarali.vbs
c:\windows\uhebuvy.ban
c:\windows\unidivy.inf
c:\windows\Web\default.htt
c:\windows\wirane.scr
c:\windows\ynox._dl

c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_ANTIPPRO2009_100
-------\Service_AntipPro2009_100


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-15 18:29 . 2009-09-15 18:29 -------- d-----w- C:\Combo-Fix
2009-09-15 17:57 . 2009-09-15 17:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-15 17:54 . 2009-09-15 17:54 12379 ----a-w- c:\documents and settings\default\Application Data\bifupexa.dat
2009-09-15 13:02 . 2009-09-15 13:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-15 01:05 . 2009-09-15 01:05 14268 ----a-w- c:\windows\system32\pepo.dat
2009-09-15 01:05 . 2009-09-15 01:05 10574 ----a-w- c:\documents and settings\default\Application Data\mykade.dat
2009-09-15 00:01 . 2009-09-15 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-14 13:30 . 2009-09-15 00:57 27648 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-10 06:09 . 2009-09-10 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
2009-09-08 19:28 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 05:45 . 2009-09-08 06:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-07 04:28 . 2009-09-07 04:28 -------- d-sh--w- c:\documents and settings\default\IECompatCache
2009-09-07 02:42 . 2009-09-07 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-07 02:31 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-07 01:52 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-07 01:51 . 2009-09-07 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-07 01:50 . 2009-09-07 01:50 -------- d-----w- c:\program files\Lavasoft
2009-09-06 22:51 . 2009-09-06 22:51 -------- d-----w- c:\program files\Trend Micro
2009-09-06 20:23 . 2009-09-06 20:23 16342 ----a-w- c:\documents and settings\default\Application Data\cixadura.dat
2009-09-06 19:57 . 2009-09-06 19:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\scripting
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\l2schemas
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\en
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\bits
2009-09-06 19:26 . 2009-09-06 19:27 -------- d-----w- c:\windows\EHome
2009-09-06 18:31 . 2009-09-06 18:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\default\PrivacIE
2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-06 18:21 . 2009-09-06 18:21 -------- d-sh--w- c:\documents and settings\default\IETldCache
2009-09-06 18:19 . 2009-09-06 18:19 -------- d-----w- c:\windows\ie8updates
2009-09-06 18:18 . 2009-09-06 18:18 -------- d--h--w- c:\windows\ie8
2009-09-06 18:17 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-06 18:17 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-06 18:17 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-06 18:17 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-06 18:17 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-06 18:17 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-06 18:03 . 2008-10-16 20:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 01:11 . 2009-09-15 19:02 268435456 --sha-w- c:\windows\system32\temppf.sys
2009-09-03 23:16 . 2009-09-03 23:17 45 ----a-w- c:\documents and settings\default\jagex_runescape_preferences2.dat
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iPod
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iTunes
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-18 02:51 . 2009-08-18 02:51 -------- d-----w- c:\program files\Bonjour
2009-08-18 02:50 . 2009-08-18 02:50 -------- d-----w- c:\program files\QuickTime
2009-08-18 02:47 . 2009-07-09 18:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 18:03 . 2009-09-15 18:03 19763 ----a-w- c:\program files\Common Files\ejujuraryj.lib
2009-09-06 20:23 . 2009-09-06 20:23 14766 ----a-w- c:\documents and settings\All Users\Application Data\vahu.dat
2009-09-04 00:28 . 2008-07-01 21:59 37 ----a-w- c:\documents and settings\default\jagex_runescape_preferences.dat
2009-08-16 19:04 . 2009-05-23 14:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 19:04 . 2008-01-27 03:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 19:04 . 2009-05-23 14:43 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\MSBuild
2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 05:44 . 2009-08-08 05:43 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:01 . 2008-01-23 03:28 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:36 . 2008-08-29 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 19:36 . 2008-08-29 04:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-01-23 03:25 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 18:21 . 2008-01-23 03:34 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 18:16 . 2008-01-29 04:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-03 17:09 . 2008-01-23 03:31 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-01-23 03:30 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-01-23 03:29 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-01-23 03:29 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-01-23 03:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-01-23 03:27 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-01-23 03:27 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-01-23 03:27 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2000-10-13 22:56 . 2000-10-13 22:56 23357 ----a-w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2009-09-15 00:57 . 5136045680D6EEFB0241B41160416438 . 27648 . . [------] . . c:\windows\SYSTEM32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-08 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2004-08-04 30208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Filseclab Messenger.lnk - c:\program files\Common Files\Filseclab\FilMsg.exe [2007-7-30 315652]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 19:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"=c:\progra~1\MESSEN~1\msmsgs.exe /background
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"TaskMonitor"=c:\windows\taskmon.exe
"PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
"MULTIMEDIA KEYBOARD"=c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe
"LoadQM"=loadqm.exe
"HPAIO_PrintFolderMgr"=c:\windows\SYSTEM\hpoopm07.exe
"DownloadWare"="c:\program files\DownloadWare\dw.exe" /H
"SearchEnhancement"="c:\program files\SCBAR\V1\SCBAR.EXE" /U
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NAV Agent"=c:\progra~1\NORTON~1\NAVAPW32.EXE
"RecoverFromReboot"=c:\windows\TEMP\RECOVE~1.EXE
"BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
"xfilter"="c:\program files\Filseclab\xfilter\xfilter.exe" -a

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/6/2009 7:52 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/23/2009 8:43 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/23/2009 8:43 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 8:42 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 8:42 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [5/25/2009 7:49 PM 36224]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Adobe Acrobat 5.0 - c:\windows\ISUNINST.EXE -fc:\program files\Common Files\Adobe\Acrobat 5.0\ME\Uninst.isu
AddRemove-BroadJump Client Foundation - c:\windows\IsUninst.exe -fc:\program files\BroadJump\Client Foundation\Uninst.isu -cc:\program files\BroadJump\Client Foundation\RmvBJCFD.dll
AddRemove-FoneSync - c:\windows\IsUninst.exe -fc:\program files\FoneSync\Uninst.isu
AddRemove-Image Expert 3.2 - c:\windows\IsUninst.exe -fc:\program files\Sierra Imaging\Image Expert 2000\Uninst.isu
AddRemove-MusicMatch Jukebox - c:\windows\IsUninst.exe -fc:\program files\MusicMatch\MusicMatch Jukebox\Uninst.isu
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 13:03
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(360)
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\MVOICE.VWP

- - - - - - - > 'lsass.exe'(416)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1324)
c:\windows\system32\WININET.dll
vsfocetkopabwq.dll 10000000 36864 \\?\globalroot\systemroot\system32\vsfocetkopabwq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\AVG\AVG8\AVGEMC.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\AVG\AVG8\AVGNSX.EXE
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-09-15 13:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 19:16

Pre-Run: 1,341,374,464 bytes free
Post-Run: 3,543,924,736 bytes free

445 --- E O F --- 2009-09-08 20:07
 
Please install recovery console manually like described in my link, rerun combofix and post back a fresh combofix log :)
 
Combofix Scan

Got it.

Combofix ran, with several windows opening to identify various corrupt files, and a reboot into normal XP mode (not recovery console mode). Here is the Combofix log:

===
ComboFix 09-09-14.02 - default 09/15/2009 23:25.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.136 [GMT -6:00]
Running from: c:\documents and settings\default\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\default\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
PEV Error: LocalAppDataFolder

((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-15 18:29 . 2009-09-15 18:29 -------- d-----w- C:\Combo-Fix
2009-09-15 17:57 . 2009-09-15 17:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-15 17:54 . 2009-09-15 17:54 12379 ----a-w- c:\documents and settings\default\Application Data\bifupexa.dat
2009-09-15 13:02 . 2009-09-15 13:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-15 01:05 . 2009-09-15 01:05 14268 ----a-w- c:\windows\system32\pepo.dat
2009-09-15 01:05 . 2009-09-15 01:05 10574 ----a-w- c:\documents and settings\default\Application Data\mykade.dat
2009-09-15 00:01 . 2009-09-15 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-14 13:30 . 2009-09-15 00:57 27648 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-10 06:09 . 2009-09-10 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
2009-09-08 19:28 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 05:45 . 2009-09-08 06:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-07 04:28 . 2009-09-07 04:28 -------- d-sh--w- c:\documents and settings\default\IECompatCache
2009-09-07 02:42 . 2009-09-07 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-07 02:31 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-07 01:52 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-07 01:51 . 2009-09-07 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-07 01:50 . 2009-09-07 01:50 -------- d-----w- c:\program files\Lavasoft
2009-09-06 22:51 . 2009-09-06 22:51 -------- d-----w- c:\program files\Trend Micro
2009-09-06 20:23 . 2009-09-06 20:23 16342 ----a-w- c:\documents and settings\default\Application Data\cixadura.dat
2009-09-06 19:57 . 2009-09-06 19:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\scripting
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\l2schemas
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\en
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\bits
2009-09-06 19:26 . 2009-09-06 19:27 -------- d-----w- c:\windows\EHome
2009-09-06 18:31 . 2009-09-06 18:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\default\PrivacIE
2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-06 18:21 . 2009-09-06 18:21 -------- d-sh--w- c:\documents and settings\default\IETldCache
2009-09-06 18:19 . 2009-09-06 18:19 -------- d-----w- c:\windows\ie8updates
2009-09-06 18:18 . 2009-09-06 18:18 -------- d--h--w- c:\windows\ie8
2009-09-06 18:17 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-06 18:17 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-06 18:17 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-06 18:17 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-06 18:17 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-06 18:17 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-06 18:03 . 2008-10-16 20:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 01:11 . 2009-09-16 05:22 268435456 --sha-w- c:\windows\system32\temppf.sys
2009-09-03 23:16 . 2009-09-03 23:17 45 ----a-w- c:\documents and settings\default\jagex_runescape_preferences2.dat
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iPod
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iTunes
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-18 02:51 . 2009-08-18 02:51 -------- d-----w- c:\program files\Bonjour
2009-08-18 02:50 . 2009-08-18 02:50 -------- d-----w- c:\program files\QuickTime
2009-08-18 02:47 . 2009-07-09 18:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 18:03 . 2009-09-15 18:03 19763 ----a-w- c:\program files\Common Files\ejujuraryj.lib
2009-09-06 20:23 . 2009-09-06 20:23 14766 ----a-w- c:\documents and settings\All Users\Application Data\vahu.dat
2009-09-04 00:28 . 2008-07-01 21:59 37 ----a-w- c:\documents and settings\default\jagex_runescape_preferences.dat
2009-08-16 19:04 . 2009-05-23 14:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 19:04 . 2008-01-27 03:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 19:04 . 2009-05-23 14:43 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\MSBuild
2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 05:44 . 2009-08-08 05:43 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:01 . 2008-01-23 03:28 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:36 . 2008-08-29 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 19:36 . 2008-08-29 04:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-01-23 03:25 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 18:21 . 2008-01-23 03:34 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 18:16 . 2008-01-29 04:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-03 17:09 . 2008-01-23 03:31 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-01-23 03:30 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-01-23 03:29 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-01-23 03:29 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-01-23 03:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-01-23 03:27 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-01-23 03:27 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-01-23 03:27 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2000-10-13 22:56 . 2000-10-13 22:56 23357 ----a-w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2009-09-15 00:57 . 5136045680D6EEFB0241B41160416438 . 27648 . . [------] . . c:\windows\SYSTEM32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-15_19.04.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:22 . 2009-09-16 05:22 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-23 04:22 . 2009-09-15 18:38 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-09-06 18:31 . 2009-09-15 18:38 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
+ 2009-09-06 18:31 . 2009-09-16 05:22 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
+ 2008-01-23 04:22 . 2009-09-16 05:22 49152 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-01-23 04:22 . 2009-09-15 18:38 49152 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-01-23 04:22 . 2009-09-16 05:22 360448 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-23 04:22 . 2009-09-15 18:38 360448 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-08 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2004-08-04 30208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Filseclab Messenger.lnk - c:\program files\Common Files\Filseclab\FilMsg.exe [2007-7-30 315652]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 19:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"=c:\progra~1\MESSEN~1\msmsgs.exe /background
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"TaskMonitor"=c:\windows\taskmon.exe
"PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
"MULTIMEDIA KEYBOARD"=c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe
"LoadQM"=loadqm.exe
"HPAIO_PrintFolderMgr"=c:\windows\SYSTEM\hpoopm07.exe
"DownloadWare"="c:\program files\DownloadWare\dw.exe" /H
"SearchEnhancement"="c:\program files\SCBAR\V1\SCBAR.EXE" /U
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NAV Agent"=c:\progra~1\NORTON~1\NAVAPW32.EXE
"RecoverFromReboot"=c:\windows\TEMP\RECOVE~1.EXE
"BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
"xfilter"="c:\program files\Filseclab\xfilter\xfilter.exe" -a

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/6/2009 7:52 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/23/2009 8:43 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/23/2009 8:43 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 8:42 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 8:42 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [5/25/2009 7:49 PM 36224]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 23:38
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(360)
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\MVOICE.VWP

- - - - - - - > 'lsass.exe'(416)
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-16 23:43
ComboFix-quarantined-files.txt 2009-09-16 05:43
ComboFix2.txt 2009-09-15 19:16

Pre-Run: 3,530,883,072 bytes free
Post-Run: 3,535,831,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

241 --- E O F --- 2009-09-08 20:07
 
You must log in or register to reply here.
Back
Top