I'm new to this so I hope I'm doing it right

[capta]

a few days ago I picked up something that has caused me a lot of trouble. Most importantly, it has destroyed the system restore on the computer.
I have used spybot s&d, spyware blaster, spyware doctor w/ anti-virus, AVG (it was on the computer when I got it), and several online anti-virus programs and none will eliminate the problem.
Spyware doctor is keeping it under control (preventing desktop changes, etc.).
I have found some file names and removed them from the registry repeatedly, but they reappear. I've removed them in safe mode too, but to no avail.
It was identified by one program as trojan horse generic_coyj, but could not be removed or quarantined.
The errant files are as follows;
C:\WINDOWS\system32\phc1dgj0er0a.bmp
C:\WINDOWS\system32\blphc1dgi0er0a.scr
SMrhc5dgj0er0a
CMD/cdel"\C:\WINDOWS\system32\blpc1dgi0er0a
Win32/heur32\sysrest32.exe
SCRNSAVE.exe
These were all identified by the anti-virus software and I have been unable to locate some, though most 0er0a 's are reappearing in the registry.

my system info:
OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 2 Build 2600
thanks
OS Manufacturer Microsoft Corporation
System Name LAPTOP-04A6C888
System Manufacturer Dell Inc.
System Model Latitude D610
System Type X86-based PC
Processor x86 Family 6 Model 13 Stepping 8 GenuineIntel ~1596 Mhz
BIOS Version/Date Dell Inc. A03, 3/2/2005
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32

 

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time.

I appreciate the information you have provided, once you have carefully read the "Before you Post" directions, then post a HJT log.

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks

 

[capta]

thanks, I reread it and did as requested and posted again

thanks, I reread it and did as requested and posted again as "please help lost system restore and my desk top keeps getting hijacked"

 

[capta]

oops here's scan

Maybe I'll get it right soonL
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:14 AM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [lphc1dgj0er0a] C:\WINDOWS\system32\lphc1dgj0er0a
O4 - HKLM\..\Run: [SMrhc5dgj0er0a] C:\Program Files\rhc5dgj0er0a\rhc5dgj0er0a
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA2059] command /c del "C:\WINDOWS\system32\blphc1dgj0er0a.scr_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9388] cmd /c del "C:\WINDOWS\system32\blphc1dgj0er0a.scr_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6897] command /c del "C:\WINDOWS\system32\blphc1dgj0er0a.scr_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2313] cmd /c del "C:\WINDOWS\system32\blphc1dgj0er0a.scr_old"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll WIKI.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7801 bytes

 

[pskelley]

Thanks for returning your HJJ log, read and follow all directions carefully and in the numbered order.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

 

[capta]

combofix

I don't believe I've down loaded combofix onto my computer.
If its on there, I bought this compter used, maybe the previous owner (an it tech) did?
So before I do anything, please tell me if it is there or is that a general warning?
Thanks,
Andrew

 

[pskelley]

No Andrew, what happens is folks download and run the program (even though the creator tells them it should be used under supervision) and the program must be updated almost daily to keep up with the new junk the hackers throw at us. To make sure we are using the newest database, we ask that any old versions be deleted and the program downloaded new from a link where sUBs maintains the databases. It is unlikely you have an old copy, so just follow the directions and post those logs.

Thanks...Phil

 

[capta]

as requested,, I hope

This time I read EVERY word carefully, several times.



ComboFix 08-08-21.02 - Laptop 2008-08-23 16:21:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -4:00]
Running from: C:\Documents and Settings\Laptop\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\interclick.com
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\interclick.com\ud.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com\v1.0.0288\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com\v1.0.0304\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com\v1.0.0305\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com\v1.0.0307\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Program Files\Microsoft Security Adviser
C:\Program Files\Microsoft Security Adviser\msctrl.log
C:\Program Files\Microsoft Security Adviser\mssadv.log
C:\Program Files\Microsoft Security Adviser\mssadv_sp.log

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 10:16 . 2008-08-23 10:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 08:14 . 2008-08-23 08:15 51 --a------ C:\WINDOWS\system32\work.ini
2008-08-23 08:11 . 2008-08-23 08:11 262,424 --a------ C:\WINDOWS\system32\hguest.exe
2008-08-23 08:11 . 2008-08-23 08:11 194,471 --a------ C:\WINDOWS\system32\pcguardmon.exe
2008-08-23 08:11 . 2008-08-23 08:11 216 --a------ C:\WINDOWS\system32\hgset.ini
2008-08-23 08:10 . 2008-08-23 08:10 89,724 --a------ C:\WINDOWS\system32\hgcheck.exe
2008-08-18 16:03 . 2008-08-18 16:03 <DIR> d-------- C:\Documents and Settings\Laptop\Application Data\Apple Computer
2008-08-18 16:02 . 2008-08-18 16:03 <DIR> d-------- C:\Program Files\iTunes
2008-08-18 16:02 . 2008-08-18 16:02 <DIR> d-------- C:\Program Files\iPod
2008-08-18 16:02 . 2008-08-18 16:02 <DIR> d-------- C:\Program Files\Bonjour
2008-08-18 16:01 . 2008-08-18 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-18 16:00 . 2008-08-18 16:00 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-18 15:59 . 2008-08-18 15:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-18 15:59 . 2008-08-18 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-18 15:15 . 2008-08-18 15:31 <DIR> d-------- C:\itunes music
2008-08-07 21:05 . 2008-08-07 21:05 <DIR> d-------- C:\kav
2008-08-07 19:42 . 2008-08-07 19:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-08-07 19:40 . 2008-08-07 19:40 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-06 00:39 . 2008-08-06 00:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-06 00:39 . 2008-08-06 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-06 00:38 . 2008-08-06 00:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 22:10 . 2008-08-21 22:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-02 22:10 . 2008-08-02 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 21:56 . 2008-08-21 22:36 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-02 16:47 . 2008-08-02 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-02 16:47 . 2008-08-05 02:42 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-08-02 16:45 . 2008-08-02 16:47 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-26 15:48 . 2008-07-26 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 20:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-23 20:17 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-02 21:50 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-02 21:50 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-02 21:50 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-06-26 01:21 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-26 01:21 --------- d-----w C:\Program Files\Belkin
2008-06-26 00:29 --------- d-----w C:\Documents and Settings\Laptop\Application Data\PC Tools
2008-06-25 17:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 17:48 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-25 17:48 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-06-25 17:48 --------- d-----w C:\Documents and Settings\Laptop\Application Data\Share-to-Web Upload Folder
2008-06-25 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-25 16:10 --------- d-----w C:\Program Files\VMware
2008-06-25 16:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-25 15:52 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-25 15:52 --------- d-----w C:\Documents and Settings\Laptop\Application Data\VMware
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc1dgj0er0a"="C:\WINDOWS\system32\lphc1dgj0er0a" [X]
"SMrhc5dgj0er0a"="C:\Program Files\rhc5dgj0er0a\rhc5dgj0er0a" [X]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-15 17:53 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-15 17:50 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-15 17:54 118784]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 15:13 176128]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10 1392640]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-16 09:15 1177368]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-10 21:22 1163656]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 16:52 1585152]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll WIKI.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
-----c--- 2007-09-17 12:56 124200 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2006-11-05 12:22 221184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 17:50]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-02-08 21:05]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:42]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-16 09:15]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-16 09:15]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 17:50]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 16:49]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{538aeede-2eb0-11dd-ace9-005056c00008}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\RegCure Program Check.job
- G:\Program Files\RegCure\RegCure.exe [2007-08-02 12:20]

2008-07-13 C:\WINDOWS\Tasks\RegCure.job
- G:\Program Files\RegCure\RegCure.exe [2007-08-02 12:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 16:26:12
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 16:28:13
ComboFix-quarantined-files.txt 2008-08-23 20:28:08

Pre-Run: 18,467,389,440 bytes free
Post-Run: 18,578,030,592 bytes free

165 --- E O F --- 2008-08-12 21:24:15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:23 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [lphc1dgj0er0a] C:\WINDOWS\system32\lphc1dgj0er0a
O4 - HKLM\..\Run: [SMrhc5dgj0er0a] C:\Program Files\rhc5dgj0er0a\rhc5dgj0er0a
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll WIKI.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7325 bytes

Thanks
Andrew

 

[pskelley]

Thanks for returning your information, proceed carefully like this:

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\lphc1dgj0er0a
C:\WINDOWS\system32\hguest.exe
C:\WINDOWS\system32\pcguardmon.exe
C:\WINDOWS\system32\hgcheck.exe

Folder::
C:\Program Files\rhc5dgj0er0a

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(may be gone)

O4 - HKLM\..\Run: [lphc1dgj0er0a] C:\WINDOWS\system32\lphc1dgj0er0a
O4 - HKLM\..\Run: [SMrhc5dgj0er0a] C:\Program Files\rhc5dgj0er0a\rhc5dgj0er0a

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the combofix log from CFScript, the MBAM log and a new HJT log.

Tell me how the computer is running now.

Thanks

 

[capta]

reply didn't post first time

Phil
As requested:


ComboFix 08-08-21.02 - Laptop 2008-08-23 16:21:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -4:00]
Running from: C:\Documents and Settings\Laptop\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\interclick.com
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\interclick.com\ud.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com\v1.0.0288\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com\v1.0.0304\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com\v1.0.0305\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\#SharedObjects\QAWCH2AA\static.youku.com\v1.0.0307\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Laptop\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Program Files\Microsoft Security Adviser
C:\Program Files\Microsoft Security Adviser\msctrl.log
C:\Program Files\Microsoft Security Adviser\mssadv.log
C:\Program Files\Microsoft Security Adviser\mssadv_sp.log

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 10:16 . 2008-08-23 10:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 08:14 . 2008-08-23 08:15 51 --a------ C:\WINDOWS\system32\work.ini
2008-08-23 08:11 . 2008-08-23 08:11 262,424 --a------ C:\WINDOWS\system32\hguest.exe
2008-08-23 08:11 . 2008-08-23 08:11 194,471 --a------ C:\WINDOWS\system32\pcguardmon.exe
2008-08-23 08:11 . 2008-08-23 08:11 216 --a------ C:\WINDOWS\system32\hgset.ini
2008-08-23 08:10 . 2008-08-23 08:10 89,724 --a------ C:\WINDOWS\system32\hgcheck.exe
2008-08-18 16:03 . 2008-08-18 16:03 <DIR> d-------- C:\Documents and Settings\Laptop\Application Data\Apple Computer
2008-08-18 16:02 . 2008-08-18 16:03 <DIR> d-------- C:\Program Files\iTunes
2008-08-18 16:02 . 2008-08-18 16:02 <DIR> d-------- C:\Program Files\iPod
2008-08-18 16:02 . 2008-08-18 16:02 <DIR> d-------- C:\Program Files\Bonjour
2008-08-18 16:01 . 2008-08-18 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-18 16:00 . 2008-08-18 16:00 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-18 15:59 . 2008-08-18 15:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-18 15:59 . 2008-08-18 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-18 15:15 . 2008-08-18 15:31 <DIR> d-------- C:\itunes music
2008-08-07 21:05 . 2008-08-07 21:05 <DIR> d-------- C:\kav
2008-08-07 19:42 . 2008-08-07 19:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-08-07 19:40 . 2008-08-07 19:40 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-06 00:39 . 2008-08-06 00:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-06 00:39 . 2008-08-06 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-06 00:38 . 2008-08-06 00:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 22:10 . 2008-08-21 22:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-02 22:10 . 2008-08-02 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 21:56 . 2008-08-21 22:36 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-02 16:47 . 2008-08-02 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-02 16:47 . 2008-08-05 02:42 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-08-02 16:45 . 2008-08-02 16:47 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-26 15:48 . 2008-07-26 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 20:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-23 20:17 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-02 21:50 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-02 21:50 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-02 21:50 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-06-26 01:21 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-26 01:21 --------- d-----w C:\Program Files\Belkin
2008-06-26 00:29 --------- d-----w C:\Documents and Settings\Laptop\Application Data\PC Tools
2008-06-25 17:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 17:48 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-25 17:48 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-06-25 17:48 --------- d-----w C:\Documents and Settings\Laptop\Application Data\Share-to-Web Upload Folder
2008-06-25 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-25 16:10 --------- d-----w C:\Program Files\VMware
2008-06-25 16:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-25 15:52 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-25 15:52 --------- d-----w C:\Documents and Settings\Laptop\Application Data\VMware
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc1dgj0er0a"="C:\WINDOWS\system32\lphc1dgj0er0a" [X]
"SMrhc5dgj0er0a"="C:\Program Files\rhc5dgj0er0a\rhc5dgj0er0a" [X]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-15 17:53 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-15 17:50 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-15 17:54 118784]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 15:13 176128]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10 1392640]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-16 09:15 1177368]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-10 21:22 1163656]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 16:52 1585152]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll WIKI.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
-----c--- 2007-09-17 12:56 124200 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2006-11-05 12:22 221184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 17:50]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-02-08 21:05]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:42]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-16 09:15]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-16 09:15]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 17:50]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 16:49]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{538aeede-2eb0-11dd-ace9-005056c00008}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\RegCure Program Check.job
- G:\Program Files\RegCure\RegCure.exe [2007-08-02 12:20]

2008-07-13 C:\WINDOWS\Tasks\RegCure.job
- G:\Program Files\RegCure\RegCure.exe [2007-08-02 12:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 16:26:12
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 16:28:13
ComboFix-quarantined-files.txt 2008-08-23 20:28:08

Pre-Run: 18,467,389,440 bytes free
Post-Run: 18,578,030,592 bytes free

165 --- E O F --- 2008-08-12 21:24:15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:23 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [lphc1dgj0er0a] C:\WINDOWS\system32\lphc1dgj0er0a
O4 - HKLM\..\Run: [SMrhc5dgj0er0a] C:\Program Files\rhc5dgj0er0a\rhc5dgj0er0a
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll WIKI.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7325 bytes

hope this is what you need
Thanks
Andrew

 

[pskelley]

Please be careful as we are working on your computer:sad:

Today, 16:35 #8
ComboFix 08-08-21.02 - Laptop 2008-08-23 16:21:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -4:00]
Running from: C:\Documents and Settings\Laptop\Desktop\ComboFix.exe

Today, 17:09 #10
ComboFix 08-08-21.02 - Laptop 2008-08-23 16:21:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -4:00]
Running from: C:\Documents and Settings\Laptop\Desktop\ComboFix.exe

as you can plainly see you have posted the same combofix log twice. I need the log from CFscript, it will end like this:

\Desktop\CFScript.txt

Look at the time and make sure the HJT log is run AFTER CFScript.

ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:23 PM, on 8/23/2008

Thanks

 

[capta]

oops again

Phil
Sorry, the above I re-posted because it didn't show up when I came to look for your reply.
It is not the new one requested in your reply w/ the directions regarding the CFScript.
Andrew

 

[capta]

All ok???

Phil
I believe I read EVERYTHING correctly and carefully this time and below are the 3 logs requested.

ComboFix 08-08-21.02 - Laptop 2008-08-23 17:31:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -4:00]
Running from: C:\Documents and Settings\Laptop\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Laptop\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\hgcheck.exe
C:\WINDOWS\system32\hguest.exe
C:\WINDOWS\system32\lphc1dgj0er0a
C:\WINDOWS\system32\pcguardmon.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hgcheck.exe
C:\WINDOWS\system32\hguest.exe
C:\WINDOWS\system32\pcguardmon.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 10:16 . 2008-08-23 10:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 08:14 . 2008-08-23 08:15 51 --a------ C:\WINDOWS\system32\work.ini
2008-08-23 08:11 . 2008-08-23 08:11 216 --a------ C:\WINDOWS\system32\hgset.ini
2008-08-18 16:03 . 2008-08-18 16:03 <DIR> d-------- C:\Documents and Settings\Laptop\Application Data\Apple Computer
2008-08-18 16:02 . 2008-08-18 16:03 <DIR> d-------- C:\Program Files\iTunes
2008-08-18 16:02 . 2008-08-18 16:02 <DIR> d-------- C:\Program Files\iPod
2008-08-18 16:02 . 2008-08-18 16:02 <DIR> d-------- C:\Program Files\Bonjour
2008-08-18 16:01 . 2008-08-18 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-18 16:00 . 2008-08-18 16:00 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-18 15:59 . 2008-08-18 15:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-18 15:59 . 2008-08-18 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-18 15:15 . 2008-08-18 15:31 <DIR> d-------- C:\itunes music
2008-08-07 21:05 . 2008-08-07 21:05 <DIR> d-------- C:\kav
2008-08-07 19:42 . 2008-08-07 19:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-08-07 19:40 . 2008-08-07 19:40 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-06 00:39 . 2008-08-06 00:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-06 00:39 . 2008-08-06 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-06 00:38 . 2008-08-06 00:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 22:10 . 2008-08-21 22:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-02 22:10 . 2008-08-02 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 21:56 . 2008-08-21 22:36 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-02 16:47 . 2008-08-02 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-02 16:47 . 2008-08-05 02:42 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-08-02 16:45 . 2008-08-02 16:47 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-26 15:48 . 2008-07-26 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 20:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-23 20:17 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-02 21:50 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-02 21:50 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-02 21:50 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-06-26 01:21 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-26 01:21 --------- d-----w C:\Program Files\Belkin
2008-06-26 00:29 --------- d-----w C:\Documents and Settings\Laptop\Application Data\PC Tools
2008-06-25 17:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 17:48 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-25 17:48 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-06-25 17:48 --------- d-----w C:\Documents and Settings\Laptop\Application Data\Share-to-Web Upload Folder
2008-06-25 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-25 16:10 --------- d-----w C:\Program Files\VMware
2008-06-25 16:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-25 15:52 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-25 15:52 --------- d-----w C:\Documents and Settings\Laptop\Application Data\VMware
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc1dgj0er0a"="C:\WINDOWS\system32\lphc1dgj0er0a" [X]
"SMrhc5dgj0er0a"="C:\Program Files\rhc5dgj0er0a\rhc5dgj0er0a" [X]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-15 17:53 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-15 17:50 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-15 17:54 118784]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 15:13 176128]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10 1392640]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-16 09:15 1177368]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-10 21:22 1163656]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 16:52 1585152]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll WIKI.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
-----c--- 2007-09-17 12:56 124200 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2006-11-05 12:22 221184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 17:50]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-02-08 21:05]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:42]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-16 09:15]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-16 09:15]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 17:50]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 16:49]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{538aeede-2eb0-11dd-ace9-005056c00008}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\RegCure Program Check.job
- G:\Program Files\RegCure\RegCure.exe [2007-08-02 12:20]

2008-07-13 C:\WINDOWS\Tasks\RegCure.job
- G:\Program Files\RegCure\RegCure.exe [2007-08-02 12:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 17:34:51
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 17:36:28
ComboFix-quarantined-files.txt 2008-08-23 21:36:24
ComboFix2.txt 2008-08-23 20:28:15

Pre-Run: 18,565,074,944 bytes free
Post-Run: 18,551,652,352 bytes free

149 --- E O F --- 2008-08-12 21:24:15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:22 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll WIKI.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7177 bytes

Phil
As you can see, Malware found nothing. Does that mean I'm ok now? I just checked and system restore is functioning, though I haven't used it, at least it is there. When should I set up a retore point ( you mentioned that a
start up file needs to repopulate)?
Andrew

 

[pskelley]

Malware found nothing.<<< is this MBAM? Are you sure, it should have found the items in the C:\Qoobox\Quarantine\ (which is the combofix quarantine items) also it normally would find some infected System Restore files.

you mentioned that a start up file needs to repopulate

<<< that is Prefetch, I posted a link to information.*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

If all is running well then let's do this next.

1) Turn on System Restore (if off) and create a new Restore Point.

2) I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

Thanks

 

[capta]

malware

Phil
here is the malware scan log:
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 17:34:51
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

I do not have the discs, and I do want the restore capability so i'll follow directions,, but, should I run malware again before we proceed with your last post?
Andrew

 

[capta]

malware scan

Phil
I think this is the correct file:

Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 2

6:48:57 PM 8/23/2008
mbam-log-08-23-2008 (18-48-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 72758
Time elapsed: 36 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Andrew

 

[pskelley]

Thanks Andrew, MBAM is clean, go ahead and install Recovery Console and post the C:\*CF-RC.txt* once it installed. If you read and follow the directions carefully, you will have no problems.

Thanks....Phil

 

[capta]

CF-RC.txt

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

[pskelley]

Looks good Andrew, here is some information about RC:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.

We are finished with combofix, remove it like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

To be sure, clean System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update and run your resident programs, AVG 8 and Spyware Doctor, let me know how the computer is running at that point.

Thanks...Phil

 

[capta]

All done?

Phil
Spybot S&D found nothing, but Spyware doctor found 29 infections which it fixed.
Windows firewall wants me to turn it on. Should I?
What should I do with Hijack this, the AFT cleaner, mbam & the WindowsXP-KB310994-SP2-Pro-BootDisk-ENU file?
When I reboot, a full screen, black screen with white writing flashes very quickly saying something about what do I want to use to boot up, restore console or xp pro ??? , but the system goes on to boot properly, I believe. Otherwise, all seems ok.
Is there an anti-virus program you would recommend?
When tea timer is turned on it has been using 100% of my cpu (on windows task mgr) for about 10 minutes on start up. Is this normal? Really slows computer down!
Also, it seems the computer is running 45-48 processes; is there somewhere (online?) where I can find out which ones I can safely get rid of to improve performance?
Otherwise, thank you so very much for all the help. I am a captain w/ lots of boating (sail & power) experience, so if I can return the help in marine knowledge, please do not hesitate to ask.
Thanks again,
Andrew