Log Review Please


PHACINC

Picked up some kind of malware, I think from a webpage ad. Symptoms were (1) Google redirects and (2) "Microsoft Development Environment" popped up at random. Ran a full scan and here are the logs. Thank you in advance!

Dan
_________________________

ComboFix 10-09-24.03 - Dan Horton 09/24/2010 20:20:24.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.501.170 [GMT -5:00]
Running from: c:\documents and settings\Dan Horton\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared
c:\program files\Shared\lib.sig
c:\windows\system32\AutoRun.inf

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
.

2010-09-25 01:17 . 2010-09-25 01:17 -------- d-----w- C:\found.000
2010-09-23 16:35 . 2010-09-23 16:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 17:44 . 2008-11-23 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-21 20:52 . 2008-11-23 13:58 -------- d-----w- c:\program files\Google
2010-09-16 22:27 . 2010-02-19 16:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-10 13:37 . 2007-08-18 02:45 -------- d-----w- c:\program files\AutoCAD R14
2010-09-04 14:26 . 2007-08-08 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-08-17 13:17 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-08-10 16:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-16 15:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2004-08-10 16:51 149504 ----a-w- c:\windows\system32\schannel.dll
2008-11-23 13:57 . 2008-11-23 13:57 1018008 ----a-w- c:\program files\Google_Updater.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-15 149280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-21 385024]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 09:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 9:54 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 9:54 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 9:54 AM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:28 PM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-23 11:08]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:28]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?tab=wn
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.14/uploader2.cab
.
.
------- File Associations -------
.
.scr=AutoCADScript
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-09-24 20:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-09-24 20:34:36
ComboFix-quarantined-files.txt 2010-09-25 01:34

Pre-Run: 51,722,870,784 bytes free
Post-Run: 52,209,463,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5181A98629F60B9556F0D780097C8E77
__________________________________

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4687

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

9/24/2010 8:51:19 PM
mbam-log-2010-09-24 (20-51-19).txt

Scan type: Quick scan
Objects scanned: 133568
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_____________________________________

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:53:21 PM, on 9/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Dan Horton\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google News
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Laptops, Desktop Computers, Monitors, Printers & PC Accessories | Dell
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/58.14/uploader2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1187187135687
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 7933 bytes
 
POST EDIT - UPDATE: AVG identified these problems today, after running ComboFix and posting the log seen below. AVG does not appear to be able to deal with these infections.

"C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir";"Virus identified Win32/Patched.DX";"Deleted"


"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1170\A0087224.dll";"Trojan horse Cryptic.BAE";"Infected"


"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1170\A0087225.exe";"Trojan horse Generic19.ABYE";"Infected"


"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1170\A0089336.sys";"Virus identified Win32/Patched.DX";"Infected"
________________________

ComboFix 10-09-26.04 - Dan Horton 09/27/2010 8:20.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.501.263 [GMT -5:00]
Running from: c:\documents and settings\Dan Horton\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-25 02:07 . 2010-09-25 02:08 -------- d-----w- C:\Virus and Malware Elimination
2010-09-25 01:42 . 2010-09-25 01:42 -------- d-----w- c:\documents and settings\Dan Horton\Application Data\Malwarebytes
2010-09-25 01:42 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-25 01:42 . 2010-09-25 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-25 01:42 . 2010-09-25 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-25 01:42 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-25 01:17 . 2010-09-25 01:17 -------- d-----w- C:\found.000
2010-09-23 16:35 . 2010-09-23 16:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-26 19:46 . 2008-11-23 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-21 20:52 . 2008-11-23 13:58 -------- d-----w- c:\program files\Google
2010-09-16 22:27 . 2010-02-19 16:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-10 13:37 . 2007-08-18 02:45 -------- d-----w- c:\program files\AutoCAD R14
2010-09-04 14:26 . 2007-08-08 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-08-17 13:17 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-08-10 16:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-16 15:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2004-08-10 16:51 149504 ----a-w- c:\windows\system32\schannel.dll
2008-11-23 13:57 . 2008-11-23 13:57 1018008 ----a-w- c:\program files\Google_Updater.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-15 149280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-21 385024]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 09:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 9:54 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 9:54 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 9:54 AM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:28 PM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-23 11:08]

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:28]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?tab=wn
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.14/uploader2.cab
.
.
------- File Associations -------
.
.scr=AutoCADScript
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-09-27 08:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-27 08:31:57
ComboFix-quarantined-files.txt 2010-09-27 13:31
ComboFix2.txt 2010-09-25 01:34

Pre-Run: 52,014,370,816 bytes free
Post-Run: 52,162,367,488 bytes free

- - End Of File - - C96EDC67C61FC62AA3219D265961A4E1
 
Disabled system restore, ran Combofix again, log split and posted in this and next post (forum software declared a single post too long, over 20,000 characters).
Dan
________________________



ComboFix 10-09-28.03 - Dan Horton 09/29/2010 9:09.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.501.131 [GMT -5:00]
Running from: c:\documents and settings\Dan Horton\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-25 02:07 . 2010-09-25 02:08 -------- d-----w- C:\Virus and Malware Elimination
2010-09-25 01:42 . 2010-09-25 01:42 -------- d-----w- c:\documents and settings\Dan Horton\Application Data\Malwarebytes
2010-09-25 01:42 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-25 01:42 . 2010-09-25 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-25 01:42 . 2010-09-25 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-25 01:42 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-25 01:17 . 2010-09-25 01:17 -------- d-----w- C:\found.000
2010-09-23 16:35 . 2010-09-23 16:35 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 13:48 . 2010-09-29 05:45 24486 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3166u3165wk.bin
2010-09-29 13:48 . 2010-09-29 05:12 108825 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_243d242kv.bin
2010-09-29 13:26 . 2007-08-18 02:45 -------- d-----w- c:\program files\AutoCAD R14
2010-09-28 22:27 . 2010-09-28 17:48 20042 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3165u3164uq.bin
2010-09-28 21:48 . 2008-11-23 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-28 13:48 . 2010-09-28 06:41 22904 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3164u3163iv.bin
2010-09-28 13:48 . 2010-09-28 05:02 317 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_242d241gl.bin
2010-09-27 22:27 . 2010-09-27 18:02 21421 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3163u3162jb.bin
2010-09-27 14:32 . 2010-09-27 06:42 29062 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3162u3161cm.bin
2010-09-27 14:32 . 2010-09-27 05:04 609 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_355d354cm.bin
2010-09-26 22:47 . 2010-09-26 18:48 45706 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3161u3160ua.bin
2010-09-26 14:32 . 2010-09-26 07:08 7623 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3160u3159hx.bin
2010-09-26 14:32 . 2010-09-26 05:29 1131 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_354d3539a.bin
2010-09-25 22:47 . 2010-09-25 17:52 38435 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3159u3158jm.bin
2010-09-25 14:33 . 2010-09-25 06:42 28393 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3158u3157iu.bin
2010-09-25 00:55 . 2010-09-24 17:23 26575 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3157u3156dz.bin
2010-09-24 13:06 . 2010-09-24 06:43 21127 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3156u3155sy.bin
2010-09-24 13:06 . 2010-09-24 05:00 837 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_353d352f.bin
2010-09-23 22:24 . 2010-09-23 18:43 47342 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3155u3154uz.bin
2010-09-23 22:24 . 2010-09-23 05:02 595 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_352d351wf.bin
2010-09-23 16:44 . 2010-09-22 13:57 5375774 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_2417a.bin
2010-09-23 16:44 . 2010-09-22 17:52 234255 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_351dt.bin
2010-09-23 16:42 . 2010-09-23 06:45 102400 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3154u3149xy.bin
2010-09-23 16:42 . 2010-09-22 17:52 1067 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_351d348dt.bin
2010-09-23 16:42 . 2010-09-22 13:57 7542 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_241d2397a.bin
2010-09-23 15:04 . 2010-09-23 06:43 23965 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3154u3153ey.bin
2010-09-22 23:47 . 2010-09-22 18:49 36812 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3153u3152xm.bin
2010-09-22 23:47 . 2010-09-22 17:52 731 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_351d349dt.bin
2010-09-22 23:47 . 2010-09-22 13:57 317 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_241d2407a.bin
2010-09-22 13:27 . 2010-09-22 06:44 22984 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3152u3150mz.bin
2010-09-22 13:27 . 2010-09-22 05:01 887 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_349d348sd.bin
2010-09-22 13:27 . 2010-09-22 05:00 7542 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_240d239sc.bin
2010-09-21 23:47 . 2010-09-21 18:42 41861 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3150u3149rp.bin
2010-09-21 20:52 . 2008-11-23 13:58 -------- d-----w- c:\program files\Google
2010-09-21 13:27 . 2010-09-21 06:43 21602 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3149u3148ix.bin
2010-09-21 13:27 . 2010-09-21 05:00 797 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_348d347ob.bin
2010-09-21 13:27 . 2010-09-21 05:00 4296 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_239d238ob.bin
2010-09-20 23:47 . 2010-09-20 17:10 30197 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3148u3147mr.bin
2010-09-20 13:27 . 2010-09-20 06:41 30992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3147u3146uc.bin
2010-09-20 13:27 . 2010-09-20 05:01 1906 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_347d346kb.bin
2010-09-20 13:27 . 2010-09-20 05:00 24577 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_238d237ka.bin
2010-09-19 23:47 . 2010-09-19 18:42 42846 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3146u3145rm.bin
2010-09-19 13:27 . 2010-09-19 06:41 32619 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3145u3144cd.bin
2010-09-18 23:47 . 2010-09-18 18:43 69668 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3144u3143ge.bin
2010-09-18 13:27 . 2010-09-18 06:41 101583 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3143u3142is.bin
2010-09-17 23:47 . 2010-09-17 18:42 38247 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3142u3140tb.bin
2010-09-17 13:27 . 2010-09-17 06:41 21064 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3140u3139qd.bin
2010-09-17 13:27 . 2010-09-17 05:00 807 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_346d34487.bin
2010-09-16 23:47 . 2010-09-16 18:41 42171 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3139u3138zh.bin
2010-09-16 23:47 . 2010-09-16 05:00 8467 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_344d31246.bin
2010-09-16 23:47 . 2010-09-16 05:00 7824 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_237d23646.bin
2010-09-16 22:27 . 2010-02-19 16:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-16 13:14 . 2010-09-16 06:41 26193 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3138u3137ej.bin
2010-09-15 22:54 . 2010-09-15 18:42 41045 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3137u3136kl.bin
2010-09-15 13:14 . 2010-09-15 06:44 15960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3136u3135ef.bin
2010-09-15 13:14 . 2010-09-15 05:00 374771 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_236d2355.bin
2010-09-14 22:54 . 2010-09-14 18:41 27657 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3135u3134yi.bin
2010-09-14 13:14 . 2010-09-14 06:42 20660 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3134u3133ar.bin
2010-09-14 13:14 . 2010-09-10 05:00 9056 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_235d234fz.bin
2010-09-13 22:54 . 2010-09-13 18:41 14920 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3133u3132cl.bin
2010-09-13 13:14 . 2010-09-13 06:42 12858 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3132u3131pi.bin
2010-09-12 22:54 . 2010-09-12 18:40 17494 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3131u3130bd.bin
2010-09-12 13:14 . 2010-09-12 06:41 11005 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3130u3129ki.bin
2010-09-11 22:54 . 2010-09-11 18:42 31854 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3129u3128pc.bin
2010-09-11 13:14 . 2010-09-11 06:43 25285 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3128u3126ob.bin
2010-09-10 14:39 . 2010-09-10 07:14 38359 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3126u3125zc.bin
2010-09-09 22:42 . 2010-09-09 18:39 20825 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3125u3124lw.bin
2010-09-09 14:39 . 2010-09-09 06:41 30845 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3124u3123wu.bin
2010-09-09 14:39 . 2010-09-09 05:00 18992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_234d233by.bin
2010-09-08 22:42 . 2010-09-08 17:47 44630 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3123u3121he.bin
2010-09-08 22:42 . 2010-09-01 14:08 215726 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\f8fc57ux.bin
2010-09-08 14:39 . 2010-09-08 06:14 18638 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3121u3120gb.bin
2010-09-08 14:39 . 2010-08-31 17:31 54905 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\f8ls444r427di.bin
2010-09-08 14:39 . 2010-08-31 17:31 337 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\f8krnl445r436di.bin
2010-09-07 22:42 . 2010-09-07 18:49 38555 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3120u3119lc.bin
2010-09-07 14:39 . 2010-09-07 06:42 10101 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3119u3118fu.bin
2010-09-06 22:42 . 2010-09-06 18:41 34229 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3118u3117fe.bin
2010-09-06 14:39 . 2010-09-06 06:42 13305 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3117u3116bw.bin
2010-09-05 22:42 . 2010-09-05 18:41 7793 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3116u3115gv.bin
2010-09-05 14:39 . 2010-09-05 06:41 28088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3115u3114lh.bin
2010-09-05 14:39 . 2010-09-05 05:20 413430 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_233d232wd.bin
2010-09-04 22:42 . 2010-09-04 18:41 39740 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3114u3113cp.bin
2010-09-04 14:39 . 2010-09-04 06:42 13470 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3113u3112bp.bin
2010-09-04 14:26 . 2007-08-08 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-03 22:42 . 2010-09-03 18:41 43244 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3112u3111zm.bin
2010-09-03 14:39 . 2010-09-03 06:41 20112 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3111u3110xi.bin
2010-09-02 22:42 . 2010-09-02 18:56 35984 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3110u3108dv.bin
2010-09-02 14:39 . 2010-09-02 06:41 31029 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3108u3107iu.bin
2010-09-02 14:39 . 2010-09-02 05:53 8986 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_232d231l7.bin
2010-09-01 22:42 . 2010-09-01 18:41 51872 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3107u3106uz.bin
2010-09-01 14:39 . 2010-09-01 06:42 15966 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3106u3105uk.bin
2010-08-31 22:42 . 2010-08-31 18:41 25189 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3105u3104ui.bin
2010-08-31 22:42 . 2010-08-31 18:04 13440 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_231d230ef.bin
2010-08-31 14:39 . 2010-08-31 06:41 25847 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3104u3103mq.bin
2010-08-31 14:39 . 2010-08-31 05:00 44428 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_230d229sm.bin
2010-08-30 22:42 . 2010-08-30 18:41 23632 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3103u3102kx.bin
2010-08-30 14:39 . 2010-08-30 06:41 24320 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\download\u9iavi3102u3101lh.bin
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-17 13:17 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-08-10 16:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-15 149280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-21 385024]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 09:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 9:54 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 9:54 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 9:54 AM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:28 PM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-23 11:08]

2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:28]

2010-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?tab=wn
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.14/uploader2.cab
.
.
------- File Associations -------
.
.scr=AutoCADScript
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-09-29 09:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1632)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-29 09:25:37
ComboFix-quarantined-files.txt 2010-09-29 14:25
ComboFix2.txt 2010-09-27 13:31
ComboFix3.txt 2010-09-25 01:34

Pre-Run: 54,486,949,888 bytes free
Post-Run: 54,553,694,208 bytes free

- - End Of File - - 4D40E2190DBADE0AC411D43191809E3F
 
Malwarebytes log below. AVG is also reporting no infections.
________________________________________

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4687

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

10/1/2010 8:44:35 AM
mbam-log-2010-10-01 (08-44-35).txt

Scan type: Quick scan
Objects scanned: 135935
Time elapsed: 6 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 