I had IE7 hijacked. Searches would lead to proper-looking results but wrong URLs. The URLs were mostly shopping and antivirus sites. Windows Update would fail due to it reading IE7 as IE5, and I upgraded to IE8 Beta to try to resolve this. I have followed the whole "Spyware Removal Guide". Had to uninstall Ad-Aware to load AVG. The following are after running all recommended programs per the guide. Let me know what you think.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:13:34, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1229828095515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1229828084625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grigsbydds.local
O17 - HKLM\Software\..\Telephony: DomainName = grigsbydds.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grigsbydds.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grigsbydds.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 4878 bytes
_________________________________________________
ComboFix 09-02-19.01 - hy1 2009-02-21 17:40:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.617 [GMT -6:00]
Running from: c:\documents and settings\hy1\My Documents\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wdmaud.sys
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.
2009-02-21 14:33 . 2009-02-21 14:33 <DIR> d-------- C:\VundoFix Backups
2009-02-21 14:17 . 2009-02-21 14:17 <DIR> d-------- c:\program files\Trend Micro
2009-02-21 14:09 . 2009-02-21 14:09 <DIR> d-------- c:\program files\CCleaner
2009-02-21 14:03 . 2009-02-21 14:03 <DIR> d-------- c:\program files\CleanUp!
2009-02-21 13:24 . 2009-02-21 13:24 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-02-21 12:56 . 2009-02-21 12:56 <DIR> d-------- c:\program files\7-Zip
2009-02-21 10:41 . 2009-02-21 10:41 <DIR> d-------- c:\documents and settings\hy1\Application Data\Malwarebytes
2009-02-21 10:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 10:40 . 2009-02-21 10:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 10:40 . 2009-02-21 10:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-21 10:40 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-15 16:00 . 2009-02-15 16:00 <DIR> d--hs---- c:\documents and settings\hy1\PrivacIE
2009-02-15 16:00 . 2009-02-15 16:00 <DIR> d--hs---- c:\documents and settings\hy1\IETldCache
2009-02-15 15:53 . 2009-02-15 15:53 <DIR> d--h-c--- c:\windows\ie8
2009-02-15 13:13 . 2009-02-15 13:13 <DIR> d-------- c:\program files\Panda Security
2009-02-13 19:56 . 2009-02-13 19:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-13 19:56 . 2009-02-21 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-13 18:55 . 2009-02-13 18:13 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-13 18:13 . 2009-02-13 18:13 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-13 18:13 . 2009-02-13 18:13 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-13 18:11 . 2009-02-13 18:11 <DIR> d-------- c:\program files\Lavasoft
2009-02-13 18:11 . 2009-02-13 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-13 18:11 . 2009-02-13 18:11 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 23:37 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-21 20:27 --------- d-----w c:\program files\Google
2009-02-14 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-15 08:17 636,264 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-01-15 08:17 392,040 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-01-15 08:13 5,888,512 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-15 08:12 10,963,968 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-01-15 08:06 236,544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-01-15 08:06 105,984 ----a-w c:\windows\system32\dllcache\url.dll
2009-01-15 08:06 1,182,720 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-01-15 08:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 08:05 911,872 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-01-15 08:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 08:05 43,008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-01-15 08:05 193,536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-01-15 08:05 109,056 ----a-w c:\windows\system32\dllcache\occache.dll
2009-01-15 08:04 755,200 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-01-15 08:04 25,600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-01-15 08:04 18,944 ----a-w c:\windows\system32\dllcache\corpol.dll
2009-01-15 08:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 08:02 611,840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-01-15 08:02 593,920 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-01-15 08:02 1,975,296 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-01-15 08:01 66,560 ----a-w c:\windows\system32\dllcache\mshtmled.dll
2009-01-15 08:01 59,904 ----a-w c:\windows\system32\dllcache\icardie.dll
2009-01-15 08:01 54,272 ----a-w c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-15 08:01 46,592 ----a-w c:\windows\system32\dllcache\pngfilt.dll
2009-01-15 08:01 348,160 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
2009-01-15 08:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 08:01 34,304 ----a-w c:\windows\system32\dllcache\imgutil.dll
2009-01-15 08:01 216,064 ----a-w c:\windows\system32\dllcache\dxtrans.dll
2009-01-15 08:01 183,808 ----a-w c:\windows\system32\dllcache\iepeers.dll
2009-01-15 08:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 08:00 48,128 ----a-w c:\windows\system32\dllcache\mshtmler.dll
2009-01-15 08:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 08:00 45,568 ----a-w c:\windows\system32\dllcache\mshta.exe
2009-01-15 07:53 68,608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-01-15 07:50 156,160 ----a-w c:\windows\system32\msls31.dll
2009-01-15 07:50 156,160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-01-15 07:35 445,440 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2008-12-21 02:54 --------- d-----w c:\program files\Java
2008-06-01 00:58 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008053120080601\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-06-25 771440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 116328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIXL"= pclepixl.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.NTN1"= NUVision.ax
"aux"= wdmaud.sys
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-13 64160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-01-19 109616]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\drivers\nuvvid2.sys [2008-01-22 155264]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-02-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-13 18:13]
2009-01-31 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - hy1.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-06-26 02:27]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
.
------- Supplementary Scan -------
.
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 17:42:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-21 17:43:43
ComboFix-quarantined-files.txt 2009-02-21 23:43:40
Pre-Run: 67,695,071,232 bytes free
Post-Run: 67,677,732,864 bytes free
169