Done, and done. Scouts honor I actually uninstalled those programs since we last spoke, and before I read this
. I'm not
so dumb. I had not installed Avast! until after I had done all the ComboFix and Hijackthis because I thought it would interfere. You should definitely see it now. Here is the ComboFix log first.
ComboFix 09-01-10.03 - Robert 2009-01-12 10:08:35.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1614 [GMT -6:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090112-0] *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system32\ffkuz.dll
c:\windows\system32\k9261108.exe
c:\windows\Tasks\qfpdvosu.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Robert\Application Data\DNA
c:\documents and settings\Robert\Application Data\DNA\dht.dat
c:\documents and settings\Robert\Application Data\DNA\dht.dat.old
c:\documents and settings\Robert\Application Data\DNA\dna.lng
c:\documents and settings\Robert\Application Data\DNA\resume.dat
c:\documents and settings\Robert\Application Data\DNA\resume.dat.old
c:\documents and settings\Robert\Application Data\DNA\rss.dat
c:\documents and settings\Robert\Application Data\DNA\rss.dat.old
c:\documents and settings\Robert\Application Data\DNA\settings.dat
c:\documents and settings\Robert\Application Data\DNA\settings.dat.old
c:\documents and settings\Robert\Application Data\LimeWire
c:\documents and settings\Robert\Application Data\LimeWire\.AppSpecialShare\American Gods.torrent.bak
c:\documents and settings\Robert\Application Data\LimeWire\.AppSpecialShare\Neil.Gaiman.&Terry.Pratchett.-.Good.Omens.rar.torrent.bak
c:\documents and settings\Robert\Application Data\LimeWire\active.mojito
c:\documents and settings\Robert\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Robert\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Robert\Application Data\LimeWire\downloads.dat
c:\documents and settings\Robert\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Robert\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Robert\Application Data\LimeWire\filters.props
c:\documents and settings\Robert\Application Data\LimeWire\gnutella.net
c:\documents and settings\Robert\Application Data\LimeWire\installation.props
c:\documents and settings\Robert\Application Data\LimeWire\library.dat
c:\documents and settings\Robert\Application Data\LimeWire\limewire.props
c:\documents and settings\Robert\Application Data\LimeWire\mojito.props
c:\documents and settings\Robert\Application Data\LimeWire\passive.mojito
c:\documents and settings\Robert\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Robert\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Robert\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Robert\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Robert\Application Data\LimeWire\questions.props
c:\documents and settings\Robert\Application Data\LimeWire\responses.cache
c:\documents and settings\Robert\Application Data\LimeWire\simpp.xml
c:\documents and settings\Robert\Application Data\LimeWire\spam.dat
c:\documents and settings\Robert\Application Data\LimeWire\tables.props
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\
01_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\
02_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\
03_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\
04_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\
05_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Robert\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Robert\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Robert\Application Data\LimeWire\version.xml
c:\documents and settings\Robert\Application Data\LimeWire\versions.props
c:\documents and settings\Robert\Application Data\LimeWire\xml\data\audio.sxml2
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
C:\temp
c:\temp\ext18866\install.exe
c:\temp\ext18866\install.res.dll
c:\temp\REX81\BDF.log
c:\temp\SrtTrail.log
c:\temp\SrtTrail.txt
c:\windows\system32\ffkuz.dll
c:\windows\system32\k9261108.exe
c:\windows\system32\xn
c:\windows\Tasks\qfpdvosu.job
.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-11 13:22 . 2009-01-11 13:22 <DIR> d-------- c:\program files\Alwil Software
2009-01-11 13:22 . 2003-03-18 15:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-11 13:04 . 2009-01-11 13:05 250 --a------ c:\windows\gmer.ini
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 20:00 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 20:00 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 16:53 . 2009-01-07 16:53 <DIR> d-------- c:\program files\Trend Micro
2008-12-28 10:57 . 2009-01-11 12:58 <DIR> d-------- c:\program files\ThreatFire
2008-12-28 10:57 . 2009-01-11 12:58 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 10:53 . 2008-12-28 10:53 <DIR> d-------- c:\documents and settings\Robert\Application Data\AdobeUM
2008-12-28 10:46 . 2008-12-28 10:46 <DIR> d-------- c:\program files\BillP Studios
2008-12-28 10:46 . 2008-12-28 10:46 <DIR> d-------- c:\documents and settings\Robert\Application Data\WinPatrol
2008-12-27 22:47 . 2008-12-28 10:30 <DIR> d-------- c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 16:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 05:29 --------- d-----w c:\program files\ASUS
2008-12-28 04:47 --------- d-----w c:\program files\The Chronicles of Spellborn
2008-12-17 19:49 --------- d-----w c:\program files\World of Warcraft
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\SxsCaPendDel ----
((((((((((((((((((((((((((((( snapshot@2009-01-11_13.00.36.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-11 19:04:54 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-r c:\windows\gmer.exe
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2009-01-11 19:04:54 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-01-11 19:26:35 16,384 ----atw c:\windows\temp\Perflib_Perfdata_604.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-08 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"nwiz"="nwiz.exe" [2008-01-08 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-11 111184]
R1 EIO_XP;EIO_XP;c:\windows\system32\drivers\EIO_XP.sys [2008-06-28 12288]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-11 20560]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D32.sys --> c:\windows\system32\Drivers\Video3D32.sys [?]
S4 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - ASWUPDSV
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a356b1f1-88f9-11dd-a02f-001fc6ab2ffd}]
\Shell\AutoRun\command - LinksysConnectPC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder
2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\ubao93oa.default\
FF - prefs.js: browser.search.defaulturl -
hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=FF - prefs.js: keyword.URL -
hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-01-12 10:09:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 10:10:47
ComboFix-quarantined-files.txt 2009-01-12 16:10:29
ComboFix2.txt 2009-01-11 19:01:29
Pre-Run: 133,396,983,808 bytes free
Post-Run: 133,383,540,736 bytes free
221 --- E O F --- 2008-12-18 09:00:48
And, the new Hijackthis.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:27 AM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.microsoft.com/windows ... 1942519578O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/microso ... 1945223593O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
--
End of file - 4306 bytes