hijackthis log and combiolog below
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:30 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone:
http://*.mcafee.comO16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) -
http://esupport.sony.com/VaioInfo.CABO16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) -
http://www.linkedin.com/cab/LinkedInCon ... ontrol.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.microsoft.com/windows ... 2569470828O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftup ... 2740102093O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 4893 bytes
ComboFix 09-05-20.A1 - Don Phipps 05/21/2009 12:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.313 [GMT -4:00]
Running from: c:\documents and settings\Don Phipps\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
c:\windows\system32\drivers\gxvxcydkavagrmkbcroulrkukopeykrhsdkeu.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcqjvcsxkuqaxjnukqxppqlfmixybqkmdy.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_GXVXCSERV.SYS
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.
2009-05-20 11:20 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-19 16:37 . 2009-05-19 16:37 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-19 14:13 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 14:13 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 14:13 . 2009-05-19 14:13 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 14:13 . 2009-05-19 14:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 14:03 . 2009-05-19 14:03 -------- d-sh--w c:\documents and settings\Don Phipps\PrivacIE
2009-05-19 14:01 . 2009-05-19 14:01 -------- d-sh--w c:\documents and settings\Don Phipps\IETldCache
2009-05-19 13:58 . 2009-05-19 13:58 -------- d-----w c:\windows\ie8updates
2009-05-19 13:58 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-19 13:56 . 2009-05-19 13:57 -------- dc-h--w c:\windows\ie8
2009-05-18 20:13 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-18 20:08 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-18 20:07 . 2009-05-18 20:07 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-18 20:06 . 2009-05-18 20:06 -------- d-----w c:\program files\Lavasoft
2009-05-18 20:06 . 2009-05-18 20:06 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 21:18 . 2009-01-23 15:31 -------- d-----w c:\program files\Trend Micro
2009-04-02 23:08 . 2009-01-23 15:34 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-02 23:08 . 2009-01-23 15:34 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 23:08 . 2009-01-23 15:34 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-02 21:23 . 2009-01-21 22:15 -------- d-----w c:\program files\Common Files\Adobe
2009-03-17 15:44 . 2009-01-21 23:29 1744 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-08 08:34 . 2008-04-14 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2008-04-14 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2008-04-14 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-04-14 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2008-04-14 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2008-04-14 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2008-04-14 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2008-04-14 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2008-04-14 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2008-04-14 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 02:17 . 2008-07-30 16:05 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-06 02:17 . 2008-07-30 16:05 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-06 02:17 . 2008-07-30 16:05 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-03 23:12 . 2008-07-30 16:05 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-03 09:08 . 2008-07-30 16:05 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-30 497008]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-1-21 98304]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/18/2009 4:08 PM 64160]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/23/2009 11:34 AM 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [1/23/2009 11:34 AM 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [7/30/2008 12:05 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [1/23/2009 11:34 AM 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [7/30/2008 12:05 PM 335376]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 951632]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://www.google.com/uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 0a000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 01000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = Microsoft Corporation
uInternet Connection Wizard,ShellNext = MICROSO
uInternet Connection Wizard,ShellNext = 6.0.2600.0000
uInternet Connection Wizard,ShellNext = no
uInternet Connection Wizard,ShellNext = \
0uInternet Connection Wizard,ShellNext = about:NoAdd-ons
uInternet Connection Wizard,ShellNext = about:SecurityRisk
uInternet Connection Wizard,ShellNext = yes
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-05-21 12:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-05-21 12:47
ComboFix-quarantined-files.txt 2009-05-21 16:47
Pre-Run: 67,280,912,384 bytes free
Post-Run: 67,336,810,496 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
152 --- E O F --- 2009-05-13 07:01