Completed all tasks. Hijack this log first them combofix log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:32 PM, on 11/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\PHASEO~1\C1LE~1\DCIMImp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\anything.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.earthlink.net/partner/more/m ... earch.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\C1LE~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/kos/eng/partne ... nicode.cabO16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) -
http://dgl.microsoft.com/downloads/outc.cabO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ADSService - EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: AuthFw - Authentium - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 6343 bytes
ComboFix 08-11-28.02 - Rich Wilson 2008-11-28 19:54:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.460 [GMT -5:00]
Running from: c:\documents and settings\Rich Wilson\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\BM37334b6a.txt
c:\windows\system32\alhamxve.dll
c:\windows\system32\aphjzd.dll
c:\windows\system32\bkbbbvwy.dll
c:\windows\system32\bqsbqsyx.dll
c:\windows\system32\cbXPIbXr.dll.vir
c:\windows\system32\cbXRIcBS.dll
c:\windows\system32\ddgtvhrn.dll
c:\windows\system32\dwopnxeq.ini
c:\windows\system32\ecjcxfty.ini
c:\windows\system32\fgpytv.dll
c:\windows\system32\ialhajwk.dll
c:\windows\system32\jhkiur.dll
c:\windows\system32\kbemutis.dll
c:\windows\system32\lzjezj.dll
c:\windows\system32\ogramwvy.dll
c:\windows\system32\qexnpowd.dll
c:\windows\system32\rfsklu.dll
c:\windows\system32\SBcIRXbc.ini
c:\windows\system32\SBcIRXbc.ini2
c:\windows\system32\skozkk.dll
c:\windows\system32\ssqnkLed.dll
c:\windows\system32\Uututvut.ini
c:\windows\system32\vgeafvui.dll
c:\windows\system32\xufdfrob.dll
c:\windows\system32\yqrnpcdd.ini
c:\windows\Temp\tmp3.tmp
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.
2008-11-21 16:03 . 2008-11-21 16:03 <DIR> d-------- C:\VundoFix Backups
2008-11-20 22:36 . 2008-11-20 22:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-19 11:32 . 2008-11-19 11:32 <DIR> d-------- c:\program files\Trend Micro
2008-11-19 10:22 . 2008-11-19 10:22 <DIR> d-------- c:\program files\Panda Security
2008-11-04 17:38 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2008-11-04 17:38 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
2008-11-04 17:38 . 2001-08-17 14:02 9,600 --a------ c:\windows\SYSTEM32\DRIVERS\hidusb.sys
2008-11-04 17:38 . 2001-08-17 14:02 9,600 --a------ c:\windows\SYSTEM32\DLLCACHE\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 03:36 --------- d-----w c:\program files\Lavasoft
2008-11-09 19:24 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-09 15:51 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-15 16:57 332,800 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-09-04 16:42 1,106,944 ------w c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-02-21 01:25 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-08-19 17:13 95,456 ----a-w c:\documents and settings\Rich Wilson\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 942080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-12-07 258118]
"Phase One Media Reader"="c:\progra~1\PHASEO~1\C1LE~1\DCIMImp.exe" [2005-12-07 229376]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
"Earthlink Protection Control Center"="c:\program files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" [2007-11-15 58856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\SYSTEM32\bthprops.cpl]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2002-06-08 135680]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-07-06 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
R0 adwarealert;adwarealert;c:\windows\system32\DRIVERS\adwarealert.sys [2008-02-23 19696]
R0 GRFILTER;CS NDIS Driver;c:\windows\system32\drivers\GRFILTER.sys [2007-04-11 22528]
R2 EarthLinkMonitor;EarthLink Monitor Service;"c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe" [2005-01-26 65604]
R2 GRTdiMon;GR TDI Mon;c:\windows\system32\Drivers\GRTdiMon.sys [2007-04-11 42496]
R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe" [2006-04-06 41025]
R3 AuthFw;AuthFw;"c:\program files\Authentium\Firewall SDK\AuthFw.exe" [2007-04-05 495616]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
S1 anftdird.sys;anftdird.sys; []
S3 ADSFilter;ADSFilter - (EarthLink Filter Driver);c:\windows\system32\drivers\ADSFilter.sys [2007-08-03 57456]
S3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);c:\windows\system32\drivers\ADSMonitor.sys [2007-08-03 38384]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;\??\c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [2007-04-26 151832]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;\??\c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [2007-04-26 31000]
S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;\??\c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [2006-10-16 38632]
S4 hpt3xx;hpt3xx;c:\windows\system32\DRIVERS\hpt3xx.sys [2001-08-17 38144]
.
- - - - ORPHANS REMOVED - - - -
BHO-{70A8249B-A228-47C9-814D-161EB6DD03D3} - c:\windows\system32\cbXRIcBS.dll
BHO-{83502367-2679-4925-B4FC-CF0507EAF85E} - c:\windows\system32\tuvtutuU.dll
BHO-{bcd4c7f0-d173-47f7-95f8-d1ed426115cb} - c:\windows\system32\skozkk.dll
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
ShellExecuteHooks-{AF209DB6-29BB-4F8B-84E8-2056EA999610} - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Rich Wilson\Application Data\Mozilla\Firefox\Profiles\rj7raph1.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
hxxp://en-US.start2.mozilla.com/firefox ... S:officialFF -: plugin - c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-11-28 20:02:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(700)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Phase One\C1 LE\DCIMImp.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\windows\SYSTEM32\ntvdm.exe
.
**************************************************************************
.
Completion time: 2008-11-28 20:07:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 01:07:05
ComboFix2.txt 2008-03-25 23:18:05
Pre-Run: 58,161,844,224 bytes free
Post-Run: 58,348,331,008 bytes free
161 --- E O F --- 2008-11-11 21:25:14
Thanks