Hi, done that, here is combofix.txt -
ComboFix 10-01-26.05 - Administrator 27/01/2010 12:58:52.1.1 - x86
Running from: C:\Combo-Fix.exe
.
/wow section - STAGE 10
'play.lnk' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
'Malware' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
'Malware' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
'NIRCMD.exe' is not recognized as an internal or external command
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\inst.exe
c:\recycler\S-1-5-21-4061059247-1267991622-2069447697-500
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\Thumbs.db
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.
2010-01-27 12:56 . 2010-01-27 13:07 -------- d-----w- C:\32788R22FWJFW
2010-01-27 12:43 . 2010-01-27 13:07 -------- d-----w- C:\Combo-Fix
2010-01-27 12:41 . 2010-01-27 12:41 3838105 ----a-r- C:\Combo-Fix.exe
2010-01-27 08:34 . 2010-01-24 12:57 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-27 08:34 . 2010-01-24 12:57 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-26 08:45 . 2010-01-26 08:45 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-26 08:45 . 2010-01-26 08:45 -------- d-----w- c:\program files\TrendMicro
2010-01-25 21:26 . 2010-01-25 21:26 724952 ----a-w- C:\avenger.zip
2010-01-25 20:56 . 2010-01-25 20:56 -------- d-----w- C:\fixy
2010-01-25 20:55 . 2010-01-25 20:55 284915 ----a-w- C:\fixy.zip
2010-01-25 20:48 . 2010-01-25 20:48 -------- d-----w- C:\fix
2010-01-25 20:47 . 2010-01-25 20:47 284915 ----a-w- C:\fix.zip
2010-01-25 20:28 . 2010-01-25 20:31 -------- d-----w- C:\gmer
2010-01-25 20:21 . 2010-01-25 20:21 -------- d-----w- C:\Autoruns
2010-01-25 20:18 . 2010-01-25 20:18 595499 ----a-w- C:\Autoruns.zip
2010-01-25 00:30 . 2010-01-25 00:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert
2010-01-25 00:23 . 2010-01-25 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-25 00:23 . 2010-01-25 00:23 -------- d-----w- c:\program files\CCleaner
2010-01-25 00:20 . 2009-11-10 10:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-25 00:20 . 2009-11-10 10:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-25 00:20 . 2009-11-10 10:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-25 00:20 . 2009-11-10 10:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-25 00:20 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-25 00:20 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
2010-01-25 00:20 . 2009-10-30 11:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-25 00:19 . 2009-11-09 11:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-25 00:19 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-25 00:19 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-25 00:19 . 2010-01-25 00:21 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-25 00:19 . 2010-01-25 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-24 23:30 . 2010-01-24 23:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-24 23:30 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-24 23:30 . 2010-01-24 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-24 23:30 . 2010-01-26 21:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-24 23:30 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-24 21:45 . 2009-11-25 13:02 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-01-24 13:18 . 2010-01-24 13:18 21277080 ----a-w- c:\documents and settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_en_US.exe
2010-01-24 12:58 . 2010-01-24 13:01 -------- d-----w- C:\$AVG
2010-01-24 12:58 . 2010-01-24 12:58 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-01-24 12:58 . 2010-01-24 12:58 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-24 12:58 . 2010-01-24 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-01-24 12:57 . 2010-01-24 12:57 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-24 12:57 . 2010-01-24 12:57 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-24 12:57 . 2010-01-24 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-24 12:57 . 2010-01-24 13:00 -------- d-----w- c:\windows\SxsCaPendDel
2010-01-24 08:33 . 2010-01-24 08:33 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-24 08:33 . 2010-01-24 08:33 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-14 21:59 . 2010-01-14 21:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-12 22:58 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 13:09 . 2009-02-26 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-01-27 13:06 . 2008-05-18 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-25 00:39 . 2008-05-18 02:15 -------- d-----w- c:\program files\Spyware Doctor
2010-01-25 00:23 . 2008-07-11 22:03 -------- d-----w- c:\program files\Yahoo!
2010-01-24 13:47 . 2004-08-03 21:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-24 12:58 . 2008-06-17 11:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-24 12:58 . 2008-06-17 11:46 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-24 12:58 . 2007-05-22 17:53 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-24 12:58 . 2008-07-02 19:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-24 12:57 . 2008-06-17 11:46 -------- d-----w- c:\program files\AVG
2010-01-24 08:35 . 2007-04-24 16:53 -------- d-----w- c:\program files\Java
2009-12-23 22:02 . 2007-08-15 13:38 -------- d-----w- c:\program files\MagicDVDCopier
2009-12-21 19:14 . 2004-09-10 13:57 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2004-09-10 13:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\apps\SMP\SmpSys.exe" [2005-11-17 975360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-25 14477312]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 729178]
"AGRSMMSG"="AGRSMMSG.exe" [2005-05-11 88204]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-24 98304]
"STICAP"="c:\program files\Trust\WB-3500T USB2 Webcam\SnapTrap.exe" [2004-11-05 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 19968]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-24 2033432]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-24 12:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2010-01-24 30104]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
R3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\Drivers\Capt930b.sys [2005-04-21 273982]
S0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\System32\Drivers\AVGIDSxx.sys [2010-01-24 25608]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-01-24 161800]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-01-24 333192]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-01-24 360584]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-01-24 285392]
S2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2010-01-24 2304192]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2009-11-10 112592]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2010-01-24 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [2010-01-24 122376]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [2010-01-24 30216]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [2010-01-24 25736]
.
Contents of the 'Scheduled Tasks' folder
2010-01-26 c:\windows\Tasks\User_Feed_Synchronization-{E2E6400E-7DD1-4CF6-BDEC-ECFD3105A0FD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 13:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3902241196-2789265861-811768785-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cf,af,e8,3f,f3,c8,5f,40,a6,18,1b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,81,31,1e,cb,d3,12,0f,42,ae,f7,bd,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cf,af,e8,3f,f3,c8,5f,40,a6,18,1b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RTHDCPL.EXE
c:\windows\AGRSMMSG.exe
c:\windows\LOGI_MWX.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-01-27 13:12:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-27 13:12
Pre-Run: 90,707,156,992 bytes free
Post-Run: 90,720,174,080 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - CA52493A6A6BD497A04722814A6F7CE5