Edit: About the "Albany Inn" thing, this used to be my boss's business computer; however, it has since been retired to his children when he upgraded to a better model. It's an Indian family, they don't mess with much, but the youngest got the Antivirus 2009 problem on there in the first place. They are different in the way they do things: instead of changing the home page, they made a link on the desktop to Google and click on that.
Kaspersky:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 13, 2008 17:57:19
Records in database: 1458326
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Files scanned: 64806
Threat name: 7
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 02:04:21
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe Infected: not-a-virus:FraudTool.Win32.MSAntivirus.cg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmqxt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Agent.asqr 1
The selected area was scanned.
ComboFix:
ComboFix 08-12-11.04 - Owner 2008-12-13 22:21:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.73 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210145901203.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210150336250.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210165734421.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210181306953.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210182849375.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081211181236843.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081211194533078.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081211211436593.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
.
--------------- FCopy ---------------
c:\windows\system32\stu2.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-13 22:19 . 2008-12-13 22:20 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2008-12-11 19:49 . 2008-12-11 21:23 <DIR> d-------- C:\cfix
2008-12-10 13:50 . 2008-12-13 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
2008-12-09 15:31 . 2008-12-09 15:34 1,374 --a------ c:\windows\imsins.BAK
2008-12-04 22:40 . 2008-12-04 22:40 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 22:07 . 2008-12-04 22:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 22:07 . 2008-12-04 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 21:07 . 2008-12-04 21:07 <DIR> d-------- c:\program files\Lavasoft
2008-12-04 21:07 . 2008-12-04 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-04 21:06 . 2008-12-04 21:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-04 14:41 . 2008-12-04 14:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 14:41 . 2008-12-04 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 14:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 14:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Administrator
2008-11-28 01:37 . 2008-11-28 01:37 <DIR> d-------- c:\documents and settings\Albany Inn\Application Data\Juniper Networks
2008-11-28 01:36 . 2008-11-28 01:37 <DIR> d-------- c:\documents and settings\Albany Inn
2008-11-27 08:57 . 2008-12-04 16:20 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-26 10:52 . 2008-11-29 04:43 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-26 10:52 . 2008-11-26 10:52 <DIR> d-------- c:\program files\AVG
2008-11-26 10:52 . 2008-11-29 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-26 10:52 . 2008-11-26 10:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-26 10:52 . 2008-11-26 10:52 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-26 10:52 . 2008-11-26 10:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-25 13:57 . 2008-04-13 16:12 26,112 --------- c:\windows\system32\stu2.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 05:21 --------- d-----w c:\program files\GameHouse
2008-11-26 20:44 --------- d-----w c:\program files\Symantec
2008-11-26 20:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-26 19:14 --------- d-----w c:\program files\Shockwave.com
2008-11-26 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-26 18:59 --------- d-----w c:\program files\MySpace
2008-11-22 17:56 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-17 08:40 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-06-03 14:01 724,984 ----a-w c:\documents and settings\Owner\gotomypc_437.exe
2007-01-13 17:02 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-11-28 23:50 563,712 ----a-w c:\documents and settings\Owner\gotomypc_370.exe
2008-08-11 03:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-09-13 4621816]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\windows\ir50_32.dll
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.MJPG"= c:\windows\m3jpeg32.dll
"vidc.dmb1"= c:\windows\m3jpeg32.dll
"vidc.GEOX"= c:\windows\system32\GeoCodec.dll
"vidc.GM20"= c:\windows\system32\GXGM20.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-27 02:04 1261336 c:\progra~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
-ra------ 2005-02-03 18:38 1851392 c:\program files\Support.com\bin\tgcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"spkrmon"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aawservice"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-26 97928]
R1 NEOFLTR_550_12491;Juniper Networks TDI Filter Driver (NEOFLTR_550_12491);\??\c:\windows\system32\Drivers\NEOFLTR_550_12491.SYS [2007-12-25 64144]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-26 76040]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-26 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-26 231704]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-02-11 24652]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1549de56-b82b-11dd-9212-0011115ceff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5e13a39-242e-11db-90f7-0011115ceff6}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eade6503-c458-11dc-919b-0011115ceff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.albany-inn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-13 22:23:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-13 22:27:18
ComboFix-quarantined-files.txt 2008-12-14 06:26:03
ComboFix2.txt 2008-12-12 05:22:13
Pre-Run: 26,922,360,832 bytes free
Post-Run: 26,990,141,440 bytes free
175 --- E O F --- 2008-12-09 23:35:16
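Added example, not part of the post above and not code from Kaspersky, ComboFix or the poster: a small Python triage script that pulls out the lines a responder looks at first in logs of this shape (Kaspersky "Infected:" detections, the ComboFix FCopy that restored userinit.exe from stu2.exe, the AppInit_DLLs value, services disabled through msconfig, MountPoints2 AutoRun handlers, and TDSS-style driver/DLL names). The regexes encode my assumptions about the log layout as it appears above, the SECURITY_SERVICES list is my own choice, and SAMPLE_LOG is constructed for this example from lines modelled on the two logs.

```python
"""Triage helper for Kaspersky Online Scanner / ComboFix log lines.
Added example, not code from Kaspersky, ComboFix or the poster.  The line
layouts are assumptions inferred from the logs in the post, and SAMPLE_LOG
is constructed for this example from lines of that shape."""
import re
from collections import defaultdict

# Services worth flagging when ComboFix lists them under msconfig\services
# (that key holds services disabled via msconfig; the value is the original
# start type, 2 = Automatic).  The list itself is an assumption.
SECURITY_SERVICES = {
    "wuauserv": "Windows Update",
    "wscsvc": "Security Center",
    "SharedAccess": "Windows Firewall / ICS",
}

# One regex per log line shape we care about (assumed layouts).
KASPERSKY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<count>\d+)$")
FCOPY_RE = re.compile(r"^(?P<src>[A-Za-z]:\\.+?)\s+-->\s+(?P<dst>[A-Za-z]:\\.+)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
MSCONFIG_SVC_RE = re.compile(r'^"(?P<svc>[^"]+)"=(?P<start>\d+)\s+\(0x[0-9A-Fa-f]+\)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")
# TDSS-era component names seen above: "TDSS" followed by four random characters.
TDSS_NAME_RE = re.compile(r"\\TDSS[A-Za-z0-9]{4}\.(?:sys|dll)(?:\.vir)?$", re.IGNORECASE)


def triage(log_text):
    """Return a dict of finding lists keyed by category."""
    findings = defaultdict(list)
    section = None  # current REGEDIT4 key, lower-cased, e.g. [hklm\...\msconfig\services]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        m = KASPERSKY_RE.match(line)
        if m:
            findings["detections"].append((m["path"], m["name"]))
            if TDSS_NAME_RE.search(m["path"]):
                findings["rootkit_components"].append(m["path"])
            continue
        m = FCOPY_RE.match(line)
        if m:  # ComboFix replaced a system file with a clean copy
            findings["file_replacements"].append((m["src"], m["dst"]))
            continue
        m = APPINIT_RE.match(line)
        if m:  # every DLL listed here is loaded into every process that loads user32
            findings["appinit_dlls"].append(m["value"])
            continue
        if section and "msconfig\\services" in section:
            m = MSCONFIG_SVC_RE.match(line)
            if m and m["svc"] in SECURITY_SERVICES:
                findings["disabled_security_services"].append(
                    (m["svc"], SECURITY_SERVICES[m["svc"]], int(m["start"])))
            continue
        m = AUTORUN_RE.match(line)
        if m:  # MountPoints2 AutoRun handlers for removable drives
            findings["autorun_commands"].append(m["cmd"])
    return dict(findings)


def action_items(findings):
    """Turn findings into the follow-up checks a responder should run."""
    items = []
    for src, dst in findings.get("file_replacements", []):
        items.append(f"verify {dst} (restored from {src}) is a signed Microsoft binary")
    if findings.get("rootkit_components"):
        items.append("TDSS components present: re-scan with a rootkit detector after reboot")
    for dll in findings.get("appinit_dlls", []):
        items.append(f"confirm AppInit_DLLs entry {dll} belongs to installed software")
    for svc, desc, start in findings.get("disabled_security_services", []):
        items.append(f"re-enable {svc} ({desc}), original start type {start}")
    for cmd in findings.get("autorun_commands", []):
        items.append(f"review removable-media AutoRun command {cmd}")
    return items


# Constructed sample, modelled on the log lines in the post above.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe Infected: not-a-virus:FraudTool.Win32.MSAntivirus.cg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmqxt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Agent.asqr 1
--------------- FCopy ---------------
c:\windows\system32\stu2.exe --> c:\windows\system32\userinit.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"ose"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5e13a39-242e-11db-90f7-0011115ceff6}]
\Shell\AutoRun\command - F:\setupSNK.exe
"""

if __name__ == "__main__":
    for item in action_items(triage(SAMPLE_LOG)):
        print("-", item)
```

Run it against a saved ComboFix log by reading the file into `triage()`; the script only reports, it changes nothing on the machine. Note that the AppInit_DLLs value in this log (avgrsstx.dll) is AVG's own, which is why the output asks you to confirm the entry rather than calling it malicious, and that the msconfig\services entries mean Windows Update and Security Center were disabled on this box and should be switched back on once the system is clean.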