[bluzrip]

Hello! Long time member, first time request for help... :normal:

My brother's PC has picked up Antivirus 2009, apparently through a Flash Player update ruse. Before he came to me he deleted the folder labeled "Antivirus 2009" in his program files.

This malware apparently tries hard to avoid its removal. I installed Malwarebytes' AntiMalware and HijackThis on advice from elsewhere. (I had to rename the installers before they would install; the same was true with GMER). I cannot get Malwarebytes' AntiMalware or Spybot S&D to run; the malware appears to block them somehow. I am also unable to update AVG Free. I have run HijackThis and produced a log if it is needed.

In accordance with your instructions, here are my GMER, DDS, and ATTACH files...

Any help would be most appreciated. Thank you for your kind assistance.


DDS (Version 1.0) - NTFSx86
Run by Chris at 13:26:15.42 on Wed 11/19/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.248 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\explorer32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris\Desktop\sillybill.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
BHO: {037C7B8A-151A-49E6-BAED-CC05FCB50328} - c:\windows\system32\winsrc.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [85211389743856697855676872738774] c:\program files\antivirus 2009\av2009.exe
uRun: [ieupdate] "c:\windows\system32\explorer32.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys
R2 KodakSvc;Kodak AiO Device Service;"c:\program files\kodak\printer\center\KodakSvc.exe"
R3 ati2mtaa;ati2mtaa;c:\windows\system32\drivers\ati2mtaa.sys

=============== Created Last 30 ================

2008-11-19 12:32 <DIR> --d----- c:\program files\Trend Micro
2008-11-19 12:24 0 a------- c:\windows\system32\winsrc.dll.tmp
2008-11-19 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-19 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-19 10:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-19 10:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-17 14:37 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2008-11-17 14:37 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-17 14:37 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-11-17 14:37 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-11-17 14:37 <DIR> --d----- c:\program files\AVG
2008-11-17 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-11-14 11:55 364,032 a------- c:\windows\system32\winsrc.BAK
2008-11-14 11:53 119,296 a------- c:\windows\system32\explorer32.exe
2008-11-14 11:53 119,296 a------- c:\windows\system32\ieupdates.exe
2008-11-12 15:49 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:49 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-10-24 08:25 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll

==================== Find3M ====================

2008-11-19 11:01 <DIR> --d----- c:\program files\SpywareBlaster
2008-10-19 15:04 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-10-12 08:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-13 09:30 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 12:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-07-15 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-06-03 17:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Eastman Kodak Company
2008-04-12 06:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kds_kodak
2008-01-09 19:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak
2008-01-07 19:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBT

============= FINISH: 13:26:56.07 ===============

 

[bluzrip]

I noticed in another thread regarding Antivirus 2009 that tetonbob instructed wadethetinter to use ComboFix. I've followed the instructions there and my log is below. Note that I made certain that I had an internet connection, but it failed to install Windows Recovery Console anyway.

Any help is greatly appreciated.

ComboFix 08-11-19.08 - Chris 2008-11-20 14:29:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.252 [GMT -5:00]

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\TDSSmhxt.sys
c:\windows\system32\explorer32.exe
c:\windows\system32\ieupdates.exe
c:\windows\system32\TDSScfgb.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSliqp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSosvn.dat
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSSthym.log
c:\windows\system32\TDSStkdv.log
c:\windows\system32\winsrc.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-20 00:50 . 2008-11-20 00:50 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:01 . 2008-11-19 20:01 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-19 12:32 . 2008-11-19 12:32 <DIR> d-------- c:\program files\Trend Micro
2008-11-19 10:59 . 2008-11-19 10:59 0 --a------ c:\windows\nsreg.dat
2008-11-19 10:19 . 2008-11-19 10:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-19 10:19 . 2008-11-19 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-19 10:19 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-19 10:19 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-19 09:53 . 2008-11-19 09:53 <DIR> d-------- c:\documents and settings\Administrator
2008-11-17 14:37 . 2008-11-17 14:37 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-17 14:37 . 2008-11-17 14:37 <DIR> d-------- c:\program files\AVG
2008-11-17 14:37 . 2008-11-19 11:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-17 14:37 . 2008-11-17 14:37 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-17 14:37 . 2008-11-17 14:37 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-17 14:37 . 2008-11-17 14:37 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-14 11:55 . 2008-11-19 09:32 364,032 --a------ c:\windows\system32\winsrc.BAK
2008-11-12 15:49 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 15:49 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 15:29 . 2008-11-04 15:29 <DIR> d-------- c:\windows\Sun
2008-10-24 08:25 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 19:32 3,969,056 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-20 19:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 19:19 --------- d-----w c:\program files\SpywareBlaster
2008-11-20 05:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 13:39 47,624 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-05 20:03 --------- d-----w c:\documents and settings\Chris\Application Data\U3
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 13:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-09-11 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-13 1052672]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-17 1234712]
"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 c:\windows\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 c:\windows\soundman.exe]
"AtiPTA"="atiptaxx.exe" [2001-09-26 c:\windows\system32\atiptaxx.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-17 97928]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2008-01-05 13696]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-17 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-17 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-17 76040]
R2 KodakSvc;Kodak AiO Device Service;"c:\program files\Kodak\printer\center\KodakSvc.exe" [2007-12-13 18944]
R3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2008-01-07 285088]

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\49cu9d5g.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 14:32:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmhxt.sys"
.
Completion time: 2008-11-20 14:33:55
ComboFix-quarantined-files.txt 2008-11-20 19:33:49

Pre-Run: 93,932,269,568 bytes free
Post-Run: 93,917,003,776 bytes free

132 --- E O F --- 2008-11-12 21:30:40

 

[bluzrip]

I failed to note that I downloaded the KB310994 update and dropped it on Combo-Fix. I got one message indicating that the Recovery Console had been installed followed later by a message saying the opposite (because I did not have an active internet connection... which is not true.) :normal:

EDIT: the updated log below indicates that Windows Recovery Console did install. :smile:


ComboFix 08-11-19.08 - Chris 2008-11-20 15:09:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.229 [GMT -5:00]
Running from: c:\documents and settings\Chris\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-20 00:50 . 2008-11-20 00:50 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:01 . 2008-11-19 20:01 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-19 12:32 . 2008-11-19 12:32 <DIR> d-------- c:\program files\Trend Micro
2008-11-19 10:59 . 2008-11-19 10:59 0 --a------ c:\windows\nsreg.dat
2008-11-19 10:19 . 2008-11-19 10:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-19 10:19 . 2008-11-19 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-19 10:19 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-19 10:19 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-19 09:53 . 2008-11-19 09:53 <DIR> d-------- c:\documents and settings\Administrator
2008-11-17 14:37 . 2008-11-17 14:37 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-17 14:37 . 2008-11-17 14:37 <DIR> d-------- c:\program files\AVG
2008-11-17 14:37 . 2008-11-19 11:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-17 14:37 . 2008-11-17 14:37 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-17 14:37 . 2008-11-17 14:37 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-17 14:37 . 2008-11-17 14:37 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-14 11:55 . 2008-11-19 09:32 364,032 --a------ c:\windows\system32\winsrc.BAK
2008-11-12 15:49 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 15:49 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 15:29 . 2008-11-04 15:29 <DIR> d-------- c:\windows\Sun
2008-10-24 08:25 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 20:12 4,202,528 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-20 19:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 19:19 --------- d-----w c:\program files\SpywareBlaster
2008-11-20 05:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 13:39 47,624 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-05 20:03 --------- d-----w c:\documents and settings\Chris\Application Data\U3
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 13:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-09-11 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-13 1052672]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-17 1234712]
"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 c:\windows\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 c:\windows\soundman.exe]
"AtiPTA"="atiptaxx.exe" [2001-09-26 c:\windows\system32\atiptaxx.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-17 97928]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2008-01-05 13696]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-17 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-17 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-17 76040]
R2 KodakSvc;Kodak AiO Device Service;"c:\program files\Kodak\printer\center\KodakSvc.exe" [2007-12-13 18944]
R3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2008-01-07 285088]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\49cu9d5g.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 15:12:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-20 15:13:40
ComboFix-quarantined-files.txt 2008-11-20 20:13:33
ComboFix2.txt 2008-11-20 19:50:09
ComboFix3.txt 2008-11-20 19:33:57

Pre-Run: 93,869,711,360 bytes free
Post-Run: 93,843,947,520 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

121 --- E O F --- 2008-11-12 21:30:40