UPDATE: AVG CORRECTED THEIR UPDATE AND SCAN THIS MORNING FOUND SMIT/FRAUDFIX/IEDFIX.EXE AND SYSTEM 32/IEDFI.EXE. I moved them to the vault.
ComboFix 08-08-16.01 - 007 2008-08-16 20:13:16.8 - NTFSx86
Running from: C:\Documents and Settings\007\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\007\Application Data\macromedia\Flash Player\#SharedObjects\J78XNJNB\interclick.com
C:\Documents and Settings\007\Application Data\macromedia\Flash Player\#SharedObjects\J78XNJNB\interclick.com\ud.sol
C:\Documents and Settings\007\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\007\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\007\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\007\Cookies\0[email protected][1].txt
C:\Documents and Settings\007\Cookies\0[email protected][1].txt
C:\Documents and Settings\007\Cookies\007@apartments[1].txt
C:\Documents and Settings\007\Cookies\007@cc-dt[1].txt
C:\Documents and Settings\007\Cookies\007@circuitcity[1].txt
C:\Documents and Settings\007\Cookies\007@contextweb[1].txt
C:\Documents and Settings\007\Cookies\0[email protected][1].txt
C:\Documents and Settings\007\Cookies\0[email protected][1].txt
C:\Documents and Settings\007\Cookies\007@imiclk[2].txt
C:\Documents and Settings\007\Cookies\007@insightexpressai[2].txt
C:\Documents and Settings\007\Cookies\007@realmedia[1].txt
C:\Documents and Settings\007\Cookies\007@revsci[1].txt
C:\Documents and Settings\007\Cookies\0[email protected][1].txt
C:\Documents and Settings\007\Cookies\0[email protected][3].txt
C:\Documents and Settings\007\Cookies\0[email protected][2].txt
C:\Documents and Settings\007\Cookies\007@yahoo[1].txt
C:\Documents and Settings\007\Cookies\007@yahoo[3].txt
C:\Documents and Settings\007\Cookies\007@youramigo[1].txt
C:\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
.
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.
2008-08-16 20:09 . 2008-08-16 20:10 <DIR> d-------- C:\327882R2FWJFW
2008-08-06 20:46 . 2008-08-06 20:46 <DIR> d-------- C:\batt_en.tos
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 06:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-20 06:07 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-03 16:34 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 16:34 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-03 16:34 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-01 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-01 04:00 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-01 04:00 --------- d-----w C:\Documents and Settings\007\Application Data\SUPERAntiSpyware.com
2008-07-01 03:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 04:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-29 22:01 4,298 ----a-w C:\WINDOWS\system32\tmp.reg
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 06:34 82,432 ----a-w C:\WINDOWS\system32\IEDFix.C.exe
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-29 16:35 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-05-24 01:21 81,920 ----a-w C:\WINDOWS\system32\404Fix.exe
2008-05-19 04:40 82,944 ----a-w C:\WINDOWS\system32\IEDFix.exe
2007-12-27 00:06 1,658 ------w C:\Documents and Settings\007\Application Data\wklnhst.dat
2007-07-31 20:06 622,928 ------w C:\Documents and Settings\Spybot - Search & Destroy\Tools.dll
2007-05-23 20:13 693,848 ------w C:\Documents and Settings\Spybot - Search & Destroy\advcheck.dll
2005-08-14 02:34 12,635 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.dat
2005-08-14 02:33 649,378 ------w C:\Documents and Settings\Spybot - Search & Destroy\unins000.exe
2005-05-31 08:04 853,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\SDHelper.dll
2005-05-31 08:04 47,256 ------w C:\Documents and Settings\Spybot - Search & Destroy\blindman.exe
2005-05-31 08:04 417,408 ------w C:\Documents and Settings\Spybot - Search & Destroy\Update.exe
2005-05-31 08:04 4,393,096 ------w C:\Documents and Settings\Spybot - Search & Destroy\SpybotSD.exe
2005-05-31 08:04 28,672 ------w C:\Documents and Settings\Spybot - Search & Destroy\aports.dll
2005-05-31 08:04 22,528 ------w C:\Documents and Settings\Spybot - Search & Destroy\borlndmm.dll
2005-05-31 08:04 15,872 ------w C:\Documents and Settings\Spybot - Search & Destroy\delphimm.dll
2005-05-31 08:04 139,776 ------w C:\Documents and Settings\Spybot - Search & Destroy\ZipDll.dll
2005-05-31 08:04 122,368 ------w C:\Documents and Settings\Spybot - Search & Destroy\UnzDll.dll
2005-05-31 08:04 1,415,824 ------w C:\Documents and Settings\Spybot - Search & Destroy\TeaTimer.exe
2003-08-27 21:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
2008-05-09 21:02 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050920080510\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 11:37 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 16:25 73728]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-29 21:06 53248]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 15:59 65536]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 16:51 122880]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-23 14:49 98304]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 16:37 151552]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 14:03 1077301]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 18:03 155648]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2005-04-20 20:38 28672]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 17:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05 122939]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 20:08 675840]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 13:51 24576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"ZoomingHook"="ZoomingHook.exe" [2004-04-30 23:03 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"TPSMain"="TPSMain.exe" [2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 14:03 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-05-23 13:39:00 155648]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= "C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll" [2005-04-26 15:26 45056]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 09:34]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 09:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 09:34]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 09:34]
.
Contents of the 'Scheduled Tasks' folder
2008-08-16 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
2005-08-13 C:\WINDOWS\Tasks\Registration reminder 3.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -
Notify-dimsntfy - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://login.yahoo....erify2?&.src=ym
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 20:18:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-16 20:21:01
ComboFix-quarantined-files.txt 2008-08-17 03:20:55
ComboFix2.txt 2008-07-06 02:45:35
Pre-Run: 26,655,928,320 bytes free
Post-Run: 26,884,239,360 bytes free
170 --- E O F --- 2008-08-16 23:42:50
Edited by susan spencer, 17 August 2008 - 04:54 PM.