Combofix log below. One other thing is consistently strange although not sure it means anything -- every time I get onto IE (8) I have to tell it 3 times that I understand it's a secure site and that what I post won't be seen on the web even though I have the "don't tell me about this again" box checked.
Presume it's ok to let ad-aware update now?
ComboFix 12-01-29.02 - Dell User 01/29/2012 15:24:31.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2845 [GMT -5:00]
Running from: c:\documents and settings\Dell User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dell User\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
FILE ::
"c:\documents and settings\DELL USER\RECENT\DOWNLOADS (4).LNK"
"c:\documents and settings\DELL USER\RECENT\DOWNLOADS(4).LNK"
"c:\windows\system32\drivers\22db.sys"
"c:\windows\system32\drivers\xcpip.sys"
"c:\windows\system32\drivers\xpsec.sys"
"c:\windows\system32\drivers\ykjissq.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\DELL USER\RECENT\DOWNLOADS (4).LNK
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_22DB.SYS
-------\Service_22db.sys
-------\Service_uhiw
-------\Service_xcpip
-------\Service_xpsec
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-29 )))))))))))))))))))))))))))))))
.
.
2012-01-26 23:32 . 2012-01-26 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2012-01-26 23:32 . 2012-01-26 23:32 -------- d-----w- c:\program files\Autorun Eater
2012-01-26 03:23 . 2012-01-26 03:23 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-01-26 03:22 . 2012-01-26 03:22 -------- d-----w- c:\program files\AVG
2012-01-26 03:17 . 2012-01-27 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-26 00:30 . 2012-01-26 00:30 -------- d-----w- c:\program files\ESET
2012-01-19 21:10 . 2012-01-24 00:56 -------- d-----w- c:\documents and settings\Dell User\Application Data\ElevatedDiagnostics
2012-01-04 04:14 . 2012-01-04 04:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-27 13:18 . 2008-04-13 23:00 26112 ----a-w- c:\windows\system32\userinit.exe
2011-11-25 21:57 . 2008-04-13 23:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-13 23:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-13 23:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-13 23:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-13 23:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-10 10:54 . 2011-02-08 15:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2011-02-08 15:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2008-04-13 23:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-13 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-13 23:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-13 23:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2008-04-13 23:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2008-04-13 23:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2008-04-13 23:00 1288704 ----a-w- c:\windows\system32\ole32.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-27_20.11.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-29 20:37 . 2012-01-29 20:37 16384 c:\windows\temp\Perflib_Perfdata_6e0.dat
+ 2010-08-08 01:16 . 2012-01-28 03:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-08-08 01:16 . 2012-01-26 00:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-08 01:16 . 2012-01-28 03:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-08-08 01:16 . 2012-01-26 00:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-01-28 03:25 . 2012-01-28 03:25 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-08-08 01:16 . 2012-01-26 00:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wisdom-soft ScreenHunter 5.1 Free"="0" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-23 4355464]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-23 960568]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-23 377248]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2010-05-06 516216]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\Dell User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-5-10 4456448]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-13 05:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Dell User\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/25/2011 9:23 PM 64512]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [8/7/2010 8:46 PM 902592]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [7/22/2011 10:10 PM 21992]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/18/2011 2:25 PM 2152152]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [5/10/2010 11:33 AM 110592]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [5/10/2010 11:32 AM 1858048]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [5/10/2010 11:32 AM 482304]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/18/2011 2:25 PM 15232]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/13/2008 6:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 02:25]
.
2012-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1275210071-1177238915-1003Core.job
- c:\documents and settings\Dell User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-05 18:13]
.
2012-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1275210071-1177238915-1003UA.job
- c:\documents and settings\Dell User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-05 18:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://autos.aol.com/article/the-time-to-buy-snow-tires-was-yesterday/?icid=maing-grid7%7Cmain5%7Cdl8%7Csec1_lnk3%7C115222
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
Trusted Zone: richdadworld.com\www
Trusted Zone: toptenreviews.com\internet-browser-review
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-01-29 15:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3972)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Autorun Eater\billy.exe
.
**************************************************************************
.
Completion time: 2012-01-29 15:48:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-29 20:48
ComboFix2.txt 2012-01-27 20:13
.
Pre-Run: 1,378,168,832 bytes free
Post-Run: 1,448,972,288 bytes free
.
- - End Of File - - 731453D4BD28BFFF5A0B78939877DF8E
Edited by ToniB, 29 January 2012 - 03:07 PM.