Expert: Brian Benosky - 3/30/2008

Question
QUESTION: Hello,
I think I have a trojan. Running AVG and keep getting a threat message:  C:\windows\system32\cmsetAC.dll   Trojan Delf.EGO
AVG tries to fix but when I reboot it comes right back and I haven't been able to trace it to a specific program. Below is the Hijackthis log.
Thanks for help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:31 AM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jeremy\Desktop\BHO Demon\BHODemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll (file missing)
O2 - BHO: (no name) - {294BEBEC-F244-4880-9397-E43484D17043} - C:\WINDOWS\system32\cmsetAC.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll (file missing)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msiconf.exe] msiconf.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5897 bytes


ANSWER: Hi Allen

I will try to help you with this trojan.  Please download ComboFix and save to your desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

     Note: It is important that it is saved directly to your desktop
     Close any open browsers.
     Double click on combofix.exe and follow the prompts.
     When it's finished it will produce a log.
     Post the contents of the C:\ComboFix.txt into your next reply.
     Note: Do not mouseclick combofix's window while it's running.
     That may cause the program to freeze/hang.

After running ComboFix, please download Dr.Web's CureIt from here:

ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

Run the utility and press the "Start" button in the opened window. Confirm the launch by pressing the "OK" button and wait for the scanning results of the main memory and startup files. Select the Complete scan  and press the "Start scanning" button on the scanner right.

When finished, please post me the ComboFix log located at C:\ComboFix.txt and also a fresh HJT scan log.

Brian

---------- FOLLOW-UP ----------

QUESTION: Thanks for the help. I think the trojans were removed following those steps. Here's the combofix and Hijackthis logs  to hopefully confirm there gone. Thx.

ComboFix 08-03-30.2 - jeremy 2008-03-30  9:50:17.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.66 [GMT -4:00]
Running from: C:\Documents and Settings\jeremy\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ErrorProtector Free
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\Abbr
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\HOURS
C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\jeremy\Application Data\ErrorProtector Free
C:\Documents and Settings\jeremy\Application Data\ErrorProtector Free\Logs\update.log
C:\Documents and Settings\jeremy\Application Data\SpamBlockerUtility_Icons
C:\Documents and Settings\jeremy\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
C:\Documents and Settings\jeremy\ResErrors.log
C:\Program Files\Temporary
C:\Redemption.ECF
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmsetac.dll
C:\WINDOWS\system32\drivers\xirhfpwe.dat
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\voiceip.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GYBALWWB
-------\Service_gybalwwb


(((((((((((((((((((((((((   Files Created from 2008-02-28 to 2008-03-30  )))))))))))))))))))))))))))))))
.

2008-03-30 07:19 . 2008-03-30 07:19   <DIR>   d--------   C:\Program Files\Lavasoft
2008-03-30 07:19 . 2008-03-30 07:20   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-30 07:18 . 2008-03-30 07:18   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 15:47 . 2008-03-29 15:47   <DIR>   d--------   C:\Documents and Settings\jeremy\Application Data\Talkback
2008-03-29 15:47 . 2008-03-29 15:47   0   --a------   C:\WINDOWS\nsreg.dat
2008-03-29 15:25 . 2008-03-29 15:25   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
2008-03-29 15:25 . 2008-03-29 15:37   <DIR>   d--------   C:\Documents and Settings\jeremy\Application Data\AVGTOOLBAR
2008-03-29 15:25 . 2008-03-29 15:25   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-03-29 15:25 . 2008-03-29 15:25   75,272   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-03-29 15:25 . 2008-03-29 15:25   12,424   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-03-29 15:25 . 2008-03-29 15:25   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
2008-03-29 15:23 . 2008-03-29 15:23   <DIR>   d--------   C:\Program Files\AVG
2008-03-29 15:23 . 2008-03-29 15:23   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
2008-03-29 15:23 . 2008-03-29 15:23   45,568   --a------   C:\WINDOWS\system32\avgfwdx.dll
2008-03-29 15:23 . 2008-03-29 15:23   22,528   --a------   C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-03-29 09:57 . 2008-03-29 09:57   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2008-03-29 06:34 . 2008-03-29 14:51   121   --a------   C:\WINDOWS\bdagent.INI
2008-03-29 06:14 . 2008-03-29 15:16   <DIR>   d--------   C:\Program Files\BitDefender
2008-03-29 06:10 . 2008-03-29 06:14   <DIR>   d--------   C:\Program Files\Common Files\BitDefender
2008-03-28 08:12 . 2008-03-28 08:12   <DIR>   d--------   C:\Documents and Settings\jeremy\Application Data\Uniblue
2008-03-28 06:53 . 2008-03-28 06:53   <DIR>   d--------   C:\Program Files\Trend Micro
2008-03-27 07:36 . 2008-03-27 07:36   <DIR>   d--------   C:\Program Files\stc
2008-03-27 07:36 . 2008-03-27 07:36   <DIR>   d--------   C:\Program Files\180search assistant
2008-03-27 07:36 . 2008-03-27 07:36   20,736   --a------   C:\WINDOWS\system32\SIPSPI32.dll
2008-03-26 11:25 . 2008-03-27 08:56   886   --a------   C:\WINDOWS\wininit.ini
2008-03-26 10:28 . 2008-03-27 06:25   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-03-26 10:28 . 2008-03-27 06:25   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 06:16 . 2008-03-27 06:25   <DIR>   d--------   C:\Program Files\a-squared Free
2008-03-26 04:55 . 2008-03-26 04:55   <DIR>   d--------   C:\Program Files\iolo
2008-03-26 04:55 . 2004-09-08 08:36   567,808   --a------   C:\WINDOWS\system32\Incinerator.dll
2008-03-26 04:55 . 2004-08-27 01:20   57,240   --a------   C:\WINDOWS\system32\iolobtdfg.exe
2008-03-26 04:55 . 2004-09-02 16:39   28,236   --a------   C:\WINDOWS\system32\drivers\SGuard.sys
2008-03-26 04:55 . 2004-08-28 15:18   25,264   --a------   C:\WINDOWS\system32\smrgdf.exe
2008-03-23 23:31 . 2001-08-17 22:36   71,680   --a------   C:\WINDOWS\system32\fnfilter.dll
2008-03-23 23:31 . 2001-08-17 22:36   71,680   --a--c---   C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-03-23 23:31 . 2001-08-17 22:36   37,376   --a------   C:\WINDOWS\system32\kousd.dll
2008-03-23 23:31 . 2001-08-17 22:36   37,376   --a--c---   C:\WINDOWS\system32\dllcache\kousd.dll
2008-03-23 23:31 . 2001-08-17 13:53   6,784   --a------   C:\WINDOWS\system32\drivers\serscan.sys
2008-03-23 23:31 . 2001-08-17 13:53   6,784   --a--c---   C:\WINDOWS\system32\dllcache\serscan.sys
2008-03-23 19:09 . 2008-03-26 05:44   <DIR>   d--------   C:\Program Files\nvcoi
2008-03-23 19:04 . 2008-03-27 06:25   <DIR>   d--------   C:\Program Files\CPV
2008-03-23 01:49 . 2008-03-27 07:14   <DIR>   d--------   C:\WINDOWS\system32\NtmsData
2008-03-22 17:19 . 2008-03-26 06:02   <DIR>   d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-22 10:47 . 2008-03-22 10:47   32,000   --a------   C:\WINDOWS\msa64chk.dll
2008-03-22 10:47 . 2008-03-22 10:47   32,000   --a------   C:\WINDOWS\didduid.ini
2008-03-22 10:47 . 2008-03-22 10:47   30,720   --a------   C:\WINDOWS\msapasrc.dll
2008-03-22 10:47 . 2008-03-22 10:47   12,800   --a------   C:\WINDOWS\system32\MSNSA32.dll
2008-03-22 10:46 . 2008-03-22 10:46   <DIR>   d--------   C:\Program Files\Sysmnt
2008-03-22 10:45 . 2008-03-27 06:25   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-19 17:55 . 2008-03-24 00:16   <DIR>   d--------   C:\Program Files\SnapStickers

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 15:22   ---------   d-----w   C:\Program Files\Google
2008-03-27 10:25   ---------   d-----w   C:\Program Files\eBay
2008-03-26 08:56   ---------   d-----w   C:\Program Files\Norton Security Scan
2008-03-24 03:24   ---------   d-----w   C:\Program Files\Yahoo!
2008-03-14 20:31   ---------   d-----w   C:\Documents and Settings\jeremy\Application Data\WholeSecurity
2008-01-31 00:19   ---------   d-----w   C:\Documents and Settings\jeremy\Application Data\Lavasoft
2006-11-04 15:18   774,144   -c--a-w   C:\Program Files\RngInterstitial.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-03-29 15:25   2051328   --a------   C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-03-29 15:25 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-03-29 15:25 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System Mechanic Startup Guard"="C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe" [2004-09-08 08:37 692736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 20:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-03-29 15:24 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^jeremy^Start Menu^Programs^Startup^Bat - Auto Update.lnk]
path=C:\Documents and Settings\jeremy\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\WINDOWS\pss\Bat - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-06 16:41 98304 C:\Program Files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-03-29 15:25]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-03-29 15:25]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-03-29 15:24]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-03-29 15:24]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-03-29 15:24]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-03-29 15:25]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-03-29 15:23]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-03-29 15:23]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 14:55]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2004-09-22 12:16]
S3 SGUARD;SGUARD;C:\WINDOWS\system32\drivers\SGuard.sys [2004-09-02 16:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-23 22:59:08 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 10:00:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-03-30 10:05:20 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-30 14:05:11
Pre-Run: 32,676,659,200 bytes free
Post-Run: 32,777,080,832 bytes free
.
2008-03-29 09:52:37   --- E O F ---  



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:22 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (disabled by BHODemon)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll (disabled by BHODemon)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll (file missing)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5374 bytes


Answer
Hi Allen

Yes, the log file looks much better now.  We just need to clean up.  Run HJT (scan only) and place a check mark next to the following items, then click the Fix Checked button:

O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll (file missing)
  O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)


Close HJT and reboot.  Next, click Start->Run, then type the following in the Run box and hit enter:

combofix /u

Note the space between the x and the /.

That's it then.  If you have any further problems, just let me know.  Good luck.

Brian