thanks for sticking with me through this mess
logged in as Administrator in Safe Mode
ran AVG removal again
reran CF
CF error message: "ComboFix has detected AVG AntiVirus Free Edition 2012"
here is the log:
ComboFix 12-09-01.01 - Administrator 09/02/2012 23:13:04.11.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.725 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-08-03 to 2012-09-03 )))))))))))))))))))))))))))))))
.
.
2012-09-03 03:20 . 2012-09-03 03:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2012-09-03 02:55 . 2012-09-03 02:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\iolo
2012-08-26 21:44 . 2012-08-26 21:44 -------- d-----w- C:\FRST
2012-08-19 22:50 . 2012-09-03 03:08 -------- d-----w- c:\windows\system32\CatRoot2
2012-08-12 22:30 . 2012-08-02 15:21 511328 ----a-w- c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL
2012-08-12 22:30 . 2012-08-02 15:27 2096360 ----a-w- c:\windows\system32\Incinerator32.dll
2012-08-12 22:30 . 2012-08-02 16:45 40504 ----a-w- c:\windows\system32\iolobtdfg.exe
2012-08-12 22:30 . 2012-08-02 16:45 22456 ----a-w- c:\windows\system32\smrgdf.exe
2012-08-12 22:30 . 2012-08-02 15:21 68464 ----a-w- c:\windows\system32\drivers\PDFsFilter.sys
2012-08-12 22:30 . 2012-08-02 15:21 56200 ----a-w- c:\windows\system32\offreg.dll
2012-08-12 22:26 . 2012-08-13 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2012-08-12 22:26 . 2012-08-12 22:36 -------- d-----w- c:\documents and settings\Patrick\Application Data\iolo
2012-08-12 22:26 . 2012-08-12 22:26 74703 ----a-w- c:\windows\system32\mfc45.dat
2012-08-12 22:17 . 2012-08-12 22:17 -------- dc----w- c:\windows\ie8
2012-08-10 23:43 . 2012-08-11 01:18 -------- d-----w- C:\PCHelpForum
2012-08-10 22:54 . 2012-08-11 21:50 -------- d-----w- c:\documents and settings\Patrick\Application Data\PCToolsFirewallPlus
2012-08-10 22:52 . 2011-03-02 16:40 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-08-10 22:52 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-08-10 22:52 . 2011-01-17 13:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-08-10 22:52 . 2012-08-10 22:52 -------- d-----w- c:\program files\Common Files\PC Tools
2012-08-10 22:52 . 2011-01-12 14:36 89472 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2012-08-10 22:52 . 2010-07-08 12:49 57536 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2012-08-10 22:52 . 2010-02-05 12:26 32808 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2012-08-10 22:51 . 2011-01-17 12:11 125248 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2012-08-10 22:51 . 2012-08-13 04:24 -------- d-----w- c:\program files\PC Tools Firewall Plus
2012-08-10 22:47 . 2012-08-10 22:47 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-08-10 21:10 . 2012-08-10 22:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\PCToolsFirewallPlus
2012-08-10 17:49 . 2012-08-10 17:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-08-10 17:30 . 2012-08-10 17:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2012-08-10 14:50 . 2012-08-10 14:50 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-08-10 14:50 . 2012-08-10 14:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-08-05 15:49 . 2012-08-05 15:49 -------- d-----w- c:\program files\DVD Decrypter
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-10 21:43 . 2004-08-11 23:00 14336 ----a-w- c:\windows\system32\svchost.exe
2012-08-05 15:39 . 2012-04-17 00:04 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-05 15:39 . 2011-05-14 20:03 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2004-08-11 23:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-08-17 18:02 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-11 23:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-07-29 13:39 . 2012-02-12 23:34 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
1997-06-23 17:06 287504 --sha-w- c:\windows\system32\Msxbse35.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 20553]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2011-04-07 2672600]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Autodesk"="c:\documents and settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-05 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-04-03 22:43 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-phishing Domain Advisor]
2011-07-29 20:45 217256 ----a-w- c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDFab Passkey]
2012-06-28 18:51 1389088 ----a-w- c:\program files\DVDFab Passkey\DVDFabPasskey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 17:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1172251831\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/11/2010 7:03 PM 116608]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [4/7/2012 6:27 PM 821592]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/12/2012 6:30 PM 1027792]
R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [7/5/2012 1:44 PM 54144]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys --> c:\windows\system32\DRIVERS\avgidshx.sys [?]
S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [8/10/2012 6:52 PM 251560]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 3:11 PM 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 3:11 PM 67664]
S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [7/14/2006 3:01 AM 13824]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [8/10/2012 6:52 PM 160576]
S2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [8/12/2012 6:30 PM 68464]
S2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [7/14/2006 3:02 AM 13696]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys --> c:\windows\system32\DRIVERS\avgidsshimx.sys [?]
S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]
S3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [4/7/2012 6:27 PM 246816]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/5/2012 5:37 AM 113120]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [8/15/2010 8:55 AM 47360]
S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [8/10/2012 6:52 PM 89472]
S3 pctNDIS;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [8/10/2012 6:52 PM 57536]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [8/10/2012 6:51 PM 125248]
S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [4/7/2012 6:27 PM 30368]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 3:11 PM 12872]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [4/7/2012 6:27 PM 16208]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/31/2008 8:57 PM 715248]
.
.
------- Supplementary Scan -------
.
uStart Page = www.msn.com
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tfpwaynx.default\
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-02 23:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2796421550-788906634-1267632633-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,92,62,f9,83,a0,c5,46,a8,5a,a9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,92,62,f9,83,a0,c5,46,a8,5a,a9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(304)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\l3codeca.acm
.
- - - - - - - > 'explorer.exe'(1244)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
.
Completion time: 2012-09-03 00:02:20
ComboFix-quarantined-files.txt 2012-09-03 04:01
ComboFix2.txt 2012-09-03 02:31
ComboFix3.txt 2012-08-11 23:46
ComboFix4.txt 2012-08-11 01:17
ComboFix5.txt 2012-09-03 03:04
.
Pre-Run: 121,009,709,056 bytes free
Post-Run: 120,988,876,800 bytes free
.
- - End Of File - - 1D82410EDBB2FBBC05A11D08574283C1