Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade

[lectrocrew]

I went to work at 10pm last night till 7am so I probably won't stay awake much longer. I'll check back later to see if you've posted anything further or need more information. Thanks a ton for all your help!!!
Mike

[evilfantasy]

That didn't find it.

More thorough scan....

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
  
• Link #2
  
• Link #3

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.[

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly. Still be sure to rename combofix as detailed above.

----------

Next post
Combofix log

[lectrocrew]

Click this link to see a list of security programs that should be disabled and how to disable them.

If yours is not listed and you don't know how to disable it, please ask.

I have Combofix.exe and Windows XP boot disk downloaded to my desktop and ready to run but:
The instructions given in the link to disable AVG don't work for AVG8. It works for AVG 7.5, I've done that before. I cannot find a way to disable antivirus, antispyware or anti rootkit. All others I have disabled {firewall, e-mail scanner, resident sheild, anti spam, search sheild, active surf sheild ect.}
The AVG website is not much help.
http://www.grisoft.com/ww.faq.num-1209#faq_1209

[patio]

Disable the FireFox / AVG addon and see if this helps...
Restart FireFox after doing so.

[lectrocrew]

 I disabled the AVG add-ons but still don't see where to disable the anti virus, spyware, rootkit.
I can terminate processes from the AVG system tools menu, but I'm not sure which process I need to terminate. I tried this route once but the 2nd process I terminated, ended the AVG control panel I was using although it returned after reboot.
 I don't know if terminating processes is even an optional way to disable the program, but since I can't find this control anywhere including advanced settings, will it work for what I'm trying to do?
My terminate process options are:
avgam.exe
avgemc.exe

[lectrocrew]

Sorry
I hit the enter button by mistake. I have more terminate process options. Please give me a moment to type them

[lectrocrew]

Additional options =
avgfws8.exe
avgnsx.exe
avgrsx.exe
avgsystx.exe
avgtray.exe
avgui.exe
avgwdsvc.exe

[evilfantasy]

Just try running Combofix. AVG may not block it from running. If it does block it then we will run it a different way.

Combofix uses scripts that some AV's see as malicious.

[patio]

Sorry for jumpin in EF.
I just finished reading AVG 8.0 installs an addon to Firefox and thought it may be the hangup.

patio.

[evilfantasy]

Any time Patio. Useful advice is always welcome.

[lectrocrew]

OK. Sorry for the delay. Another night at work. When I got home this morning I scanned with NoAdware again. Only 1 threat, AntiVirusGold. I then disabled NoAdware and what parts of AVG that I could, then I ran combofix per instructions I printed from the bleeping computer website.
After it ran I saved the combofix logfile and I will try to post it in another reply, or 2 separate replies {it is large}..
Immediately after running combofix, with no re-boot, I enabled NoAdware and scanned in quickscan mode. It found 5 threats as listed below. I did not allow NoAdware to remove any of the threats yet.
---------------------------------
Noadware v5.0 --------------------------

Reference File = C:\Program Files\NoAdware5.0\noadware4_041808.na

---------------------------



Spyware Name = Kazaa

Location = HKEY_CURRENT_USER\software\kazaa

Type = RegKey

Spyware Name = Kazaa

Location = HKEY_CURRENT_USER\Software\Kazaa\LocalContent

Type = RegKey

Spyware Name = Backdoor.Bifrose

Location = HKEY_CURRENT_USER\Software\Wget

Type = RegKey

Spyware Name = Trojan.PWS.Tanspy

Location = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

Type = RegKey

Spyware Name = AntiVirusGold

Location = C:\Program Files\AVG

Type = Directory



---------------------------------
 Next I started a scan with AVG.  I'll probably post this reply before it finishes it's scan due to time but so far it has scanned 474xxx objects and found 8 suspect files but list 0 as threats thus far. I'll post that log when it finishes.
------------------------
 

[lectrocrew]

My combofix log {part 1}:

ComboFix 08-04-20.2 - Owner 2008-04-21  8:29:46.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1548 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\tmp70.tmp
C:\WINDOWS\system32\tmp71.tmp
C:\WINDOWS\system32\tmp72.tmp

.
(((((((((((((((((((((((((   Files Created from 2008-03-21 to 2008-04-21  )))))))))))))))))))))))))))))))
.

2008-04-20 09:10 . 2008-04-20 09:09   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-04-20 09:10 . 2008-04-20 09:09   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-04-20 09:10 . 2008-04-20 09:09   86,528   --a------   C:\WINDOWS\system32\VACFix.exe
2008-04-20 09:10 . 2008-04-20 09:09   82,432   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-04-20 09:10 . 2008-04-20 09:09   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-04-20 09:10 . 2008-04-20 09:09   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-04-20 09:10 . 2008-04-20 09:09   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-04-20 09:10 . 2008-04-20 09:10   3,318   --a------   C:\WINDOWS\system32\tmp.reg
2008-04-19 18:40 . 2008-04-19 18:40   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 18:40 . 2008-04-19 18:40   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-19 18:40 . 2008-04-19 18:40   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 15:06 . 2008-04-19 17:09   <DIR>   d--------   C:\Program Files\Trend Micro
2008-04-18 22:36 . 2008-04-18 22:36   <DIR>   dr-h-----   C:\Documents and Settings\Owner\Application Data\SecuROM
2008-04-18 22:36 . 2008-04-18 22:36   107,888   --a------   C:\WINDOWS\system32\CmdLineExt.dll
2008-04-18 22:32 . 2008-04-18 22:32   <DIR>   d--------   C:\WINDOWS\system32\AGEIA
2008-04-18 22:32 . 2008-04-18 22:32   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 22:32 . 2008-04-18 22:32   <DIR>   d--------   C:\Program Files\AGEIA Technologies
2008-04-18 22:32 . 2005-05-26 15:34   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2008-04-18 22:21 . 2008-04-19 01:33   <DIR>   d--------   C:\Program Files\Rail Simulator
2008-04-18 17:58 . 2008-04-20 16:08   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
2008-04-18 17:58 . 2008-04-18 17:58   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-18 17:58 . 2008-04-18 17:58   75,272   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-18 17:58 . 2008-04-18 17:58   12,424   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-04-18 17:58 . 2008-04-18 17:58   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
2008-04-18 17:38 . 2008-04-18 17:38   45,568   --a------   C:\WINDOWS\system32\avgfwdx.dll
2008-04-18 17:38 . 2008-04-18 17:38   22,528   --a------   C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-04-18 13:17 . 2008-04-20 15:16   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-17 09:11 . 2008-04-17 21:26   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-04-17 09:11 . 2008-04-17 09:11   12,424   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys.install_backup
2008-04-17 09:11 . 2008-04-17 09:11   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll.install_backup
2008-04-17 09:10 . 2008-04-17 09:10   <DIR>   d--------   C:\Program Files\AVG
2008-04-17 09:09 . 2008-04-17 20:57   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2008-04-07 20:02 . 2008-04-07 20:02   <DIR>   d--------   C:\Documents and Settings\Owner\Bluetooth Software
2008-04-07 19:56 . 2008-04-07 19:56   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\Logitech
2008-04-07 19:56 . 2008-04-07 19:56   118,784   -r-------   C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
2008-04-07 19:55 . 2008-04-07 20:01   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Logitech
2008-04-07 19:55 . 2008-04-07 19:55   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-07 19:55 . 2005-10-05 12:00   47,104   --a------   C:\WINDOWS\system32\drivers\vserial.sys
2008-04-07 19:55 . 2005-10-05 12:00   18,167   --a------   C:\WINDOWS\system32\drivers\vsb.sys
2008-04-07 19:54 . 2008-04-07 19:56   <DIR>   d--------   C:\Program Files\Logitech
2008-04-07 19:54 . 2008-04-07 19:54   <DIR>   d--------   C:\Program Files\Common Files\Logitech
2008-04-07 19:51 . 2008-04-07 19:51   <DIR>   d--------   C:\Program Files\WIDCOMM
2008-04-07 16:48 . 2008-04-07 16:48   <DIR>   d--------   C:\Program Files\Safari
2008-04-07 16:45 . 2008-04-07 16:45   <DIR>   d--------   C:\Program Files\iTunes
2008-04-07 16:45 . 2008-04-07 16:45   <DIR>   d--------   C:\Program Files\iPod
2008-04-07 16:44 . 2008-04-07 16:44   <DIR>   d--------   C:\Program Files\QuickTime
2008-04-06 16:31 . 2008-04-07 07:49   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Ulead Systems
2008-04-06 16:29 . 2008-04-06 16:29   <DIR>   d--------   C:\Program Files\Ulead Systems
2008-04-06 15:14 . 2005-11-24 19:51   245,248   --a------   C:\WINDOWS\system32\rt73.sys
2008-04-06 15:14 . 2008-04-06 15:14   20,747   --a------   C:\WINDOWS\system32\drivers\AegisP.sys
2008-04-06 15:14 . 2005-12-06 04:24   7,846   --a------   C:\WINDOWS\system32\rt73.cat
2008-04-06 15:14 . 2008-04-06 15:14   1,361   --a------   C:\WINDOWS\system32\WLAN.INI
2008-04-06 13:14 . 2008-04-06 16:29   <DIR>   d--------   C:\Program Files\Common Files\Ulead Systems
2008-04-06 13:14 . 2008-04-06 16:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-04-04 12:21 . 2006-12-28 13:12   290,816   --a------   C:\WINDOWS\system32\hcwzblast.dll
2008-04-04 12:21 . 2007-03-28 07:16   90,175   --a------   C:\WINDOWS\system32\hcwblast.ocx
2008-04-04 12:21 . 2007-03-28 07:15   65,603   --a------   C:\WINDOWS\system32\hcwIRblast.dll
2008-04-04 12:21 . 2005-07-28 13:33   40,960   --a------   C:\WINDOWS\system32\GButton.ocx
2008-04-04 12:21 . 2004-10-06 14:03   248   --a------   C:\WINDOWS\HCWBlast_sav.ini
2008-04-04 12:21 . 2004-10-06 14:03   248   --a------   C:\WINDOWS\HCWBlast.ini
2008-04-04 12:20 . 2008-04-04 12:20   <DIR>   d--------   C:\WINDOWS\system32\Hauppauge
2008-04-04 12:20 . 2008-04-04 12:20   <DIR>   d--------   C:\Program Files\nanoPEG for WinTV
2008-04-04 12:20 . 2008-04-04 12:20   <DIR>   d--------   C:\Program Files\Common Files\IviSDK
2008-04-04 12:18 . 2008-04-18 18:51   <DIR>   d--------   C:\Program Files\WinTV
2008-04-04 12:18 . 2008-04-06 07:58   <DIR>   d--------   C:\MyVideos
2008-04-04 12:16 . 2004-08-03 23:10   85,376   --a------   C:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-04-04 12:15 . 2007-05-10 14:43   367,744   -ra------   C:\WINDOWS\system32\drivers\hcw18bda.sys
2008-04-03 20:44 . 2008-04-03 20:44   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\vlc
2008-04-03 20:43 . 2008-04-09 12:40   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\dvdcss
2008-04-03 20:41 . 2008-04-03 20:41   <DIR>   d--------   C:\Program Files\VideoLAN
2008-04-02 16:45 . 2008-04-18 18:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-02 16:45 . 2008-04-02 16:45   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-02 16:43 . 2008-04-02 16:43   <DIR>   d--------   C:\Program Files\Bonjour
2008-04-02 16:43 . 2008-04-10 13:45   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-04-02 16:42 . 2008-04-18 22:32   <DIR>   d----c---   C:\WINDOWS\system32\DRVSTORE
2008-04-02 16:42 . 2008-04-02 16:42   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-04-02 16:42 . 2008-04-02 16:43   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-02 16:41 . 2008-04-02 16:41   <DIR>   d--------   C:\Program Files\Common Files\Apple
2008-04-02 16:41 . 2008-04-02 16:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple
2008-04-01 13:01 . 2008-04-01 13:01   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\CyberLink
2008-04-01 12:54 . 2008-04-01 12:54   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-01 12:42 . 2008-04-01 12:43   <DIR>   d--------   C:\Program Files\CyberLink
2008-03-31 21:46 . 2008-03-31 21:55   <DIR>   d--------   C:\WINDOWS\NV35842212.TMP
2008-03-31 21:46 . 2007-12-10 14:24   159,458   --a------   C:\WINDOWS\system32\nvapps.nvb
2008-03-31 21:44 . 2008-03-31 21:44   <DIR>   d--------   C:\NVIDIA
2008-03-31 21:36 . 2008-03-31 21:36   <DIR>   d--------   C:\Program Files\SystemRequirementsLab
2008-03-31 17:03 . 2008-03-31 17:03   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-31 17:01 . 2008-03-31 17:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Nero
2008-03-31 13:18 . 2008-03-31 13:18   <DIR>   d--------   C:\Program Files\MSXML 4.0
2008-03-31 12:40 . 2008-03-31 12:40   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2008-03-31 12:40 . 2004-08-12 10:10   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2008-03-31 12:38 . 2008-03-31 12:38   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2008-03-31 12:38 . 2008-03-31 12:39   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2008-03-31 12:08 . 2008-04-15 07:39   69   --a------   C:\WINDOWS\NeroDigital.ini
2008-03-31 10:59 . 2008-03-31 10:59   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Ahead
2008-03-31 10:54 . 2008-03-31 10:54   <DIR>   d--------   C:\Program Files\Nero
2008-03-31 10:54 . 2008-03-31 17:02   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-03-28 23:37 . 2008-03-28 23:37   90,112   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37   57,344   --a------   C:\WINDOWS\system32\QuickTime.qts
2008-03-25 10:34 . 2006-12-06 00:19   44   --a------   C:\WINDOWS\system32\lxdcrwrd.ini
2008-03-25 10:33 . 2008-03-25 10:35   <DIR>   d--------   C:\Program Files\Lexmark 1300 Series
2008-03-25 10:33 . 2007-05-17 09:54   323,584   --a------   C:\WINDOWS\system32\LXDChcp.dll
2008-03-25 10:33 . 2007-05-17 10:09   286,720   --a------   C:\WINDOWS\system32\LXDCinst.dll
2008-03-25 10:33 . 2008-03-25 10:34   131,959   --a------   C:\WINDOWS\system32\LexFiles.ulf
2008-03-25 10:32 . 2007-03-28 09:16   344,064   -ra------   C:\WINDOWS\system32\lxdccoin.dll
2008-03-25 10:32 . 2007-03-18 21:45   77,906   -ra------   C:\WINDOWS\system32\lxdccfg.dll
2008-03-25 10:32 . 2007-05-25 05:19   1,827   -ra------   C:\WINDOWS\system32\lxdc.loc
2008-03-24 16:13 . 2008-03-25 10:33   <DIR>   d--------   C:\Program Files\Lexmark Toolbar
2008-03-24 16:03 . 2008-02-22 02:33   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-03-24 04:29 . 2008-03-24 04:29   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Leadertech
2008-03-24 03:02 . 2008-03-24 03:02   <DIR>   d--------   C:\WINDOWS\Sun
2008-03-23 04:38 . 2008-03-23 04:38   <DIR>   d--------   C:\Program Files\Linksys Wireless-G Print Server
2008-03-23 04:38 . 2006-10-18 18:32   37,248   --a------   C:\WINDOWS\system32\lknuhub.sys
2008-03-23 04:38 . 2006-10-18 18:32   11,648   --a------   C:\WINDOWS\system32\lknucmp.sys
2008-03-23 04:38 . 2006-10-18 18:35   1,393   --a------   C:\WINDOWS\system32\lknucmp.inf
2008-03-23 04:38 . 2006-10-18 18:36   1,371   --a------   C:\WINDOWS\system32\lknuhub.inf
2008-03-22 20:00 . 2008-03-22 20:01   16,826   --ah-----   C:\WINDOWS\system32\brdiag.GID
2008-03-21 21:02 . 2008-03-22 14:37   247   --a------   C:\WINDOWS\BRMRCV.INI
2008-03-21 20:53 . 2008-03-21 20:53   <DIR>   d--------   C:\Brother
2008-03-21 18:22 . 2008-03-21 18:22   1,673,180   --a------   C:\Program Files\WRT54GSv7_7.50.5_fw_US_code.bin
2008-03-21 17:52 . 2006-10-18 18:32   37,248   --a------   C:\WINDOWS\system32\drivers\lknuhub.sys
2008-03-21 17:52 . 2006-10-18 18:32   11,136   --a------   C:\WINDOWS\system32\drivers\lknuhst.sys
2008-03-21 17:51 . 2007-02-28 22:58   813   -ra------   C:\setup.iss
2008-03-21 16:56 . 2008-03-23 05:41   <DIR>   d--------   C:\Program Files\Brownie
2008-03-21 16:55 . 2008-03-22 19:58   <DIR>   d--------   C:\Program Files\Brother

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 17:43   ---------   d-----w   C:\Program Files\Lx_cats
2008-04-08 00:02   19,372   ----a-w   C:\WINDOWS\system32\drivers\frmupgr.sys
2008-04-07 23:56   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-04-06 19:14   ---------   d-----w   C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-03-29 10:55   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-24 20:03   ---------   d-----w   C:\Program Files\Java
2008-03-23 05:00   ---------   d-s---w   C:\Documents and Settings\All Users\Application Data\Memeo
2008-03-23 00:13   ---------   d--h--w   C:\Documents and Settings\Owner\Application Data\GTek
2008-03-21 20:55   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-03-21 20:28   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-03-21 00:43   ---------   d-----w   C:\Program Files\Enroute Imaging
2008-03-21 00:36   ---------   d-----w   C:\Program Files\OLYMPUS
2008-03-20 21:58   ---------   d-----w   C:\Program Files\Analog Devices
2008-03-20 21:02   ---------   d-----w   C:\Program Files\Picasa2
2008-03-20 00:28   ---------   d-----w   C:\Program Files\Common Files\MySoftware
2008-03-19 23:32   ---------   d-----w   C:\Program Files\Google
2008-03-19 23:31   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-19 23:29   ---------   d-----w   C:\Program Files\Western Digital Technologies
2008-03-19 22:23   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-03-19 20:47   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Corel
2008-03-19 20:45   ---------   d-----w   C:\Program Files\Intel
2008-03-19 20:04   ---------   d-----w   C:\Program Files\WexTech
2008-03-19 20:04   ---------   d-----w   C:\Program Files\Common Files\WexTech Shared
2008-03-19 20:04   ---------   d-----w   C:\Program Files\Common Files\LHSPF
2008-03-19 20:01   ---------   d-----w   C:\Program Files\Corel
2008-03-19 20:01   ---------   d-----w   C:\Program Files\Borland
2008-03-19 19:48   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Sonic
2008-03-19 19:47   ---------   d-----w   C:\Program Files\Common Files\Sonic
2008-03-19 19:46   ---------   d-----w   C:\Program Files\Sonic
2008-03-19 18:32   ---------   d-----w   C:\Program Files\Linksys EasyLink Advisor
2008-03-19 18:18   499,712   ----a-w   C:\WINDOWS\system32\msvcp71.dll
2008-03-19 18:18   348,160   ----a-w   C:\WINDOWS\system32\msvcr71.dll
2008-03-19 17:16   ---------   d-----w   C:\Program Files\Microsoft IntelliType Pro
2008-03-19 17:16   ---------   d-----w   C:\Program Files\Microsoft IntelliPoint
2008-03-19 14:48   ---------   d--ha-w   C:\Documents and Settings\All Users\Application Data\GTek
2008-03-19 13:47   ---------   d-----w   C:\Program Files\Western Digital
2008-03-19 13:47   ---------   d-----w   C:\Program Files\Common Files\Java
2008-03-19 13:47   ---------   d-----w   C:\Program Files\B's Recorder GOLD5
2008-03-19 13:47   ---------   d-----w   C:\Program Files\ArcSoft
2008-03-19 13:47   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-19 02:55   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-03-01 13:06   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
2008-02-23 02:38   43,872   ----a-w   C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 16:02   107,368   ----a-w   C:\WINDOWS\system32\GEARAspi.dll
.

[lectrocrew]

combofix {part 2}

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-18 17:58   2051328   --a------   C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-18 17:58 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-04-18 17:58 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-04-07 19:56 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"lxdcmon.exe"="C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" [ ]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 04:19 20480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-09-05 12:19 94208 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-09-05 12:19 94208 C:\WINDOWS\KHALMNPR.Exe]
"Logitech BT Wizard"="LBTWiz.exe" []
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 12:00 53248]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-08-17 23:19:54 622653]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-04-07 19:56:23 196608]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-07 19:54:51 671744]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= F:\vulcan_1024x768.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= F:\Nalu_1920x1440.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= F:\Adrianne_1400x1050.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= C:\Documents and Settings\Owner\My Documents\My Pictures\black_cat.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= C:\Documents and Settings\Owner\My Documents\My Pictures\cat13b.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\Owner\My Documents\My Pictures\wanimal3t.gif
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 12:00 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2006-10-25 19:01 65536 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=C:\WINDOWS\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 9.LNK
backup=C:\WINDOWS\pss\Desktop Application Director 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware InterCom.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware InterCom.lnk
backup=C:\WINDOWS\pss\MySoftware InterCom.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-04-18 17:58 1177368 C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-03-19 19:32 1862144 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-02-05 19:52 849280 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 2006-11-21 21:08 813912 C:\Program Files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2007-01-08 22:17 52256 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDiagnosticM]
--a------ 2007-02-27 16:29 315392 C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-01-08 22:26 68640 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
--------- 2006-06-06 11:47 118784 C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 5 SE\Ulead DVD MovieFactory 5\Quick-Drop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"RichVideo"=2 (0x2)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\app4r.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-18 17:58]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-18 17:58]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-18 17:57]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-18 17:57]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-04-18 17:57]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-18 17:58]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-10-25 19:10]
R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-05-25 05:38]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-18 17:38]
R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\WINDOWS\system32\drivers\hcw18bda.sys [2007-05-10 14:43]
R3 lknuhst;Linksys Network USB Host Controller;C:\WINDOWS\system32\DRIVERS\lknuhst.sys [2006-10-18 18:32]
R3 LKNUHUB;Linksys Network USB Root Hub;C:\WINDOWS\system32\DRIVERS\lknuhub.sys [2006-10-18 18:32]
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe [2007-05-25 05:38]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-18 17:38]
S3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 15:11]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys [2001-08-17 13:12]

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 08:31:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-21  8:34:03
ComboFix-quarantined-files.txt  2008-04-21 12:33:01

Pre-Run: 18,073,759,744 bytes free
Post-Run: 19,050,729,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

384   --- E O F ---   2008-04-09 02:06:51

[evilfantasy]

Did Noadware just start reporting this infection when you installed AVG8?

Could this be a false positive?

Use the Kaspersky Online Scanner

• Click Accept.
  
• Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
  
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
  • 
    
    • Extended[/COLOR]
    • Scan Options:
    • 
      
      • Scan Archives[/COLOR]
        
        • Scan Mail Bases[/COLOR]
      • Click OK & have it scan My Computer
      When the scan is done, in the Scan is complete window (below), any infection is displayed.
      There is no option to clean/disinfect, however, we need to analyze the information on the report.
      
      To obtain the report:
      Click on: Save Report As...
      
      
      
      
      • Next, in the Save as prompt, Save in area, select: Desktop.
        
      • In the File name area, use KScan, or something similar.
        
      • In Save as type: click the drop arrow and select: Text file [*.txt]
        
      • Then, click: Save
      
      
      Please copy and paste the Kaspersky Online Scanner Report in your next post.
      
      ---------------
      
      Next post
      Kaspersky log

[lectrocrew]

Did Noadware just start reporting this infection when you installed AVG8?

Yes, I believe so. My NoAdware autoscans every morning {provided my computer is on, which it usually is}, at 6am while I'm at work, the last scan log for 4-17-2008 completed at 6:05am without the AntiVirusGold in it is here:
=======================
Noadware v5.0 --------------------------

Reference File = C:\Program Files\NoAdware5.0\noadware4_040408.na

---------------------------



Spyware Name = Tracking Cookie

Location = adinterax

Type = Cookie

Spyware Name = Tracking Cookie

Location = adopt.specificclick

Type = Cookie

Spyware Name = Tracking Cookie

Location = specificclick

Type = Cookie

======================

The scan for 4-18-2008 completed at 6:04am is here:
=======================

Noadware v5.0 --------------------------

Reference File = C:\Program Files\NoAdware5.0\noadware4_041608.na

---------------------------



Spyware Name = Tracking Cookie

Location = ad.yieldmanager

Type = Cookie

Spyware Name = Tracking Cookie

Location = bluestreak

Type = Cookie

Spyware Name = Tracking Cookie

Location = media.adrevolver

Type = Cookie

Spyware Name = Tracking Cookie

Location = ssl-hints.netflame

Type = Cookie

Spyware Name = AntiVirusGold

Location = C:\Program Files\AVG

Type = Directory

=======================

Could this be a false positive?

I guess so, although you make that call. I didn't know there was such a thing as a false positive.

Should I do anything about the files found after the combofix ran or continue to the "Kaspersky Online Scanner" now?