Firefox redirecting to suspicious sites

Postby foxs » Sat May 09, 2009 4:49 pm

I used AVG and Spybot Search and Destroy; it is still happening. I looked around the forum and used Malwarebytes' Anti-Malware, but it still appears.

--------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:10 PM, on 5/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4017 bytes
foxs
 
Posts: 4
Joined: Sat May 09, 2009 4:40 pm

Re: Firefox redirecting to suspicious sites

Postby patrik » Sun May 10, 2009 3:01 pm

Hello foxs, welcome to the Myantispyware forum.

If you have previously downloaded ComboFix, please delete that version now.
Download Combofix from here. Close any open browsers. Double click on combofix.exe and follow the prompts.

Post back with combofix log.
patrik
Site Admin
 
Posts: 8602
Joined: Sun Jan 08, 2006 1:11 pm

Re: Firefox redirecting to suspicious sites

Postby foxs » Sun May 10, 2009 4:12 pm

Thank you for replying,
Here is my ComboFix log. Am I infected? If so, what is it coming from?

-------------------------------------------------------
ComboFix 09-05-09.04 - Le 05/10/2009 10:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.394 [GMT -5:00]
Running from: c:\documents and settings\Le\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Le\Application Data\inst.exe
C:\xcrashdump.dat

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)

.
((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-10 04:45 . 2009-05-10 04:45 -------- d-----w c:\program files\Java
2009-05-10 02:10 . 2009-05-10 02:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-09 16:26 . 2009-05-09 16:26 -------- d-----w C:\_OTMoveIt
2009-05-09 07:57 . 2009-05-09 07:57 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-05-09 07:57 . 2009-02-16 05:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-05-09 07:57 . 2009-05-09 07:57 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-09 07:57 . 2009-05-09 07:57 -------- d-----w c:\program files\Zone Labs
2009-05-09 07:55 . 2009-05-10 15:43 -------- d-----w c:\windows\Internet Logs
2009-05-09 00:33 . 2009-05-09 07:29 -------- d-----w C:\fixwareout
2009-05-09 00:09 . 2009-05-09 00:09 -------- d-----w c:\program files\Trend Micro
2009-05-06 04:24 . 2009-05-06 04:24 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-05-06 04:23 . 2009-05-06 04:23 -------- d-----w c:\documents and settings\Le\Application Data\DAEMON Tools
2009-05-04 03:13 . 2009-05-04 03:13 61440 ----a-w c:\windows\system32\drivers\gotjhyt.sys
2009-05-01 02:30 . 2009-05-01 02:30 -------- d-----w c:\documents and settings\Le\Application Data\Malwarebytes
2009-05-01 02:30 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 02:30 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 02:30 . 2009-05-01 02:30 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 02:30 . 2009-05-06 05:21 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-30 03:46 . 2009-04-30 03:37 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-30 03:37 . 2009-04-30 03:37 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-30 03:35 . 2009-04-30 03:35 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-04-30 03:35 . 2009-04-30 03:37 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-30 02:24 . 2009-04-30 02:24 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-04-30 02:19 . 2009-04-30 02:26 -------- d-----w c:\documents and settings\Le\Application Data\DAEMON Tools Lite
2009-04-24 22:56 . 2009-04-24 22:56 -------- d-----w c:\documents and settings\Le\Local Settings\Application Data\WMTools Downloaded Files
2009-04-20 02:01 . 2009-05-08 00:26 -------- d--h--w C:\$AVG8.VAULT$
2009-04-20 01:57 . 2009-05-01 14:57 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-20 01:57 . 2009-05-01 14:56 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-20 01:56 . 2009-05-01 14:57 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-20 01:56 . 2009-05-10 13:26 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-20 01:56 . 2009-04-20 01:56 -------- d-----w c:\program files\AVG
2009-04-20 01:05 . 2009-04-20 01:05 -------- d-----w c:\program files\MSXML 6.0
2009-04-20 00:22 . 2009-04-20 00:22 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-15 02:42 . 2009-04-15 02:42 -------- d-----w c:\windows\Quest Ragnarok

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 15:38 . 2009-05-10 15:43 1409536 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-05-10 15:29 . 2004-08-03 21:14 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-10 04:45 . 2008-08-04 07:10 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-07 18:24 . 2008-11-12 03:31 -------- d-----w c:\program files\Starcraft
2009-04-30 03:35 . 2007-08-01 16:01 -------- d-----w c:\program files\Lavasoft
2009-04-30 02:19 . 2007-07-16 21:14 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-24 23:08 . 2008-04-10 23:52 -------- d-----w c:\program files\XP Codec Pack
2009-04-22 06:22 . 2007-12-21 05:19 -------- d-----w c:\program files\Winamp
2009-04-20 01:37 . 2008-09-13 04:24 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-14 23:49 . 2007-07-04 01:21 65536 ----a-w c:\windows\IFinst27.exe
2009-03-14 19:52 . 2009-03-14 19:52 -------- d-----w c:\program files\XBCD
2009-03-14 19:38 . 2009-03-14 19:38 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-03-14 19:38 . 2009-03-14 19:38 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2009-03-14 19:05 . 2009-03-14 18:50 -------- d-----w c:\program files\Microsoft Xbox 360 Accessories
2009-03-06 14:44 . 2004-08-03 22:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:30 . 2004-08-03 22:56 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-03 22:56 81920 ----a-w c:\windows\system32\ieencode.dll
2008-08-12 15:23 . 2008-08-12 14:53 413638 ----a-w c:\program files\setuplog.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-30 516440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"sureshotpopupkiller"="c:\program files\Stop-the-Pop-Up\stopthepop.exe" [2003-05-20 2240512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-10 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 14:57 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux1"= ctwdm32.dll
"wave4"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2009 10:37 PM 64160]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/19/2009 8:56 PM 325896]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/19/2009 8:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/19/2009 8:56 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/19/2009 8:56 PM 298776]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 953168]
S1 c3b666c1;c3b666c1;c:\windows\system32\drivers\c3b666c1.sys --> c:\windows\system32\drivers\c3b666c1.sys [?]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [5/24/2002 11:52 AM 10368]
.
Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 03:37]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath - c:\documents and settings\Le\Application Data\Mozilla\Firefox\Profiles\0ekbuvoj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - http://www.msn.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 10:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-05-10 10:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-10 15:59

Pre-Run: 4,891,136,000 bytes free
Post-Run: 4,966,068,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
170 --- E O F --- 2009-04-19 00:54
foxs
 
Posts: 4
Joined: Sat May 09, 2009 4:40 pm

Re: Firefox redirecting to suspicious sites

Postby patrik » Mon May 11, 2009 1:57 pm

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected

Looks like Combofix found and disinfected the ndis.sys file (a system file).

Open notepad, copy/paste the text in the code box below into notepad:
Driver::
c3b666c1

File::
c:\windows\system32\drivers\c3b666c1.sys

Name the Notepad file CFScript and Save it to your desktop. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
When finished, it will produce a report for you.

How is your computer working now? Post a combofix log with your answer.
patrik
Site Admin
 
Posts: 8602
Joined: Sun Jan 08, 2006 1:11 pm
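The entry patrik singles out for the CFScript is the one the ComboFix log printed as "S1 c3b666c1;c3b666c1;... [?]": a driver with a random-looking name, the same string as its display name, a boot/system start type, and file details ComboFix could not read. The following added example (not code from the thread, the forum, or ComboFix) parses lines in that "Drivers/Services" format and applies those three checks so a reader can see how such an entry stands out from the legitimate ones around it. The sample lines are constructed from the log format shown above, and the heuristics (8-character hex name, start type 0 or 1, trailing "[?]") are the example's own assumptions, not a documented ComboFix rule.

```python
import re

# Constructed sample input: four service/driver lines in the format ComboFix
# prints in its "Drivers/Services" block (copied from the log format in this
# thread). Prefix: R = running, S = stopped; the digit is the start type
# (0 boot, 1 system, 2 auto, 3 manual). Fields: name;display name;path [details].
SAMPLE_SERVICE_LINES = r"""
R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2009 10:37 PM 64160]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/19/2009 8:56 PM 325896]
S1 c3b666c1;c3b666c1;c:\windows\system32\drivers\c3b666c1.sys --> c:\windows\system32\drivers\c3b666c1.sys [?]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [5/24/2002 11:52 AM 10368]
"""

LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
DETAILS_RE = re.compile(r"\[(.+?) (\d+)\]$")   # "[date time size]" at end of line
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")     # assumed heuristic: 8 random hex characters


def parse_service_line(line):
    """Parse one ComboFix service line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start_type, name, display, rest = m.groups()
    rest = rest.strip()
    details = DETAILS_RE.search(rest)
    # Path is everything before an optional " --> resolved path" and the "[...]" block.
    path = rest.split(" -->")[0].split(" [")[0]
    return {
        "running": state == "R",
        "start_type": int(start_type),
        "name": name,
        "display": display,
        "path": path,
        "size": int(details.group(2)) if details else None,
        # "[?]" means ComboFix could not read the file's date/size: the file is
        # missing from disk or hidden from the scanner (assumed interpretation).
        "unknown_file": rest.endswith("[?]"),
    }


def suspicion_reasons(entry):
    """Return the list of heuristic reasons an entry deserves a closer look."""
    reasons = []
    if entry["unknown_file"]:
        reasons.append("file details unreadable ([?]): missing or hidden on disk")
    if HEX_NAME_RE.match(entry["name"]) and entry["name"] == entry["display"]:
        reasons.append("random-looking hex name reused as display name")
    if entry["start_type"] <= 1 and entry["unknown_file"]:
        reasons.append("boot/system start type combined with an unreadable file")
    return reasons


def triage(log_text):
    """Return {service name: reasons} for every service line that trips a heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICE_LINES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only c3b666c1 is reported, with all three reasons; the AVG, Lavasoft and dwusbdnt drivers pass because they have readable file details and descriptive names. The heuristics are deliberately narrow: a missing or hidden file by itself is worth a look, but a driver that also has a throwaway name and loads at system start is the pattern that justifies a targeted removal script rather than another general scan.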

Re: Firefox redirecting to suspicious sites

Postby foxs » Tue May 12, 2009 1:19 am

It still appears.
I'll try some of the software you recommended in the other threads to protect myself.
Thanks again!

Here is my log

-----------------------------------------------------------------------
ComboFix 09-05-11.01 - Le 05/11/2009 17:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.365 [GMT -5:00]
Running from: c:\documents and settings\Le\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Le\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

FILE ::
c:\windows\system32\drivers\c3b666c1.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_c3b666c1


((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-05-10 04:45 . 2009-05-10 04:45 -------- d-----w c:\program files\Java
2009-05-10 02:10 . 2009-05-10 02:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-09 16:26 . 2009-05-09 16:26 -------- d-----w C:\_OTMoveIt
2009-05-09 07:57 . 2009-05-09 07:57 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-05-09 07:57 . 2009-05-09 07:57 -------- d-----w c:\program files\Zone Labs
2009-05-09 07:55 . 2009-05-11 06:35 -------- d-----w c:\windows\Internet Logs
2009-05-09 00:33 . 2009-05-09 07:29 -------- d-----w C:\fixwareout
2009-05-09 00:09 . 2009-05-09 00:09 -------- d-----w c:\program files\Trend Micro
2009-05-06 04:24 . 2009-05-06 04:24 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-05-06 04:23 . 2009-05-06 04:23 -------- d-----w c:\documents and settings\Le\Application Data\DAEMON Tools
2009-05-04 03:13 . 2009-05-04 03:13 61440 ----a-w c:\windows\system32\drivers\gotjhyt.sys
2009-05-01 02:30 . 2009-05-01 02:30 -------- d-----w c:\documents and settings\Le\Application Data\Malwarebytes
2009-05-01 02:30 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 02:30 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 02:30 . 2009-05-01 02:30 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 02:30 . 2009-05-06 05:21 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-30 03:46 . 2009-04-30 03:37 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-30 03:37 . 2009-04-30 03:37 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-30 03:35 . 2009-04-30 03:35 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-04-30 03:35 . 2009-04-30 03:37 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-30 02:24 . 2009-04-30 02:24 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-04-30 02:19 . 2009-04-30 02:26 -------- d-----w c:\documents and settings\Le\Application Data\DAEMON Tools Lite
2009-04-24 22:56 . 2009-04-24 22:56 -------- d-----w c:\documents and settings\Le\Local Settings\Application Data\WMTools Downloaded Files
2009-04-20 02:01 . 2009-05-11 01:11 -------- d--h--w C:\$AVG8.VAULT$
2009-04-20 01:57 . 2009-05-01 14:57 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-20 01:57 . 2009-05-01 14:56 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-20 01:56 . 2009-05-01 14:57 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-20 01:56 . 2009-05-11 14:39 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-20 01:56 . 2009-04-20 01:56 -------- d-----w c:\program files\AVG
2009-04-20 01:05 . 2009-04-20 01:05 -------- d-----w c:\program files\MSXML 6.0
2009-04-20 00:22 . 2009-04-20 00:22 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-15 02:42 . 2009-04-15 02:42 -------- d-----w c:\windows\Quest Ragnarok

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 15:29 . 2004-08-03 21:14 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-10 04:45 . 2008-08-04 07:10 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-07 18:24 . 2008-11-12 03:31 -------- d-----w c:\program files\Starcraft
2009-04-30 03:35 . 2007-08-01 16:01 -------- d-----w c:\program files\Lavasoft
2009-04-30 02:19 . 2007-07-16 21:14 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-24 23:08 . 2008-04-10 23:52 -------- d-----w c:\program files\XP Codec Pack
2009-04-22 06:22 . 2007-12-21 05:19 -------- d-----w c:\program files\Winamp
2009-04-20 01:37 . 2008-09-13 04:24 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-14 23:49 . 2007-07-04 01:21 65536 ----a-w c:\windows\IFinst27.exe
2009-03-14 19:52 . 2009-03-14 19:52 -------- d-----w c:\program files\XBCD
2009-03-14 19:38 . 2009-03-14 19:38 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-03-14 19:38 . 2009-03-14 19:38 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2009-03-14 19:05 . 2009-03-14 18:50 -------- d-----w c:\program files\Microsoft Xbox 360 Accessories
2009-03-06 14:44 . 2004-08-03 22:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:30 . 2004-08-03 22:56 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-03 22:56 81920 ----a-w c:\windows\system32\ieencode.dll
2008-08-12 15:23 . 2008-08-12 14:53 413638 ----a-w c:\program files\setuplog.txt
.

((((((((((((((((((((((((((((( SnapShot@2009-05-10_15.45.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-11 22:22 . 2009-05-11 22:22 16384 c:\windows\Temp\Perflib_Perfdata_5dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-30 516440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"sureshotpopupkiller"="c:\program files\Stop-the-Pop-Up\stopthepop.exe" [2003-05-20 2240512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-10 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 14:57 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux1"= ctwdm32.dll
"wave4"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2009 10:37 PM 64160]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/19/2009 8:56 PM 325896]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/19/2009 8:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/19/2009 8:56 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/19/2009 8:56 PM 298776]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 953168]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [5/24/2002 11:52 AM 10368]
.
Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 03:37]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath - c:\documents and settings\Le\Application Data\Mozilla\Firefox\Profiles\0ekbuvoj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - http://www.msn.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 17:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-05-11 17:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-11 22:33
ComboFix2.txt 2009-05-10 15:59

Pre-Run: 1,630,076,928 bytes free
Post-Run: 1,664,532,480 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
159 --- E O F --- 2009-04-19 00:54
foxs
 
Posts: 4
Joined: Sat May 09, 2009 4:40 pm

Re: Firefox redirecting to suspicious sites

Postby patrik » Tue May 12, 2009 1:16 pm

Combofix log looks ok.

Firefox is still redirecting to suspicious sites?
No problems with Internet Explorer?
patrik
Site Admin
 
Posts: 8602
Joined: Sun Jan 08, 2006 1:11 pm

Re: Firefox redirecting to suspicious sites

Postby foxs » Wed May 13, 2009 7:51 am

Thank you so much patrik, they've stopped completely!
I appreciate your time and energy.

I used some programs you recommended and they work wonders.
http://myantispyware.com/forum/purchased-a-new-computer-what-security-software-you-suggest-t419.html
foxs
 
Posts: 4
Joined: Sat May 09, 2009 4:40 pm

Re: Firefox redirecting to suspicious sites

Postby patrik » Wed May 13, 2009 3:19 pm

Glad to help you :)

Uninstall Combofix.
Click Start > Run - type ComboFix /u


Disable System Restore to flush out infected restore points. Reboot your computer again. Turn on Windows System Restore. After that, click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. Click on "Create a new restore point" > click on NEXT and follow the prompts.

Safe surfing.
patrik
Site Admin
 
Posts: 8602
Joined: Sun Jan 08, 2006 1:11 pm

