thanks for your help with my problem. while running the combofix program, my anti-virus (kaspersky) detected the following: Trojan.Win32.Inject.mf. of course, i've run previous scans, but this was never detected.
the two logs are posted below.
ComboFix 07-12-07.3 - customer 2007-12-07 7:04:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.228 [GMT -5:00]Running from: C:\Documents and Settings\customer\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.
2007-12-06 15:51 . 2007-12-06 15:51 <DIR> d-------- C:\Program Files\NETGEAR
2007-12-06 15:51 . 2004-07-12 21:02 843,776 -ra------ C:\WINDOWS\system32\AegisE5.dll
2007-12-06 15:51 . 2004-04-18 16:43 651,264 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-06 15:51 . 2004-08-04 18:11 397,152 --a------ C:\WINDOWS\system32\drivers\wg51und5.sys
2007-12-06 15:51 . 2004-04-18 16:43 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-12-06 15:51 . 2004-07-12 21:02 110,592 -ra------ C:\WINDOWS\system32\AegisI5.exe
2007-12-06 15:51 . 2003-07-24 12:10 17,149 --a------ C:\WINDOWS\system32\DNINDIS5.sys
2007-12-06 15:51 . 2007-12-06 15:51 15,781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2007-12-06 07:45 . 2002-04-12 10:06 73,728 --a------ C:\WINDOWS\system32\AW32n50.dll
2007-12-06 07:45 . 2002-04-11 17:43 16,194 --a------ C:\WINDOWS\system32\AWINDIS5.SYS
2007-12-05 22:02 . 2007-12-05 22:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-05 22:02 . 2007-12-05 22:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-04 12:59 . 2007-12-04 12:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 10:12 . 2007-12-02 10:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-02 10:12 . 2007-12-02 10:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-02 10:12 . 2007-12-02 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 07:30 . 2007-12-02 07:30 <DIR> d-------- C:\Program Files\ltmoh
2007-12-02 07:29 . 2007-12-02 07:29 <DIR> d-------- C:\WINDOWS\Options
2007-11-29 20:38 . 2007-11-29 20:38 <DIR> d-------- C:\Documents and Settings\Tash\Application Data\Apple Computer
2007-11-25 13:31 . 2007-11-25 13:31 <DIR> d-------- C:\Documents and Settings\Tash\Application Data\vlc
2007-11-25 13:08 . 2007-11-25 13:08 <DIR> d-------- C:\Documents and Settings\Tash\Application Data\Talkback
2007-11-25 12:54 . 2007-02-01 03:18 <DIR> d-------- C:\Documents and Settings\Tash\WINDOWS
2007-11-23 10:29 . 2007-11-23 10:29 <DIR> d-------- C:\Documents and Settings\Rachel\Application Data\IBM
2007-11-18 18:19 . 2007-11-18 18:19 <DIR> d-------- C:\Documents and Settings\customer\Application Data\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 12:14 24,075,552 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-07 12:13 1,578,272 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-07 12:00 --------- d-----w C:\Program Files\Kaspersky Lab
2007-12-07 03:59 325,460 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-07 03:59 151,856 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-06 20:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-06 02:56 --------- d-----w C:\Program Files\BearShare
2007-12-06 02:09 --------- d-----w C:\Program Files\Java
2007-12-04 17:57 --------- d-----w C:\Program Files\DivX
2007-12-04 15:52 --------- d-----w C:\Documents and Settings\customer\Application Data\MSN6
2007-12-02 22:56 --------- d-----w C:\Program Files\PC-Doctor for Windows
2007-12-02 13:30 --------- d-----w C:\Program Files\a-squared Free
2007-12-02 12:28 --------- d-----w C:\Program Files\InterVideo
2007-12-02 11:48 --------- d-----w C:\Program Files\Snood
2007-12-02 11:48 --------- d-----w C:\Program Files\Common Files\aol
2007-11-20 01:07 --------- d-----w C:\Program Files\Picasa2
2007-11-17 15:29 10,068,261 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 23:49 --------- d-----w C:\Documents and Settings\Rachel\Application Data\Talkback
2007-10-17 22:27 --------- d-----w C:\Program Files\AIM
2007-10-17 22:26 --------- d-----w C:\Documents and Settings\customer\Application Data\Aim
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-12 16:03 C:\WINDOWS\system32\Ati2mdxx.exe]
"TrackPointSrv"="tp4serv.exe" [2002-03-20 06:05 C:\WINDOWS\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [2002-02-22 01:04 C:\WINDOWS\system32\TP4EX.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2002-05-30 00:01]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-11-08 21:28]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 17:29]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2002-07-15 02:20]
"AGRSMMSG"="AGRSMMSG.exe" [2002-02-23 10:37 C:\WINDOWS\AGRSMMSG.exe]
"BMMGAG"="RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" []
"tcrinit"="C:\WINDOWS\svcwinra.exe" [2007-04-17 12:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"RegistryMechanic"="" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG511U Smart Wizard.lnk - C:\Program Files\NETGEAR\WG511U Configuration Utility\wlancfgu.exe [2007-12-06 15:51:18]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
backup=C:\WINDOWS\pss\Ralink Wireless Utility.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-25 19:52 50736 --a------ C:\Program Files\Common Files\AOL\1174254876\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server
R0 axwhisky;axwhisky;C:\WINDOWS\system32\DRIVERS\axwhisky.sys
R0 axwskbus;axwskbus;C:\WINDOWS\system32\DRIVERS\axwskbus.sys
R1 DSMBATT;DSMBATT;C:\WINDOWS\system32\drivers\DSMBATT.SYS
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
S3 wg51und5;NETGEAR WG511U Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wg51und5.sys
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 12:12:58 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\Bmmtask.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-12-07 07:14:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\poof]
.
Completion time: 2007-12-07 7:17:39
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:28 AM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\svcwinra.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NETGEAR\WG511U Configuration Utility\wlancfgu.exe
C:\WINDOWS\resfilter32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [tcrinit] C:\WINDOWS\svcwinra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: NETGEAR WG511U Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) -
http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.micros...b?1171589225082
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5130 bytes