jimmyf
regular
Reg'd: Thu
Posts: 58
Re: help with father-in-laws hijack this log please
Sun Feb 17 2008 10:01 AM
Hope this is it. I've disabled Spybot as instructed. I did notice that when I ran ComboFix on its own it shows completed stages 1 to 43, but when CFScript is added the completed list runs from stage 2 to stage 43; not sure if that matters.
ComboFix 08-02-14.2 - david douglas 2008-02-17 9:46:19.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.306 [GMT 0:00]
Running from: C:\Documents and Settings\david douglas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\david douglas\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\append.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-14 10:31 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 13:07 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-14 10:30 . 2008-02-14 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 10:22 . 2008-02-14 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-13 20:08 . 2008-02-13 20:08 0 --a------ C:\WINDOWS\SETUP32.INI
2008-02-13 19:55 . 2008-02-13 19:55 <DIR> d-------- C:\Program Files\directx
2008-02-13 19:51 . 2008-02-13 19:51 36 --a------ C:\WINDOWS\Tiny_Run.ini
2008-02-13 19:49 . 2008-02-13 19:49 <DIR> d-------- C:\Program Files\Zoo
2008-02-13 19:49 . 2004-02-20 22:20 131,072 -ra------ C:\WINDOWS\system32\duninstall.exe
2008-02-13 19:49 . 2008-02-13 19:49 47 --a------ C:\WINDOWS\1.0
2008-02-12 16:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 16:54 . 2008-02-12 16:55 <DIR> d-------- C:\Program Files\Java
2008-02-12 16:19 . 2008-02-12 16:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-12 12:11 . 2008-02-12 12:11 <DIR> d-------- C:\Program Files\ToniArts
2008-02-12 10:53 . 2008-02-12 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 17:31 . 2008-02-11 17:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 17:31 . 2008-02-11 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 11:29 . 2008-02-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 20:49 . 2008-02-10 20:49 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Spybot - Search & Destroy
2008-02-10 20:49 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\AVG7
2008-02-10 20:48 . 2008-02-10 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:10 . 2008-02-10 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 19:08 . 2008-02-10 19:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 19:06 . 2008-02-10 19:06 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 18:32 . 2008-02-11 13:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-10 18:17 . 2008-02-17 09:30 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\david douglas\Application Data\Simply Super Software
2008-02-10 18:17 . 2008-02-12 20:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 18:17 . 2008-02-10 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-10 18:17 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-10 18:17 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-10 18:17 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-10 18:17 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-10 18:17 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-10 18:14 . 2008-02-10 18:14 <DIR> d-------- C:\Program Files\AML Products
2008-02-10 18:14 . 1998-12-24 20:23 40,960 --a------ C:\WINDOWS\system32\VBAME.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 12:30 --------- d-----w C:\Program Files\BitComet
2008-02-14 08:56 --------- d-----w C:\Program Files\Dl_cats
2008-02-14 08:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 19:15 --------- d-----w C:\Documents and Settings\david douglas\Application Data\Lavasoft
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 18:09 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 19:36 729178]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 13:58 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 07:45 430080]
"MemoryCardManager"="" []
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [2007-10-14 13:10 333472]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 06:39 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-12-04 21:03 36640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 20:49 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 08:19]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 09:51:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
.
**************************************************************************
.
Completion time: 2008-02-17 9:53:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 09:53:25
ComboFix2.txt 2008-02-16 10:56:32
ComboFix3.txt 2008-02-15 14:20:20
ComboFix4.txt 2008-02-12 17:29:03
.
2008-02-16 10:29:37 --- E O F ---
Thanks again, Jim