And the ComboFix.
ComboFix 13-04-10.01 - My Pc 04/10/2013 12:27:22.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1404 [GMT 3:00]
Running from: c:\documents and settings\My Pc\My Documents\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\CE325E3666.sys
C:\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2013-03-10 to 2013-04-10 )))))))))))))))))))))))))))))))
.
.
2013-04-10 09:22 . 2013-04-10 09:22 -------- d-----w- c:\windows\LastGood
2013-04-06 06:59 . 2013-04-06 06:59 -------- d-----w- c:\documents and settings\My Pc\Local Settings\Application Data\Adobe
2013-04-06 05:48 . 2013-04-06 05:48 -------- d-----w- C:\_OTL
2013-04-05 20:49 . 2013-04-05 20:49 -------- d-sh--w- c:\documents and settings\My Pc\IECompatCache
2013-04-05 11:06 . 2013-04-05 11:06 -------- d-----w- c:\program files\Common Files\Adobe
2013-04-03 12:25 . 2013-04-03 12:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-03 12:25 . 2012-12-14 13:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-23 18:00 . 2013-03-23 18:00 -------- d-----w- c:\program files\CCleaner
2013-03-23 17:45 . 2013-03-23 17:45 -------- d-----w- c:\documents and settings\My Pc\Application Data\Malwarebytes
2013-03-23 17:45 . 2013-04-03 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-03-22 08:52 . 2013-03-22 08:52 -------- d-----w- c:\windows\system32\wbem\Repository
2013-03-22 08:50 . 2013-03-22 08:50 -------- d-----w- c:\documents and settings\My Pc\Local Settings\Application Data\WMTools Downloaded Files
2013-03-22 08:50 . 2013-03-22 08:50 -------- d--h--w- c:\windows\PIF
2013-03-22 08:50 . 2013-03-22 08:50 -------- d-----w- c:\windows\PixArt
2013-03-22 08:50 . 2013-03-22 08:50 -------- d-----w- c:\program files\Common Files\PCCamera
2013-03-22 08:50 . 2013-03-22 08:50 -------- d-----w- c:\windows\Downloaded Installations
2013-03-22 08:50 . 2013-03-22 08:50 -------- d-----w- c:\program files\Trust
2013-03-22 08:47 . 2013-03-22 08:47 -------- d-----w- c:\program files\MSXML 4.0
2013-03-22 08:45 . 2013-03-22 08:45 -------- d-----w- c:\windows\system32\Lang
2013-03-22 08:45 . 2013-03-22 08:45 -------- d-----w- c:\windows\system32\RTCOM
2013-03-22 08:45 . 2013-03-22 08:45 -------- d-----w- c:\program files\Realtek
2013-03-22 08:45 . 2013-03-22 08:45 -------- d-----w- c:\documents and settings\My Pc\Application Data\InstallShield
2013-03-22 08:44 . 2013-03-22 08:44 -------- d-----w- c:\program files\Microsoft Works
2013-03-22 08:43 . 2013-03-22 08:43 -------- d-----w- c:\documents and settings\My Pc\Local Settings\Application Data\Microsoft Help
2013-03-22 08:43 . 2013-03-22 08:43 -------- d-----w- c:\documents and settings\My Pc\Local Settings\Application Data\Help
2013-03-18 15:30 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-18 15:27 . 2013-03-22 08:39 -------- d-s---w- c:\documents and settings\Administrator
2013-03-18 15:20 . 2013-03-18 15:20 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2013-03-18 09:06 . 2013-03-18 09:06 -------- d-----w- c:\documents and settings\My Pc\Local Settings\Application Data\visi_coupon
2013-03-16 22:47 . 2013-03-16 22:47 -------- d-----w- c:\documents and settings\My Pc\Local Settings\Application Data\Nero
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-20 19:39 . 2013-02-20 19:39 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-20 19:39 . 2013-02-20 19:30 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-20 19:12 . 2013-02-20 19:07 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2013-02-20 18:19 . 2013-02-20 18:19 315392 ----a-w- c:\windows\HideWin.exe
2013-02-12 00:32 . 2008-04-14 14:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2008-04-14 14:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2008-04-14 14:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2008-04-14 14:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2008-04-14 14:00 385024 ----a-w- c:\windows\system32\html.iec
2013-01-26 03:55 . 2008-04-14 14:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-19 2029640]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/19/2009 12:44 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/19/2009 12:45 PM 93848]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/19/2009 12:44 PM 731840]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [2/24/2005 1:29 PM 162176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-02 12:48 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.43\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-20 19:39]
.
2013-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-21 08:43]
.
2013-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-21 08:43]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\My Pc\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\My Pc\Application Data\Mozilla\Firefox\Profiles\zo8gqx88.default\
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-03-18 11:07; {635abd67-4fe9-1b23-4f01-e679fa7484c1}; c:\documents and settings\My Pc\Application Data\Mozilla\Firefox\Profiles\zo8gqx88.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-04-10 12:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3944)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-04-10 12:31:53
ComboFix-quarantined-files.txt 2013-04-10 09:31
.
Pre-Run: 1,892,757,504 bytes free
Post-Run: 1,883,181,056 bytes free
.
- - End Of File - - 2F6287257BCB8200C807791F2D38B99D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Huh? When I ran ComboFix (and disabled my antivirus) my internet was disconnected, and when I restarted, everything went back to normal.
And, it didn't ask me to restart it. Strange.
Anyway, the problem is still here