I hope I did this right. I thought it worked, but now my internet is acting funny (I'm having to post this from another computer....)
1. Combo Log

ComboFix 08-09-22.06 -
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\system32\NpXHNXbc.ini
C:\xcrashdump.dat
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-22 18:27 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-22 18:25 . 2008-09-22 18:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-22 18:23 . 2008-09-22 18:23 <DIR> d-------- C:\WINDOWS\Sun
2008-09-21 22:09 . 2008-09-21 22:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 22:09 . 2008-09-21 22:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-21 22:09 . 2008-09-21 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 22:09 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 22:09 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 20:19 . 2008-09-21 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-21 20:18 . 2008-09-21 20:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-21 20:18 . 2008-09-21 20:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-09-21 20:14 . 2008-09-21 20:14 <DIR> d-------- C:\Program Files\CCleaner
2008-09-14 21:18 . 2008-09-14 21:18 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-09-14 18:34 . 2008-09-14 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-09-14 15:22 . 2008-09-23 18:41 902 --a------ C:\WINDOWS\QUICKEN.INI
2008-09-14 15:21 . 2008-09-14 15:21 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-09-14 15:20 . 2008-09-23 18:41 <DIR> d-------- C:\Program Files\Quicken
2008-09-14 15:04 . 2008-09-14 15:04 1,987 -rahs---- C:\WINDOWS\system32\drivers\HP_Pavilion zv5200 (PF144UA ABA)_YN_Pavi_QCND426_E_4_I08A0_SCompal_V32.22_BF.11_T040430_WXH2_L409_M512_J80_7AMD_8Athlon 64 3200+_91.99_1104C8026_N_P104CAC54_Z10DE00D9_K_A10DE00DA_U10DE00D7_G10DE0179.MRK
2008-09-14 15:01 . 1999-11-10 11:05 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2008-09-14 15:00 . 2008-09-23 18:39 <DIR> d-------- C:\Program Files\QuickTime
2008-09-14 15:00 . 2008-09-14 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-09-14 14:44 . 2008-09-22 18:27 <DIR> d-------- C:\Program Files\Java
2008-09-14 14:43 . 2008-09-14 14:43 <DIR> d-------- C:\Program Files\Common Files\Sonic
2008-09-14 14:43 . 2008-09-14 14:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-14 14:43 . 2008-09-14 14:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sonic
2008-09-14 14:41 . 2008-09-14 14:41 <DIR> d-------- C:\Program Files\Sonic
2008-09-14 14:41 . 2008-09-14 14:41 <DIR> d-------- C:\Program Files\RecordNow!
2008-09-14 14:41 . 2008-09-14 14:41 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-09-14 14:39 . 2008-09-14 14:39 <DIR> d-------- C:\i386
2008-09-14 14:39 . 2003-08-18 00:16 65,536 --------- C:\WINDOWS\system32\QlbServr.exe
2008-09-14 14:39 . 2003-08-18 00:00 49,152 -r------- C:\WINDOWS\system32\eabcoins.dll
2008-09-14 14:08 . 2008-09-14 14:08 79 --a------ C:\WINDOWS\system32\NVU003.nvu
2008-09-13 23:04 . 2008-09-14 10:24 149 --a------ C:\WINDOWS\wininit.ini
2008-09-13 22:39 . 2008-09-13 22:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-13 22:39 . 2008-09-23 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-13 21:54 . 2008-09-13 21:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-13 21:54 . 2008-09-13 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-13 18:49 . 2003-05-22 19:55 483,328 --a------ C:\WINDOWS\system32\hphmon05.exe
2008-09-13 18:48 . 2008-09-13 18:49 18,403 --a------ C:\WINDOWS\HPHins01.dat
2008-09-13 18:48 . 2003-05-22 19:44 6,848 --a------ C:\WINDOWS\system32\hphmon05.dat
2008-09-13 18:48 . 2003-05-22 19:44 4,308 --------- C:\WINDOWS\hphmdl01.dat
2008-09-13 18:44 . 2008-09-13 18:44 <DIR> d-------- C:\swsetup
2008-09-13 18:44 . 2002-10-15 09:13 32,356 --------- C:\WINDOWS\system32\pusbfd1.sys
2008-09-13 18:44 . 2002-10-15 09:13 26,629 --------- C:\WINDOWS\system32\pusbfd2.vxd
2008-09-13 18:42 . 2004-08-03 10:08 3,125,248 --a------ C:\WINDOWS\system32\hpqPres.dll
2008-09-13 18:42 . 2004-08-03 10:33 221,184 --a------ C:\WINDOWS\system32\cpqinfo.dll
2008-09-13 18:42 . 2004-07-30 08:33 65,536 --a------ C:\WINDOWS\system32\hpqactn.dll
2008-09-13 18:42 . 2004-04-13 10:30 32,768 --a------ C:\WINDOWS\system32\eabhbrn8.dll
2008-09-13 18:42 . 2003-08-17 23:57 7,080 -r------- C:\WINDOWS\system32\drivers\eabfiltr.sys
2008-09-13 18:42 . 2003-06-05 21:46 5,220 -r------- C:\WINDOWS\system32\drivers\eabusb.sys
2008-09-13 18:38 . 2008-09-13 18:38 <DIR> d-------- C:\Program Files\muvee Technologies
2008-09-13 18:38 . 2008-09-13 18:38 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-09-13 18:38 . 2008-09-13 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-09-13 18:36 . 2003-07-25 07:50 137 --a------ C:\WINDOWS\system32\oeminfo.ini
2008-09-13 18:35 . 2008-09-14 14:21 <DIR> d-------- C:\Program Files\InterVideo
2008-09-13 18:34 . 2004-05-11 03:48 5,760,056 -ra------ C:\WINDOWS\Blue Sonic.bmp
2008-09-13 18:34 . 2003-01-24 06:27 22,198 -ra------ C:\WINDOWS\system32\OEMLogo.bmp
2008-09-13 18:34 . 2004-01-06 12:00 13,942 -ra------ C:\WINDOWS\accessories.ico
2008-09-13 18:34 . 2004-02-24 09:20 4,286 -ra------ C:\WINDOWS\hpmusic.ico
2008-09-13 18:33 . 2008-09-14 14:17 <DIR> d-------- C:\Program Files\HPQ
2008-09-13 18:33 . 2003-05-24 05:49 5,760,056 -ra------ C:\WINDOWS\Fractal Blue.bmp
2008-09-13 18:33 . 2003-05-24 05:44 5,760,056 -ra------ C:\WINDOWS\Crystal Rush.bmp
2008-09-13 18:30 . 2008-09-13 18:30 79 --a------ C:\WINDOWS\system32\NVU002.nvu
2008-09-13 17:46 . 2007-11-20 21:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-09-13 17:46 . 2008-09-13 17:46 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-11 19:16 . 2008-09-13 18:48 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-09-11 19:16 . 2008-09-11 19:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-09-11 16:45 . 2008-09-22 18:55 <DIR> d-------- C:\QUARANTINE
2008-09-11 16:36 . 2008-09-11 16:36 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-09-11 16:36 . 2008-09-11 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-11 16:36 . 2007-10-25 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-09-11 16:36 . 2007-10-25 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-09-11 16:35 . 2008-05-22 20:50 174,952 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-09-11 16:35 . 2008-05-22 20:50 72,936 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-09-11 16:35 . 2008-05-22 20:50 64,232 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-09-11 16:35 . 2008-05-22 20:50 52,104 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-09-11 16:35 . 2008-05-22 20:50 33,960 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-09-11 16:34 . 2008-09-11 16:36 <DIR> d-------- C:\Program Files\McAfee
2008-09-11 16:34 . 2008-09-11 16:34 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-09-08 21:42 . 2008-09-13 18:50 <DIR> d-a------ C:\hp
2008-09-05 20:28 . 2008-09-21 21:59 722,135 --ahs---- C:\WINDOWS\system32\NpXHNXbc.ini2
2008-08-30 18:56 . 2008-08-30 18:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DeepBurner
2008-08-27 15:26 . 2008-08-27 16:45 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 00:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-24 00:36 --------- d-----w C:\Program Files\iPod
2008-09-22 02:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-15 03:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-15 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-11 22:01 --------- d-----w C:\Program Files\WinFF
2008-09-09 02:22 --------- d-----w C:\Program Files\Rhapsody
2008-09-09 01:29 --------- d-----w C:\Program Files\E.M. DVD Copy
2008-09-08 01:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\DVD Flick
2008-08-30 00:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Winff
2008-08-19 19:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\ICAClient
2008-08-19 19:19 --------- d-----w C:\Program Files\Citrix
2008-08-19 01:36 --------- d-----w C:\Program Files\dvdSanta
2008-08-17 03:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2008-08-12 02:13 --------- d-----w C:\Program Files\iSofter
2008-08-10 23:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-08-10 22:14 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-08-10 21:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVS4YOU
2008-08-10 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-05 01:21 --------- d-----w C:\Program Files\Common Files\HP
.
------- Sigcheck -------
2003-03-31 13:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-09-11 16:02 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 4730880]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-05-22 483328]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2004-04-07 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 C:\WINDOWS\AGRSMMSG.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"VIDC.X264"= x264vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-NBKeyScan - C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
HKLM-Run-iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fmpr7v5j.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-09-23 19:15:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?
?6?8?1?9??`?
???B?
??B?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-23 19:18:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-24 01:18:07
Pre-Run: 63,931,068,416 bytes free
Post-Run: 64,030,593,024 bytes free
221 --- E O F --- 2008-09-23 03:39:32