DragonMaster Jay, here is the post. I started the system in safe mode and first ran the rkill program, which seemed to work. After that I ran the ComboFix and here is the log:
ComboFix 10-04-21.01 - ppratt 04/24/2010 17:00:00.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.677 [GMT -4:00]
Running from: c:\documents and settings\Cressida Silvers\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf\vixqnsftssd.exe
c:\windows\asam.exe
c:\windows\eSellerateEngine.dll
c:\windows\herjek.config
.
((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.
2010-04-23 17:43 . 2010-04-23 17:43 61184 ----a-w- c:\documents and settings\Cressida Silvers\Local Settings\Application Data\syssvc.exe
2010-04-23 17:41 . 2010-04-24 21:04 -------- d-----w- c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf
2010-04-10 23:51 . 2010-04-10 23:51 -------- d-----w- c:\program files\WindSolutions
2010-04-10 23:51 . 2010-04-10 23:54 -------- d-----w- c:\documents and settings\Cressida Silvers\Application Data\WindSolutions
2010-04-10 23:51 . 2010-04-10 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 20:33 . 2008-07-18 16:05 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-22 16:39 . 2010-01-05 21:10 40252 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-16 00:19 . 2005-10-20 14:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-25 18:14 . 2005-04-22 19:08 46800 ----a-w- c:\documents and settings\Cressida Silvers\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2005-06-22 17:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2005-06-22 17:52 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-06-22 17:49 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2004-08-03 23:18 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-06-22 17:46 100864 ------w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-06-22 17:51 226880 ------w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 19:57 . 2010-02-09 19:57 45056 ----a-w- c:\documents and settings\Cressida Silvers\Application Data\Sun\Java\Deployment\cache\javaws\http\Dqedoc.net\P80\DMqqp\RNlibraries.jar\jniwrap.dll
2005-07-01 15:55 . 2005-07-01 15:55 2649 ----a-w- c:\program files\Psyllids at Andytown update.eml
2004-05-19 13:51 . 2006-08-31 17:41 10339 ----a-w- c:\program files\sas91_859417.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Cressida Silvers\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-19 135664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2003-12-17 1241138]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 69632]
"HP SchedIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [2002-01-03 94208]
"HP AutoIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [2002-01-03 90112]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-20 244208]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2008-04-07 113136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"MPlayer2_FixUp"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]
c:\documents and settings\ppratt\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]
c:\documents and settings\Cressida Silvers\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-7-7 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-30 113664]
HP LaserJet Director.lnk - c:\program files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe [2005-6-28 204800]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"filteradministratortoken"= 1 (0x1)
"ReportControllerMissing"= 1 (0x1)
"LogonType"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"PreXPSP2ShellProtocolBehavior"= 0 (0x0)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gateway\\HPA\\GWMenu.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\Retrospect\\Retrospect Client\\retroclient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S2 Retrospect Client;Retrospect Client;c:\program files\Retrospect\Retrospect Client\RemotSvc.exe [3/20/2006 10:39 AM 61440]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [5/20/2008 9:15 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/20/2008 9:13 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/20/2008 9:13 AM 166384]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/15/2009 1:31 PM 17149]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/13/2009 11:54 AM 101936]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [5/20/2008 9:15 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/20/2008 9:12 AM 1120752]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [8/15/2009 1:31 PM 384608]
.
Contents of the 'Scheduled Tasks' folder
2010-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-861567501-682003330-1003Core.job
- c:\documents and settings\Cressida Silvers\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-19 22:41]
2010-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-861567501-682003330-1003UA.job
- c:\documents and settings\Cressida Silvers\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-19 22:41]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF}
FF - ProfilePath - c:\documents and settings\Cressida Silvers\Application Data\Mozilla\Firefox\Profiles\w1zfhx73.Default User 2\
FF - prefs.js: browser.startup.homepage - hxxp://cnn.com
FF - plugin: c:\documents and settings\Cressida Silvers\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Cressida Silvers\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13117.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-chwgonkc - c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf\vixqnsftssd.exe
HKCU-Run-asam - c:\windows\asam.exe
HKLM-Run-chwgonkc - c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf\vixqnsftssd.exe
HKLM-Run-asam - c:\windows\asam.exe
AddRemove-McAfee Security Scan - c:\program files\McAfee Security Scan\uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-24 17:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-04-24 17:10:19
ComboFix-quarantined-files.txt 2010-04-24 21:10
Pre-Run: 8,021,364,736 bytes free
Post-Run: 12,825,636,864 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - EB5129E6AA2056EE64DF83BE96E018F7