Thank you. Here is my Combofix log file:
ComboFix 10-05-10.02 - Administrator 05/11/2010 9:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.631.400 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\ezpinst.log
c:\windows\system32\VB6KO.DLL
c:\windows\YAHELITE.INI
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.
2010-05-10 08:36 . 2010-04-29 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-10 08:36 . 2010-04-29 10:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 10:30 . 2010-05-06 10:30 115004 ----a-w- c:\documents and settings\Administrator\Application Data\OpenCandy\WeFiSetup_5_142_513Wrapped.exe
2010-05-06 10:30 . 2010-05-06 10:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenCandy
2010-05-06 04:36 . 2010-05-06 04:36 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
2010-05-06 02:45 . 2010-05-06 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2010-04-18 02:47 . 2010-04-18 02:47 -------- d--h--w- c:\windows\PIF
2010-04-17 14:46 . 2010-04-17 14:46 -------- d-----w- c:\windows\Sun
2010-04-17 14:46 . 2010-04-17 14:46 -------- d-----w- c:\program files\Common Files\Java
2010-04-17 14:45 . 2010-04-17 14:44 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 14:44 . 2010-04-17 14:44 -------- d-----w- c:\program files\Java
2010-04-17 13:07 . 1998-07-21 18:30 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2010-04-17 13:05 . 2010-04-17 13:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
2010-04-17 13:04 . 2010-04-17 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-04-17 12:59 . 2007-01-08 16:47 27168 ------w- c:\windows\system32\msxml3a.dll
2010-04-17 12:56 . 2007-01-08 16:47 502816 ------w- c:\windows\system32\msvcp71.dll
2010-04-17 12:56 . 2007-01-08 16:47 351264 ------w- c:\windows\system32\msvcr71.dll
2010-04-17 12:55 . 2010-04-17 12:55 -------- d-----w- c:\program files\CyberLink
2010-04-17 11:50 . 2010-04-17 11:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2010-04-11 16:17 . 2010-04-11 16:17 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-04-11 16:17 . 2010-04-11 16:17 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-04-11 15:27 . 2010-05-06 02:23 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-11 15:27 . 2010-05-06 02:23 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-11 15:24 . 2010-05-11 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-11 15:24 . 2010-04-11 15:24 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-11 15:12 . 2010-04-11 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 03:53 . 2010-02-12 14:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\DMCache
2010-05-10 09:30 . 2010-03-06 07:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-05-10 08:37 . 2010-01-28 17:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-17 13:14 . 2010-01-30 08:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2010-04-11 15:18 . 2010-01-26 15:30 -------- d-----w- c:\program files\COMODO
2010-04-01 09:14 . 2010-04-01 09:14 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e39d902-n\msvcp71.dll
2010-04-01 09:14 . 2010-04-01 09:14 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e39d902-n\jmc.dll
2010-04-01 09:14 . 2010-04-01 09:14 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2e39d902-n\msvcr71.dll
2010-04-01 09:13 . 2010-04-01 09:13 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-735418e4-n\decora-sse.dll
2010-04-01 09:13 . 2010-04-01 09:13 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-735418e4-n\decora-d3d.dll
2010-03-13 13:44 . 2010-02-12 14:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\IDM
2010-03-13 12:59 . 2010-02-12 14:14 -------- d-----w- c:\program files\Internet Download Manager
2010-03-13 02:04 . 2010-03-13 01:58 3153784 ----a-w- c:\documents and settings\Administrator\Application Data\IDM\idmupdt.exe
2010-03-10 06:15 . 2004-09-01 00:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-09-01 00:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-09-01 00:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 03:40 . 2004-09-01 00:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 17:25 . 2010-01-26 16:09 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 14:15 . 2010-02-12 14:15 198064 ----a-w- c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-02-12 04:33 . 2004-09-01 00:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 02:11 . 2010-02-06 09:00 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-11 12:02 . 2004-09-01 00:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-11-11 3171760]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-28 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-02-21 28675]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-04-24 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-04-24 106496]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 46592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-20 340456]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\utorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [5/6/2010 10:06 AM 33824]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1060284298-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 15:14]
2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1060284298-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 15:14]
2010-05-11 c:\windows\Tasks\User_Feed_Synchronization-{207454FA-0C73-4089-962C-1746A52F7C4B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 23:01]
.
.
------- Supplementary Scan -------
.
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cq0ekils.default\
FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\Mozilla *Blocked Russian URL*\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-05-11 09:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-299502267-1060284298-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,59,2c,03,53,44,8f,4e,a9,aa,5b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,59,2c,03,53,44,8f,4e,a9,aa,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):e7,9d,60,d9,59,56,fb,bb,99,ea,ea,a7,fb,0c,45,79,94,53,f6,06,a2,
03,76,8d,31,9e,9a,a6,c7,77,73,89,d5,03,69,68,0e,02,39,2d,00,00,00,00,00,00,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{87bf9f6e-1abd-4994-80ac-6f3e63a9ca40}]
@Denied: (Full) (Everyone)
"Model"=dword:00000063
"Therad"=dword:00000001
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1064)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\program files\Internet Download Manager\idmmkb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\windows\SOUNDMAN.EXE
c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\windows\system32\logon.scr
.
**************************************************************************
.
Completion time: 2010-05-11 09:29:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-11 03:59
Pre-Run: 13,243,813,888 bytes free
Post-Run: 13,149,892,608 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - FEF9598E5635430DD2D1F27F0E3973BA