Here are the addresses of the first two file scans:
http://virusscan.jotti.org/en/scanresult/e6852ba9f5888fca2f933434f3accef4b4eb4b49
http://virusscan.jotti.org/en/scanresult/b1128c2f49b2d1c2543fc22ed0c1b2aba36b7255/150ad70df8416dd28bc88abe502f9a8fea5a6d98
Here is the new ComboFix log:
ComboFix 10-09-03.02 - Gladimir 09/04/2010 7:35.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.530 [GMT -3:00]
Running from: c:\documents and settings\Gladimir\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gladimir\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FILE ::
"c:\windows\logo_1.exe"
"c:\windows\logo1_.exe"
"c:\windows\R.COM"
"c:\windows\RUNDL132.EXE"
"c:\windows\system32\runouce.exe"
"c:\windows\system32\T.COM"
"c:\windows\VDLL.DLL"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\R.COM
c:\windows\system32\T.COM
.
((((((((((((((((((((((((( Files Created from 2010-08-04 to 2010-09-04 )))))))))))))))))))))))))))))))
.
2010-09-03 04:28 . 2010-09-03 04:28 -------- d-----w- c:\documents and settings\Gladimir\Application Data\Artweaver
2010-09-03 04:28 . 2010-09-03 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Artweaver
2010-09-01 20:47 . 2010-09-01 20:47 -------- d-----w- c:\documents and settings\Gladimir\Application Data\Malwarebytes
2010-09-01 17:37 . 2010-09-01 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-09-01 17:35 . 2010-09-03 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-08-31 19:09 . 2010-08-31 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\MicroWorld
2010-08-31 18:59 . 2010-08-31 19:05 -------- d-----w- c:\documents and settings\Gladimir\Application Data\Download Manager
2010-08-30 22:11 . 2010-08-30 22:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}
2010-08-30 20:31 . 2010-08-30 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-08-30 05:16 . 2010-09-04 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-08-30 04:58 . 2010-08-30 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-28 19:02 . 2010-08-30 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-27 19:33 . 2008-10-15 21:02 -------- d-----w- c:\documents and settings\Gladimir\Application Data\InstallShield
2010-08-27 19:33 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\Gladimir\Application Data\SiteAdvisor
2010-08-19 23:27 . 2010-08-20 04:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-19 16:44 . 2010-08-20 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-17 05:30 . 2010-08-17 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 00:46 . 2010-08-17 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 04:28 . 2010-09-03 04:28 -------- d-----w- c:\program files\Artweaver 1.0
2010-09-03 04:18 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-03 02:48 . 2010-09-03 02:48 -------- d-----w- c:\program files\Common Files\Java
2010-09-03 02:47 . 2010-07-10 23:13 -------- d-----w- c:\program files\Java
2010-09-03 02:03 . 2010-09-03 02:03 388096 ----a-r- c:\documents and settings\Gladimir\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-03 02:02 . 2010-09-03 02:02 -------- d-----w- c:\program files\Trend Micro
2010-09-02 17:48 . 2010-09-02 17:48 344 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-01 17:42 . 2010-09-01 17:42 692224 ---ha-w- C:\SZKGFS.dat
2010-09-01 17:35 . 2010-09-01 17:35 -------- d-----w- c:\program files\Common Files\iS3
2010-09-01 05:24 . 2010-08-21 13:36 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-01 02:21 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-01 00:52 . 2010-09-01 00:43 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-08-31 19:26 . 2010-08-31 19:24 5392374 ----a-w- c:\windows\REGBK00.ZIP
2010-08-31 19:10 . 2010-08-31 19:10 632064 ----a-w- c:\windows\system32\msvcr80.dll
2010-08-31 19:10 . 2010-08-31 19:10 554240 ----a-w- c:\windows\system32\msvcp80.dll
2010-08-31 19:10 . 2010-08-31 19:10 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-08-31 19:10 . 2010-08-31 19:10 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-08-31 05:32 . 2010-08-31 05:26 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-30 23:25 . 2010-03-11 04:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-30 22:12 . 2010-08-30 22:12 -------- d-----w- c:\program files\Webroot
2010-08-30 04:58 . 2010-08-30 04:58 -------- d-----w- c:\program files\Alwil Software
2010-08-29 05:02 . 2010-08-29 05:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-29 02:34 . 2010-03-11 04:45 -------- d-----w- c:\program files\Norton SystemWorks
2010-08-29 01:53 . 2010-03-11 04:45 -------- d-----w- c:\program files\Symantec
2010-08-29 01:53 . 2010-03-11 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-27 19:44 . 2010-08-27 19:44 503808 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcp71.dll
2010-08-27 19:44 . 2010-08-27 19:44 499712 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\jmc.dll
2010-08-27 19:44 . 2010-08-27 19:44 61440 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-sse.dll
2010-08-27 19:44 . 2010-08-27 19:44 348160 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcr71.dll
2010-08-27 19:44 . 2010-08-27 19:44 12800 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-d3d.dll
2010-08-27 19:38 . 2010-08-27 19:36 65720 ----a-w- c:\documents and settings\Gladimir\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-21 10:35 . 2010-08-21 10:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-21 10:23 . 2010-08-27 19:33 38784 ----a-w- c:\documents and settings\Gladimir\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-20 04:49 . 2010-08-19 16:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-19 22:32 . 2010-05-27 08:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-19 21:37 . 2010-03-10 23:13 -------- d-----w- c:\program files\Windows Media Connect 2
2010-08-19 20:07 . 2010-08-19 19:52 164 ----a-w- c:\windows\install.dat
2010-08-18 00:30 . 2010-08-18 00:30 -------- d-----w- c:\program files\Panda Security
2010-08-17 05:30 . 2010-08-17 05:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 00:47 . 2010-08-17 00:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-17 00:12 . 2010-08-17 00:12 90112 ----a-w- c:\windows\system32\YmsgCrypt.dll
2010-08-17 00:12 . 2010-08-17 00:12 139264 ----a-w- c:\windows\system32\DartCertificate.dll
2010-08-17 00:12 . 2010-08-17 00:12 147456 ----a-w- c:\windows\system32\DartSecure2.dll
2010-08-17 00:12 . 2010-08-17 00:11 212992 ----a-w- c:\windows\system32\DartSock.dll
2010-08-16 18:20 . 2010-08-30 22:12 3199328 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\WRInstall.exe
2010-08-16 18:18 . 2010-08-30 22:10 385928 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\54E229FA\DE0A17F3\WRInstallProgressHelper.dll
2010-08-16 18:18 . 2010-08-30 22:10 433072 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\FA6F4296\DE0A17F3\WRSvcAssist.exe
2010-08-16 18:17 . 2010-08-30 22:10 1266336 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\B2785152\DE0A17F3\WRTray.exe
2010-08-16 18:15 . 2010-08-30 22:10 50984 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\C3BEFA\DE0A17F3\WRConsumerServicePS.dll
2010-08-16 18:13 . 2010-08-30 22:10 3035616 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\E3131F5C\DE0A17F3\WRConsumerService.exe
2010-08-16 18:07 . 2010-08-30 22:10 121856 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\EA369C90\DE0A17F3\xmllite.dll
2010-07-17 08:00 . 2010-07-10 23:14 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-06 21:13 . 2010-05-22 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-06 21:13 . 2010-05-22 17:19 -------- d-----w- c:\program files\Common Files\Apple
2010-06-30 12:31 . 2008-04-15 03:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2010-08-30 04:59 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-08-30 04:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-08-30 05:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-08-30 05:00 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-08-30 05:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-08-30 05:00 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-08-30 05:00 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-08-30 05:00 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-08-30 05:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-24 12:22 . 2007-08-14 01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-15 03:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-15 03:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 17:49 . 2010-08-30 22:18 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2010-06-17 17:49 . 2010-08-30 22:18 182056 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2010-06-17 17:49 . 2010-08-30 22:18 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2010-06-17 14:03 . 2008-04-15 03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-15 03:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-15 03:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-08-27 19:44 . 2010-08-27 19:44 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2010-08-16 1266336]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ontrack\\PowerDesk\\PDExplo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ontrack\\PowerDesk\\PDWIZARD.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowRedirect"= 1 (0x1)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/17/2010 9:30 PM 28552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/30/2010 2:00 AM 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 3:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 3:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/30/2010 2:00 AM 17744]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [8/30/2010 7:18 PM 45072]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/16/2010 3:13 PM 3035616]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 1:01 PM 254976]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 2:26 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/20/2009 3:30 PM 30192]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/20/2009 3:34 PM 96856]
.
Contents of the 'Scheduled Tasks' folder
2010-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]
2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]
2010-09-04 c:\windows\Tasks\User_Feed_Synchronization-{479C7E99-7F92-404A-A968-D4AB250DDB21}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Gladimir\Application Data\Mozilla\Firefox\Profiles\fedsd5fu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=wbst&q=
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-09-04 07:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\docume~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2010-09-04 08:07:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-04 11:07
ComboFix2.txt 2010-09-03 05:28
Pre-Run: 136,135,667,712 bytes free
Post-Run: 136,135,733,248 bytes free
- - End Of File - - 05C16ABB34E21D9070BFD6330EA3CC9A
Here is the RootRepeal log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/04 17:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xA8F7C000 Size: 31744 File Visible: No Signed: -
Status: -
Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF7587000 Size: 60416 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA981E000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A23000 Size: 8192 File Visible: No Signed: -
Status: -
Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xA7CF5000 Size: 143744 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF79ED000 Size: 8192 File Visible: No Signed: -
Status: -
Name: mbr.sys
Image Path: C:\DOCUME~1\Gladimir\LOCALS~1\Temp\mbr.sys
Address: 0xF785F000 Size: 20864 File Visible: No Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF726C000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7A69000 Size: 7872 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7DE9000 Size: 49152 File Visible: No Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA9A29000 Size: 361600 File Visible: - Signed: -
Status: Hidden from the Windows API!
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86bd1eb8
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dcd2
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987db8e
#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x86bbf290
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x86bbf218
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86b5c240
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987e142
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987e06c
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987d764
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dc68
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987d6a4
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987d708
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dd88
#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x86bd1f30
#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x86bd1dc8
#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987e210
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dd48
#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86bd1020
#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x86ba3200
#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86bc4250
#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86b5c150
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dec8
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86b5c2b8
#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86bd1fa8
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86bc42c8
#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86b5c1c8
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86bd1e40
Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x85c4ab70 Size: 1169
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85c4b150 Size: 2695
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x85c3fce0 Size: 111
Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x85df2448 Size: 1371
Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x86883680 Size: 2433
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85fe54a0 Size: 2912
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86883ce8 Size: 793
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x85c497d0 Size: 1459
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x86aa18a0 Size: 1888
Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86aa1a60 Size: 1440
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86aa5678 Size: 306
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85c4c3a8 Size: 3161
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x869e4238 Size: 196
Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8629b5b8 Size: 2632
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86a8ece0 Size: 800
Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85c40410 Size: 1789
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85c3a188 Size: 195
Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8607f418 Size: 3049
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x85c3f428 Size: 279
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85c478a8 Size: 382
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86aa03b8 Size: 3145
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86aa0340 Size: 3265
Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x85c2a8c0 Size: 455
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85c2a848 Size: 575
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85c2a7d0 Size: 695
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85c2a758 Size: 815
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85c2a6e0 Size: 935
Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x85c2a668 Size: 1055
Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x84550d58
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86ae7530
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x86a79e28
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x84af1630
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x86acef10
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x84a89fa8
#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x85bb8678
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x84a98830
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x84a2eef0
==EOF==
I disabled the real-time antivirus/antispyware engine and I also disabled the firewall as you instructed, and now the Avast engine and firewall are back on after the scans.
I did everything as you told me.
Just in case, I took a look at those registry keys that were locked, and they are still locked. There is still no access to them. But other than looking at that, I haven't done anything else to the PC except what you told me.