OK,
I did what was requested, and here is the ComboFix log.
ComboFix 10-11-14.01 - Rudy 11/14/2010 16:35:37.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1243 [GMT -6:00]
Running from: c:\documents and settings\Rudy\desktop\commy.exe
Command switches used :: /stepdel
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\arp.exe
.
((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.
2010-11-13 22:53 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-13 22:52 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8A57CA1B-6867-4854-B1D9-C191F7A022F9}\mpengine.dll
2010-11-13 16:35 . 2010-11-13 16:35 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-13 16:35 . 2010-11-13 16:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-11 14:46 . 2010-11-11 14:46 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\PCHealth
2010-11-11 14:46 . 2010-11-11 14:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-11-11 14:45 . 2010-11-11 14:46 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-06 19:13 . 2010-11-06 19:13 388096 ----a-r- c:\documents and settings\Rudy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-06 19:13 . 2010-11-06 19:13 -------- d-----w- c:\program files\Trend Micro
2010-11-05 19:37 . 2010-11-05 19:37 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-11-05 19:35 . 2010-11-05 19:35 -------- d-----w- c:\windows\ERUNT
2010-11-05 01:59 . 2010-11-05 01:59 -------- d-----w- c:\program files\Resource Kit
2010-11-03 20:03 . 2010-11-03 20:03 -------- d--h--w- c:\windows\PIF
2010-11-02 19:59 . 2010-11-02 19:59 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2010-11-02 19:13 . 2010-11-03 19:51 -------- d-----w- C:\ERDNT
2010-11-01 17:14 . 2010-11-01 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-30 22:09 . 2010-10-30 22:09 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-29 23:17 . 2010-11-03 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-13 16:35 . 2009-03-31 21:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 23:52 . 2010-08-12 02:32 524252 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-10-19 16:41 . 2010-01-02 21:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 17:23 . 2004-08-10 18:51 974848 ---ha-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 18:51 974848 ---ha-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 18:51 954368 ---ha-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 18:51 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16 . 2004-08-10 18:51 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16 . 2004-08-10 18:51 61952 ---ha-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16 . 2009-08-28 15:27 81920 ---ha-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49 . 2004-08-10 18:51 369664 ---ha-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2004-08-10 18:50 285824 ---ha-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 18:51 1852800 ---ha-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-10 18:51 119808 ---ha-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-10 18:51 99840 ---ha-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-10 18:51 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-07-25 14:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-10 18:50 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-01-29 1095872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"DisableMyPicturesDirChange"= 0 (0x0)
"DisableMyMusicDirChange"= 0 (0x0)
"DisableFavoritesDirChange"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoStrCmpLogical"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PiggyBob™.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Rudy^Start Menu^Programs^Startup^Seagate 2GHL5EN4 Product Registration.lnk]
path=c:\documents and settings\Rudy\Start Menu\Programs\Startup\Seagate 2GHL5EN4 Product Registration.lnk
backup=c:\windows\pss\Seagate 2GHL5EN4 Product Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBoostrCP]
2009-11-12 18:28 1587840 ----a-w- c:\program files\eBoostr\eBoostrCP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 03:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemBoosterXP]
2006-03-21 17:57 577536 ------w- c:\program files\DiskTrix\SystemBooster2\SystemBooster.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\eBoost.sys [11/12/2009 12:28 PM 144984]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R1 TSKNF900.SYS;TSKNF900.SYS;c:\windows\system32\drivers\Tsknf900.sys [10/26/2009 10:43 AM 17672]
R2 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [11/12/2009 12:28 PM 645248]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 12:15 PM 12872]
--- Other Services/Drivers In Memory ---
*Deregistered* - IPVNMon
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-10-18 c:\windows\Tasks\DefragExpress.job
- c:\program files\DiskTrix\DefragExpress\DefragExpress.exe [2009-03-29 14:40]
2010-11-14 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-07-11 16:14]
2010-11-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydial/*http://www.yahoo.com/search/ie.html
mWindow Title = Microsoft Internet Explorer
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
IE: E&xport to Microsoft Excel
IE: Yahoo! Dictionary
IE: Yahoo! Search
FF - ProfilePath - c:\documents and settings\Rudy\Application Data\Mozilla\Firefox\Profiles\18f9hcsv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-UBCD4Win_is1 - c:\ubcd4win\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-11-14 16:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_ContactOnline]
@DACL=(02 0000)
@SACL=
[HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_ContactOnline\.Default]
@DACL=(02 0000)
@=""
[HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewAlert]
@DACL=(02 0000)
@SACL=
[HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewAlert\.Default]
@DACL=(02 0000)
@=""
[HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMail]
@DACL=(02 0000)
@SACL=
[HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMail\.Default]
@DACL=(02 0000)
@=""
[HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMessage]
@DACL=(02 0000)
@SACL=
[HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMessage\.Default]
@DACL=(02 0000)
@=""
[HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\DB2]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\DBASE]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\FOXPRO]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\INFORMIX]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\INTRBASE]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\MSACCESS]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\MSSQL]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\ORACLE]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\PARADOX]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\SYBASE]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\SYSTEM\FORMATS]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\SYSTEM\INIT]
@DACL=(02 0000)
"VERSION"="4.0"
"LOCAL SHARE"="FALSE"
"MINBUFSIZE"="128"
"MAXBUFSIZE"="2048"
"LANGDRIVER"="DBWINUS0"
"MAXFILEHANDLES"="128"
"SYSFLAGS"="0"
"LOW MEMORY USAGE LIMIT"="32"
"AUTO ODBC"="FALSE"
"DEFAULT DRIVER"="PARADOX"
"SQLQRYMODE"=""
"MEMSIZE"="16"
"SHAREDMEMSIZE"="8192"
"SHAREDMEMLOCATION"=""
"DATA REPOSITORY"=""
"MTS POOLING"="FALSE"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(376)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-11-14 16:43:18
ComboFix-quarantined-files.txt 2010-11-14 22:43
ComboFix2.txt 2010-11-13 00:53
Pre-Run: 8,281,456,640 bytes free
Post-Run: 8,266,915,840 bytes free
- - End Of File - - 76F312E577625C00229986A33FF2901B