I did this twice; the first time I couldn't connect to the internet for the 'recovery console' installation, so I ran it again when the connection was regained. Hope that is OK... I am posting both logs.
Without internet connection:
ComboFix 09-04-04.01 - Marta 2009-04-08 21:31:59.1 -
FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.221.59 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090407-0] *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
.
((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.
2009-04-06 19:53 . 2009-04-06 19:53 <DIR> d-------- c:\program files\Trend Micro
2009-04-01 18:59 . 2009-04-01 18:59 <DIR> d-------- c:\documents and settings\Marta\DoctorWeb
2009-03-25 21:20 . 2009-03-25 21:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-22 18:17 . 2009-03-23 21:18 3,157 ---h----- c:\windows\f5087.dat
2009-03-22 18:11 . 2009-03-22 18:11 <DIR> d-------- c:\windows\system32\887164
2009-03-22 18:11 . 2009-03-22 18:11 2 ---h----- c:\windows\t55ft2792f44.dat
2009-03-22 18:11 . 2009-03-22 18:11 1 ---h----- c:\windows\f23567.dat
2009-03-14 20:00 . 2009-03-14 20:00 <DIR> d--hs---- C:\FOUND.027
2009-03-09 20:06 . 2009-03-09 20:06 <DIR> d--hs---- C:\FOUND.026
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-17 01:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-07-29 23:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072920080730\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2005-01-28 131072]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="c:\windows\System32\sistray.EXE" [2002-05-09 303104]
"SiS KHooker"="c:\windows\System32\khooker.exe" [2002-01-25 290816]
"SiSUSBRG"="c:\windows\sisUSBrg.exe" [2002-04-25 32768]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-07-25 135168]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SoundMan"="SOUNDMAN.EXE" [2002-08-14 c:\windows\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2001-12-26 c:\windows\mHotkey.exe]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-05 53317]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-09-05 65588]
NkvMon.exe.lnk - c:\program files\Nikon\NkView5\NkvMon.exe [2003-09-06 233472]
D-Link AirPlus.lnk - c:\program files\D-Link AirPlus\AirPlus.exe [2003-12-28 262144]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-21 20560]
.
Contents of the 'Scheduled Tasks' folder
2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKLM-Run-POINTER - point32.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nypost.com/gossip/gossip.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://webmail.ontario.ca/exchweb/controls/DAX.cab
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-08 21:35:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-04-08 21:37:48
ComboFix-quarantined-files.txt 2009-04-09 01:37:44
Pre-Run: 5,465,047,040 bytes free
Post-Run: 6,401,720,320 bytes free
99 --- E O F --- 2009-03-16 01:28:51
With internet connection:
ComboFix 09-04-04.01 - Marta 2009-04-08 21:49:48.2 -
FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.221.42 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090407-0] *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.
2009-04-08 21:45 . 2006-03-02 23:42 73,728 --a------ C:\pv.exe
2009-04-06 19:53 . 2009-04-06 19:53 <DIR> d-------- c:\program files\Trend Micro
2009-04-01 18:59 . 2009-04-01 18:59 <DIR> d-------- c:\documents and settings\Marta\DoctorWeb
2009-03-25 21:20 . 2009-03-25 21:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-22 18:17 . 2009-03-23 21:18 3,157 ---h----- c:\windows\f5087.dat
2009-03-22 18:11 . 2009-03-22 18:11 <DIR> d-------- c:\windows\system32\887164
2009-03-22 18:11 . 2009-03-22 18:11 2 ---h----- c:\windows\t55ft2792f44.dat
2009-03-22 18:11 . 2009-03-22 18:11 1 ---h----- c:\windows\f23567.dat
2009-03-14 20:00 . 2009-03-14 20:00 <DIR> d--hs---- C:\FOUND.027
2009-03-09 20:06 . 2009-03-09 20:06 <DIR> d--hs---- C:\FOUND.026
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-17 01:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-07-29 23:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072920080730\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2005-01-28 131072]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="c:\windows\System32\sistray.EXE" [2002-05-09 303104]
"SiS KHooker"="c:\windows\System32\khooker.exe" [2002-01-25 290816]
"SiSUSBRG"="c:\windows\sisUSBrg.exe" [2002-04-25 32768]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-07-25 135168]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SoundMan"="SOUNDMAN.EXE" [2002-08-14 c:\windows\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2001-12-26 c:\windows\mHotkey.exe]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-05 53317]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-09-05 65588]
NkvMon.exe.lnk - c:\program files\Nikon\NkView5\NkvMon.exe [2003-09-06 233472]
D-Link AirPlus.lnk - c:\program files\D-Link AirPlus\AirPlus.exe [2003-12-28 262144]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-21 20560]
.
Contents of the 'Scheduled Tasks' folder
2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nypost.com/gossip/gossip.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://webmail.ontario.ca/exchweb/controls/DAX.cab
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-08 21:52:41
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-04-08 21:54:43
ComboFix-quarantined-files.txt 2009-04-09 01:54:40
ComboFix2.txt 2009-04-09 01:37:52
Pre-Run: 6,384,844,800 bytes free
Post-Run: 6,370,295,808 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
98 --- E O F --- 2009-03-16 01:28:51