I have not changed my user name and I'm still trying to post my ComboFix log. For some reason the site is telling me that I am trying to duplicate a post, so I'm going to wait 5 minutes and try to repost the CF log.
ComboFix 10-12-11.01 - Owner 12/11/2010 12:21:29.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.298 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\completescan
c:\documents and settings\Owner\Application Data\install
c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
c:\program files\AV7
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\ps2.bat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.
2010-12-11 17:39 . 2010-12-11 17:39 -------- d-----w- C:\_OTM
2010-12-11 04:25 . 2010-12-11 09:27 150016 ----a-w- c:\documents and settings\LocalService\Application Data\wert3.exe
2010-12-11 03:15 . 2010-12-11 03:15 -------- d-----w- c:\program files\ESET
2010-12-10 16:42 . 2010-12-10 16:42 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-12-10 16:42 . 2010-12-10 16:42 -------- d-----w- c:\program files\Prevx
2010-12-10 16:41 . 2010-12-10 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-12-09 17:36 . 2010-12-09 17:36 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10
2010-12-09 17:29 . 2010-12-09 17:29 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-09 17:24 . 2010-12-11 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-09 04:56 . 2010-12-09 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-18 15:12 . 2010-11-18 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-18 15:11 . 2010-12-09 23:30 -------- d-----w- c:\program files\SUPERAntiSpyware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2009-05-19 23:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2009-05-19 23:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 17:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
.
------- Sigcheck -------
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2002-10-29 21:34 . 2001-07-07 05:56 61440 c:\hp\KBD\bak\KBD.EXE
2002-10-29 21:41 . 2005-05-05 20:02 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
2003-11-10 13:30 . 2004-12-22 22:45 71280 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2002-10-29 21:55 . 2002-02-21 03:40 143360 c:\program files\COMPAQ\Coloreal\bak\coloreal.exe
2004-08-16 19:01 . 2003-11-24 22:46 74696 c:\program files\Norton AntiVirus\AdvTools\bak\ADVCHK.EXE
2006-10-19 19:19 . 2006-10-19 19:19 282624 c:\program files\QuickTime\bak\qttask.exe
2009-01-05 21:18 . 2009-01-05 21:18 413696 c:\program files\QuickTime\QTTask.exe
2004-10-05 23:02 . 2004-10-05 23:02 1051648 c:\program files\Spyware Killer Pro\SpyWare Monitor\bak\SKMonitor.exe
2002-10-29 21:16 . 1998-05-08 00:04 52736 c:\windows\system\bak\hpsysdrv.exe
2002-10-29 21:20 . 2002-09-09 15:05 114688 c:\windows\system32\bak\hkcmd.exe
2002-10-29 21:20 . 2005-10-19 13:59 126976 c:\windows\system32\hkcmd.exe
2002-10-29 21:20 . 2002-09-09 15:18 155648 c:\windows\system32\bak\igfxtray.exe
2002-10-29 21:20 . 2005-10-19 13:59 155648 c:\windows\system32\igfxtray.exe
2002-10-29 21:34 . 2002-08-01 04:28 81920 c:\windows\system32\bak\ps2.exe
2009-05-19 22:39 . 2002-08-01 04:28 81920 c:\windows\system32\ps2.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-5-13 114688]
Directrec Configuration Tool.lnk - c:\program files\Olympus\DSSPlayer\DirectrecConfig.exe [2008-5-13 122880]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:31 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-08-01 04:28 81920 ----a-w- c:\windows\system32\ps2.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\MMS\\farah\\mms.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\msCMTSrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-avgrsstarter - avgrsstx.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-12-11 12:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
http://www.gmer.net
Windows 5.1.2600 Disk: ST3160815A rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83352555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x833587b0]; MOV EAX, [0x8335882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x833E6030]
3 CLASSPNP[0xF884CFD7] -> nt!IofCallDriver[0x804E37D5] -> [0x833D7C60]
\Driver\atapi[0x833CDF38] -> IRP_MJ_CREATE -> 0x83352555
kernel: MBR read successfully
_asm { XOR SI, SI; MOV DI, SI; MOV SS, SI; MOV SP, 0x7a00; MOV AX, 0x7c0; MOV BX, 0x7a0; MOV CX, 0x200; MOV DS, AX; MOV ES, BX; CLD ; REP MOVSB ; MOV DS, BX; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160815A______________________________3.AAD___#5&38fba5ac&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8335239B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-390556010-2503923306-3750189400-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3124)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-11 12:40:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-11 18:40
Pre-Run: 148,914,925,568 bytes free
Post-Run: 148,834,017,280 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
- - End Of File - - 15F8ADA60F161D285E0B5938EE5E23CC
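The log above mixes several record formats (the "Other Deletions" paths, the dated "Files Created" rows, the Sigcheck lines and the `... is missing !!` marker). The script below is an added example for this thread, not part of the original post and not ComboFix code: it splits a ComboFix log into its sections, parses those three record types, and applies a few triage rules (counting removed `At<N>.job` tasks, flagging executables created under a profile's Application Data folder, and pairing a "missing" protected file with its dllcache copy). `SAMPLE_LOG` is excerpted from the log posted above; the section grammar, the regular expressions and the triage rules are this example's own assumptions, and the rules surface context for a helper to judge rather than verdicts.

```python
"""Section-aware triage of a ComboFix log.

Added example for this thread, not part of the original post or of ComboFix.
SAMPLE_LOG is excerpted from the log above; the section splitter, the line
grammars and the triage rules are assumptions made for this example.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\completescan
c:\program files\AV7
c:\windows\system32\ps2.bat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At2.job
.
((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.
2010-12-11 17:39 . 2010-12-11 17:39 -------- d-----w- C:\_OTM
2010-12-11 04:25 . 2010-12-11 09:27 150016 ----a-w- c:\documents and settings\LocalService\Application Data\wert3.exe
2010-12-10 16:42 . 2010-12-10 16:42 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
.
------- Sigcheck -------
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
c:\windows\System32\spoolsv.exe ... is missing !!
.
"""

# Section headers look like "(((( Name ))))" or "------- Name -------".
HEADER_RE = re.compile(r"^(?:\(+\s*(.+?)\s*\)+|-+\s*(.+?)\s*-+)$")
# One Sigcheck record: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-F]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>.+)$")
MISSING_RE = re.compile(r"^(?P<path>.+?) \.\.\. is missing !!$")
# "Files Created" record: created . modified size attrs path (size is dashes for dirs)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$")
AT_JOB_RE = re.compile(r"^c:\\windows\\tasks\\at\d+\.job$", re.IGNORECASE)
APPDATA_EXE_RE = re.compile(r"\\application data\\.*\.exe$", re.IGNORECASE)


def split_sections(text):
    """Map each section name to its body lines, dropping the '.' spacer lines."""
    sections, current = defaultdict(list), "preamble"
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
        elif line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def parse_sigcheck(lines):
    """Return (records, missing_paths) parsed from the Sigcheck section."""
    records, missing = [], []
    for line in lines:
        m = SIGCHECK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group("path"))
    return records, missing


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Apply the example's triage rules and return findings as plain data."""
    sections = split_sections(text)
    findings = {}

    # Rule 1: how many At<N>.job scheduled tasks ComboFix removed.
    deletions = sections.get("Other Deletions", [])
    findings["at_jobs_removed"] = sum(1 for p in deletions if AT_JOB_RE.match(p))

    # Rule 2 (heuristic): executables created inside a profile's Application Data.
    created_key = next((k for k in sections if k.startswith("Files Created")), None)
    findings["appdata_executables"] = [
        m.group("path")
        for m in (FILE_RE.match(line) for line in sections.get(created_key, []))
        if m and APPDATA_EXE_RE.search(m.group("path"))
    ]

    # Rule 3: a file reported missing while a dllcache copy of it is still listed.
    records, missing = parse_sigcheck(sections.get("Sigcheck", []))
    findings["missing_protected"] = [
        (path, rec["md5"])
        for path in missing
        for rec in records
        if basename(rec["path"]) == basename(path) and "\\dllcache\\" in rec["path"].lower()
    ]

    # Context only: distinct hashes per (file, version). Two hashes for one version
    # is not a verdict by itself; hotfix branches (e.g. SP3QFE vs. dllcache) differ.
    versions = defaultdict(lambda: defaultdict(set))
    for rec in records:
        versions[basename(rec["path"])][rec["version"]].add(rec["md5"])
    findings["sigcheck_versions"] = {
        name: {ver: len(hashes) for ver, hashes in vers.items()} for name, vers in versions.items()
    }
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log rather than the excerpt, Rule 1 reports all 48 removed `At*.job` tasks and Rule 3 pairs the missing `c:\windows\System32\spoolsv.exe` with the dllcache copy's hash, which is the comparison a helper would make before deciding whether to restore the file from dllcache.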