Here you go. It did say it detected rootkit-like activity and had to reboot the system.
ComboFix 10-07-03.06 - Mitch 07/04/2010 15:42:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1540 [GMT -4:00]
Running from: c:\documents and settings\Mitch\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.
2010-07-02 23:19 . 2010-07-02 23:19 -------- d-----w- c:\program files\ATI
2010-07-02 22:42 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-02 22:42 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-02 22:42 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-02 22:42 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-02 22:42 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-02 22:42 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-02 22:42 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-02 22:41 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-02 22:41 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-02 22:41 . 2010-07-02 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-02 21:56 . 2010-07-02 21:59 -------- d-----w- c:\documents and settings\Mitch\Local Settings\Application Data\Runscanner.net
2010-07-02 21:43 . 2010-07-04 19:40 -------- d-----w- c:\windows\system32\NtmsData
2010-07-02 21:32 . 2010-07-04 19:42 -------- d-----w- c:\windows\system32\CatRoot2
2010-07-02 20:51 . 2010-07-02 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-25 00:42 . 2010-06-25 00:42 -------- d-----w- c:\program files\Sophos
2010-06-24 22:45 . 2010-06-24 22:45 -------- d-----w- c:\program files\Seagate
2010-06-24 22:43 . 2010-06-24 22:46 -------- d-----w- c:\windows\SxsCaPendDel
2010-06-24 22:42 . 2010-06-24 22:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-24 22:40 . 2010-06-24 22:41 592 ----a-w- c:\windows\chgkey.vbs
2010-06-24 22:29 . 2010-06-24 22:29 -------- d-----w- c:\documents and settings\Mitch\Application Data\Malwarebytes
2010-06-24 22:28 . 2010-06-24 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-24 22:28 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 22:28 . 2010-06-24 22:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 22:28 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-24 22:21 . 2010-07-02 23:04 -------- d-----w- c:\documents and settings\Mitch\Application Data\QuickScan
2010-06-24 21:28 . 2010-07-03 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-24 21:28 . 2010-06-24 21:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-23 13:15 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-06-23 13:15 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-06-19 11:21 . 2010-06-19 11:21 -------- d-----w- c:\documents and settings\Mitch\Application Data\ArcSoft
2010-06-10 18:37 . 2010-06-10 18:37 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-06-10 18:37 . 2008-09-23 01:18 1076 ----a-w- c:\documents and settings\HelpAssistant\XP.reg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 22:41 . 2008-09-22 23:25 -------- d-----w- c:\program files\Alwil Software
2010-07-02 21:51 . 2008-09-22 22:19 42944 ----a-w- c:\documents and settings\Mitch\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-01 01:23 . 2008-10-25 17:22 -------- d-----w- c:\program files\Lx_cats
2010-06-23 16:29 . 2009-07-29 02:02 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2010-06-23 16:18 . 2009-07-29 01:59 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-05-27 11:01 . 2010-05-27 11:01 61440 ----a-w- c:\documents and settings\Mitch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4dc00619-n\decora-sse.dll
2010-05-27 11:01 . 2010-05-27 11:01 503808 ----a-w- c:\documents and settings\Mitch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-19ddcafc-n\msvcp71.dll
2010-05-27 11:01 . 2010-05-27 11:01 499712 ----a-w- c:\documents and settings\Mitch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-19ddcafc-n\jmc.dll
2010-05-27 11:01 . 2010-05-27 11:01 348160 ----a-w- c:\documents and settings\Mitch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-19ddcafc-n\msvcr71.dll
2010-05-27 11:01 . 2010-05-27 11:01 12800 ----a-w- c:\documents and settings\Mitch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4dc00619-n\decora-d3d.dll
2010-05-14 17:23 . 2010-02-03 22:07 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-12 21:29 . 2010-05-05 11:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 16860672]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-03-25 57344]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2004-03-23 294912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"LXBTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7018:TCP"= 7018:TCP:Services
"7019:TCP"= 7019:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"5957:TCP"= 5957:TCP:Services
"5958:TCP"= 5958:TCP:Services
"7414:TCP"= 7414:TCP:Services
"4457:TCP"= 4457:TCP:Services
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/2/2010 6:42 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/2/2010 6:42 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 6:07 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
2010-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 22:07]
2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 22:07]
2010-06-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-01 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mitch\Application Data\Mozilla\Firefox\Profiles\hz8m92p6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com
FF - plugin: c:\documents and settings\Mitch\Local Settings\Application Data\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-07-04 15:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8824378A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> ntkrnlpa.exe @ 0x80586e11
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x882a9b60
PacketIndicateHandler -> NDIS.sys @ 0xb9e2aa21
SendHandler -> NDIS.sys @ 0xb9e0887b
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
"LastWPAEventLogged"=hex:d5,07,05,00,06,00,07,00,0f,00,38,00,24,00,fd,02
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(6744)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lexmark 5200 series\lxbtbmon.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-04 15:51:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-04 19:51
Pre-Run: 237,775,470,592 bytes free
Post-Run: 237,654,577,152 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
- - End Of File - - 9463A8EBF631717080E97BB8B8CBA124