Forgot to mention - it was either yesterday or day before yesterday (before I was able to run combofix etc) - AVG detected something called Win32/Patched.DX. Not sure whether that is of any relevance or not.
Latest log:
ComboFix 10-09-07.03 - Compaq_Administrator 08/09/2010 19:25:09.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1504 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\alice.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.
2010-09-08 15:56 . 2010-09-08 15:57 -------- d-----w- C:\alice1726a
2010-09-07 22:13 . 2010-09-07 22:52 -------- d-----w- C:\alice24893a
2010-09-07 18:17 . 2010-09-07 18:30 -------- d-----w- C:\alice30290a
2010-09-07 18:13 . 2010-09-07 18:15 -------- d-----w- C:\alice7446a
2010-09-06 22:01 . 2010-09-06 22:15 -------- d-----w- C:\alice
2010-09-03 08:46 . 2010-09-03 08:46 -------- d-----w- c:\program files\ESET
2010-09-01 20:18 . 2010-09-01 20:18 -------- d-----w- c:\program files\Trend Micro
2010-09-01 07:02 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 07:02 . 2010-09-02 21:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 07:02 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 19:47 . 2010-08-31 19:47 503808 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\msvcp71.dll
2010-08-31 19:47 . 2010-08-31 19:47 499712 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\jmc.dll
2010-08-31 19:47 . 2010-08-31 19:47 348160 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\msvcr71.dll
2010-08-31 19:47 . 2010-08-31 19:47 61440 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4395f031-n\decora-sse.dll
2010-08-31 19:47 . 2010-08-31 19:47 12800 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4395f031-n\decora-d3d.dll
2010-08-31 19:47 . 2010-08-31 19:47 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-31 19:47 . 2010-08-31 19:47 -------- d-----w- c:\program files\Java
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 07:38 . 2009-02-01 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-04 17:14 . 2010-04-27 22:47 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Skype
2010-09-04 17:14 . 2009-08-25 20:11 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\skypePM
2010-08-31 19:47 . 2006-09-08 01:19 -------- d-----w- c:\program files\Common Files\Java
2010-07-15 22:48 . 2010-07-15 22:48 143120 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-15 16:45 . 2010-07-15 16:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GARMIN
2010-07-07 08:13 . 2006-11-21 20:26 61448 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2004-08-09 21:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2009-07-10 22:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-09 21:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 11:15 . 2010-05-06 12:55 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 11:15 . 2010-06-22 11:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 11:15 . 2010-05-06 12:55 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-06-22 11:15 . 2010-05-06 12:55 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-21 15:27 . 2004-08-09 21:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-09 21:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-09 21:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-09 21:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2006-12-19 10:50 . 2006-12-19 10:50 22 -csha-w- c:\windows\SMINST\HPCD.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\alice ----
2010-09-06 22:07 . 2010-09-06 22:07 533 ----a-w- c:\alice\mbr.txt
2010-09-06 22:01 . 2010-09-06 22:01 389120 ----a-r- c:\alice\CF9485.cfxxe
2010-09-06 22:01 . 2009-10-25 05:11 77312 ----a-r- c:\alice\mbr.cfxxe
((((((((((((((((((((((((((((( SnapShot@2010-09-07_18.29.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-08 18:15 . 2010-09-08 18:15 16384 c:\windows\temp\Perflib_Perfdata_9f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-20 7622656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-22 11:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 06:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [06/05/2010 13:55 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [06/05/2010 13:55 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [06/05/2010 13:55 216400]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [06/05/2010 13:55 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 08:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 08:56 74480]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [22/06/2010 12:15 308136]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [22/06/2010 12:15 2331032]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 16:42 156968]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [06/05/2010 13:54 30104]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/12/2009 22:51 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [06/05/2010 13:54 30104]
S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [22/06/2010 12:15 5897808]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [06/05/2010 13:55 122448]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [06/05/2010 13:55 30288]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [06/05/2010 13:55 26192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 08:56 7408]
.
Contents of the 'Scheduled Tasks' folder
2007-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]
2010-09-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-01 17:57]
2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]
2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} - hxxp://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-09-08 19:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-08 19:30:37
ComboFix-quarantined-files.txt 2010-09-08 18:30
ComboFix2.txt 2010-09-08 16:09
ComboFix3.txt 2010-09-07 18:30
ComboFix4.txt 2010-09-06 22:08
Pre-Run: 194,692,345,856 bytes free
Post-Run: 194,718,879,744 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - BE2BC8DCB9F33C57B4001253E9E88AB6