Finally , Here is the RePort
ComboFix 10-08-16.03 - Eduardo 08/17/2010 1:22.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2260 [GMT -4:00]
Running from: c:\documents and settings\Eduardo\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Eduardo\.exe
c:\windows\TEMP\explorer.dat
C:\winlogon.exe
c:\windows\system32\winlogon.exe . . . is infected!!
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.
2010-08-17 04:14 . 2010-08-17 04:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-15 14:37 . 2010-08-15 23:23 -------- d-----w- c:\windows\system32\NtmsData
2010-08-15 14:36 . 2010-08-15 14:36 -------- d-----w- c:\documents and settings\Eduardo\Application Data\Avira
2010-08-15 14:33 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-15 14:33 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-15 14:33 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-15 14:33 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\program files\Avira
2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-15 14:27 . 2010-08-15 14:27 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 14:27 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 04:47 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-08-15 04:47 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-08-15 04:47 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-08-15 04:47 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-08-15 04:47 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 13:03 . 2009-04-20 18:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-16 03:31 . 2009-03-08 16:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-15 14:27 . 2010-08-15 14:27 503808 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36f87ce3-n\msvcp71.dll
2010-08-15 14:27 . 2010-08-15 14:27 499712 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36f87ce3-n\jmc.dll
2010-08-15 14:27 . 2010-08-15 14:27 348160 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36f87ce3-n\msvcr71.dll
2010-08-15 14:27 . 2010-08-15 14:27 61440 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6227762b-n\decora-sse.dll
2010-08-15 14:27 . 2010-08-15 14:27 12800 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6227762b-n\decora-d3d.dll
2010-08-15 14:27 . 2009-03-26 22:14 -------- d-----w- c:\program files\Java
2010-08-15 05:46 . 2009-10-26 14:17 -------- d-----w- c:\documents and settings\Eduardo\Application Data\vlc
2010-08-15 05:08 . 2009-09-16 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-14 17:12 . 2010-08-14 17:11 52224 ----a-w- c:\documents and settings\Eduardo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-14 17:12 . 2009-09-15 16:59 117760 ----a-w- c:\documents and settings\Eduardo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-12 10:04 . 2009-03-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-07 11:59 . 2010-07-09 21:04 452104 ----a-w- c:\documents and settings\Eduardo\Application Data\Real\Update\setup3.12\setup.exe
2010-08-02 23:14 . 2009-03-09 01:20 189000 ----a-w- c:\documents and settings\Eduardo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-28 16:03 . 2010-05-27 23:40 -------- d-----w- c:\program files\Facebook FriendAdder Pro
2010-07-21 12:08 . 2009-03-08 11:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 00:21 . 2010-07-10 23:55 -------- d-----w- c:\program files\Super_DVD_Creator_9.8
2010-07-02 21:03 . 2010-04-13 20:59 439816 ----a-w- c:\documents and settings\Eduardo\Application Data\Real\Update\setup3.10\setup.exe
2010-06-14 14:30 . 2009-03-08 11:12 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.
------- Sigcheck -------
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2004-12-02 . 91FDA1B9369FCA7100532DBF82E138B4 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2007-06-13 . 7EA18D33626880BD22CFEF224451871F . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-12-02 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 133576]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-12-02 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-01-20 163840]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-01-03 122940]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-21 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2009-08-23 91432]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
c:\documents and settings\Eduardo\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
WinMySQLadmin.lnk - c:\xampp\mysql\bin\winmysqladmin.exe [2007-12-20 936448]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 813584]
Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2010-5-17 888987]
Palo Alto Software Update Manager 9.0.lnk - c:\program files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe [2006-9-5 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^Eduardo^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Eduardo\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2007-06-22 12:45 133576 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-03-21 17:36 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-04-19 21:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 5.00\\Program\\Swift3D.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\IBP 10\\IBP.exe"=
"c:\\Program Files\\Adobe\\Adobe Illustrator CS4\\Support Files\\Contents\\Windows\\Illustrator.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Smith Micro\\Poser 8\\Poser.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\winsim\\ConnectionManager\\MySqlBinary\\5.0.38\\mysql\\mysqld-nt.exe"=
"c:\\Program Files\\winsim\\ConnectionManager\\SimplyConnectionManager.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/15/2010 10:33 AM 135336]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [12/9/2008 7:10 PM 24636]
R2 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [5/29/2009 10:30 PM 24576]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [8/23/2009 1:00 AM 29992]
S3 block_reader;MPR DRV;c:\documents and settings\Eduardo\Desktop\PORTABLESOFTWARE\MPR_1.1.9\Multi_Password_Recovery_1.1.9_Portable\Multi Password Recovery 1.1.9 Portable\block_reader.sys [1/10/2010 11:00 PM 1920]
S3 PD1030VID;Creative WebCam Pro;c:\windows\system32\drivers\p1030vid.sys [10/3/2009 11:31 AM 167673]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S3 Simply Accounting Transaction Manager 2010 - CDN;Simply Accounting Transaction Manager 2010 - CDN;c:\program files\winsim\TransactionManager2010 - CDN\Sage_SA.TransactionManager.exe [12/10/2009 4:00 AM 42280]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/8/2009 12:26 PM 685816]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
FF - ProfilePath - c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-08-17 01:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{9756-3768}]
"D-Code"="0000000000"
"U-Code"="Demo"
"S-Code"="0000000000"
"C-Code"="4353753922274815"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(752)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(6072)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\mshtml.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\xampp\mysql\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\SP-300MC.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2010-08-17 01:46:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 05:46
ComboFix2.txt 2010-08-17 01:26
ComboFix3.txt 2010-08-16 04:39
ComboFix4.txt 2010-08-15 13:57
ComboFix5.txt 2010-08-17 01:55
Pre-Run: 47,074,844,672 bytes free
Post-Run: 47,063,814,144 bytes free
- - End Of File - - 9B6B32A3D15017E8A27AE2837A7E84A3