Thanks very much for helping! I followed your directions and here are the results:
ComboFix log follows:ComboFix 09-02-10.03 - Eric 2009-02-11 7:39:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.742 [GMT -6:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_004841_.tmp.dll
c:\windows\system32\_004842_.tmp.dll
c:\windows\system32\_004843_.tmp.dll
c:\windows\system32\_004844_.tmp.dll
c:\windows\system32\_004851_.tmp.dll
c:\windows\system32\_004852_.tmp.dll
c:\windows\system32\_004853_.tmp.dll
c:\windows\system32\_004854_.tmp.dll
c:\windows\system32\_004855_.tmp.dll
c:\windows\system32\_004856_.tmp.dll
c:\windows\system32\_004857_.tmp.dll
c:\windows\system32\_004858_.tmp.dll
c:\windows\system32\_004859_.tmp.dll
c:\windows\system32\_004860_.tmp.dll
c:\windows\system32\_004861_.tmp.dll
c:\windows\system32\_004862_.tmp.dll
c:\windows\system32\_004863_.tmp.dll
c:\windows\system32\_004864_.tmp.dll
c:\windows\system32\_004866_.tmp.dll
c:\windows\system32\_004867_.tmp.dll
c:\windows\system32\_004868_.tmp.dll
c:\windows\system32\_004869_.tmp.dll
c:\windows\system32\_004870_.tmp.dll
c:\windows\system32\_004872_.tmp.dll
c:\windows\system32\_004873_.tmp.dll
c:\windows\system32\_004874_.tmp.dll
c:\windows\system32\_004875_.tmp.dll
c:\windows\system32\_004877_.tmp.dll
c:\windows\system32\_004879_.tmp.dll
c:\windows\system32\_004880_.tmp.dll
c:\windows\system32\_004881_.tmp.dll
c:\windows\system32\_004882_.tmp.dll
c:\windows\system32\_004883_.tmp.dll
c:\windows\system32\_004884_.tmp.dll
c:\windows\system32\_004885_.tmp.dll
c:\windows\system32\_004886_.tmp.dll
c:\windows\system32\_004887_.tmp.dll
c:\windows\system32\_004888_.tmp.dll
c:\windows\system32\_004889_.tmp.dll
c:\windows\system32\_004890_.tmp.dll
c:\windows\system32\_004891_.tmp.dll
c:\windows\system32\_004892_.tmp.dll
c:\windows\system32\_004894_.tmp.dll
c:\windows\system32\_004895_.tmp.dll
c:\windows\system32\_004897_.tmp.dll
c:\windows\system32\_004899_.tmp.dll
c:\windows\system32\_004900_.tmp.dll
c:\windows\system32\_004901_.tmp.dll
c:\windows\system32\_004902_.tmp.dll
c:\windows\system32\_004904_.tmp.dll
c:\windows\system32\_004905_.tmp.dll
c:\windows\system32\_004906_.tmp.dll
c:\windows\system32\_004908_.tmp.dll
c:\windows\system32\_004909_.tmp.dll
c:\windows\system32\_004910_.tmp.dll
c:\windows\system32\_004911_.tmp.dll
c:\windows\system32\_004912_.tmp.dll
c:\windows\system32\_004913_.tmp.dll
c:\windows\system32\_004915_.tmp.dll
c:\windows\system32\_004916_.tmp.dll
c:\windows\system32\_004917_.tmp.dll
c:\windows\system32\_004918_.tmp.dll
c:\windows\system32\_004919_.tmp.dll
c:\windows\system32\_004921_.tmp.dll
c:\windows\system32\_004922_.tmp.dll
c:\windows\system32\_004924_.tmp.dll
c:\windows\system32\_004925_.tmp.dll
c:\windows\system32\_004926_.tmp.dll
c:\windows\system32\_004927_.tmp.dll
c:\windows\system32\_004928_.tmp.dll
c:\windows\system32\_004929_.tmp.dll
c:\windows\system32\_004930_.tmp.dll
c:\windows\system32\_004931_.tmp.dll
c:\windows\system32\_004932_.tmp.dll
c:\windows\system32\_004933_.tmp.dll
c:\windows\system32\_004934_.tmp.dll
c:\windows\system32\_004937_.tmp.dll
c:\windows\system32\_004939_.tmp.dll
c:\windows\system32\_004941_.tmp.dll
c:\windows\system32\_004942_.tmp.dll
c:\windows\system32\_004943_.tmp.dll
c:\windows\system32\_004946_.tmp.dll
c:\windows\system32\_004947_.tmp.dll
c:\windows\system32\_004952_.tmp.dll
c:\windows\system32\_004954_.tmp.dll
c:\windows\system32\_004957_.tmp.dll
c:\windows\system32\_004961_.tmp.dll
c:\windows\system32\_004962_.tmp.dll
c:\windows\system32\_004966_.tmp.dll
c:\windows\system32\_004967_.tmp.dll
c:\windows\system32\_004968_.tmp.dll
c:\windows\system32\_004969_.tmp.dll
c:\windows\system32\_004974_.tmp.dll
c:\windows\system32\_004976_.tmp.dll
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\UAChlapuakg.log
c:\windows\system32\UACinit.dll
c:\windows\system32\UACqaqbjwap.dll
c:\windows\system32\UACtoqbppqp.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.
2009-02-10 19:47 . 2009-02-10 19:47 <DIR> d-------- c:\program files\ERUNT
2009-02-09 22:22 . 2009-02-09 22:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-09 22:22 . 2009-02-09 23:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-09 22:02 . 2009-02-09 22:17 <DIR> d-------- C:\RootkitNO
2009-02-09 21:00 . 2009-02-09 21:00 (2) -rahs-ot- c:\windows\winstart.bat
2009-02-09 20:58 . 2009-02-09 21:00 <DIR> d-------- c:\program files\UnHackMe
2009-02-09 20:58 . 2008-12-22 15:56 12,752 --a------ c:\windows\system32\drivers\UnHackMeDrv.sys
2009-02-09 18:47 . 2009-02-09 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-09 07:09 . 2009-02-09 07:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-08 20:36 . 2009-02-08 20:36 <DIR> d-------- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-02-08 20:18 . 2009-02-08 20:29 <DIR> d-------- c:\program files\MBAM
2009-02-08 20:18 . 2009-02-08 20:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-08 20:18 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 20:18 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-08 20:06 . 2009-02-08 20:25 <DIR> d-------- c:\program files\SAS
2009-02-08 20:06 . 2009-02-08 20:06 <DIR> d-------- c:\documents and settings\Eric\Application Data\SUPERAntiSpyware.com
2009-02-08 15:33 . 2009-02-08 15:33 <DIR> d-------- c:\windows\system32\syncdb
2009-02-08 15:26 . 2000-03-09 14:55 610,304 --a------ c:\windows\uninstall-temp.exe
2009-01-31 11:51 . 2009-01-31 11:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\espionServerData
2009-01-31 11:38 . 2009-01-31 11:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-31 10:28 . 2009-01-31 10:43 <DIR> d-------- c:\documents and settings\Eric\Application Data\Download Manager
2009-01-18 23:17 . 2009-01-18 23:17 51 --a------ c:\windows\pccillin.ini
2009-01-11 17:10 . 2009-01-11 17:10 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-11 17:01 . 2009-01-11 17:01 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-11 16:55 . 2009-01-13 17:34 <DIR> d-------- c:\program files\McAfee
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 01:50 --------- d-----w c:\program files\Trend Micro
2009-02-09 02:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-09 02:05 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-09 01:58 --------- d-----w c:\program files\SpywareBlaster
2009-02-09 01:47 --------- d-----w c:\program files\Common Files\Adobe
2009-02-08 21:30 --------- d-----w c:\program files\Java
2009-02-08 21:28 --------- d-----w c:\program files\TaxCut05
2009-02-08 21:27 --------- d-----w c:\program files\Webshots
2009-02-08 21:24 --------- d-----w c:\program files\TaxCut04
2009-02-08 21:22 --------- d-----w c:\program files\Trillian
2009-02-08 05:46 --------- d-----w c:\program files\Finale 2007
2009-02-05 01:48 --------- d-----w c:\program files\bible
2009-01-24 17:07 --------- d-----w c:\program files\Paint Shop Pro 7
2009-01-13 01:20 --------- d-----w c:\program files\NET Bible First Edition
2009-01-11 23:06 --------- d-----w c:\documents and settings\Eric\Application Data\SiteAdvisor
2009-01-11 23:01 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-20 18:11 30,662 ----a-w c:\windows\system32\drivers\Mmc_2k.sys
2008-12-20 18:11 25,930 -c--a-w c:\windows\system32\drivers\Dvd_2k.sys
2008-12-20 18:11 241,280 ----a-w c:\windows\system32\drivers\cdudf_xp.sys
2008-12-20 18:11 206,464 ----a-w c:\windows\system32\drivers\udfreadr_xp.sys
2008-12-20 18:11 144,250 ----a-w c:\windows\system32\drivers\pwd_2K.sys
2008-12-20 18:11 --------- d-----w c:\program files\Roxio
2008-12-20 18:11 --------- d-----w c:\program files\Common Files\Adaptec Shared
2008-12-20 18:10 57,344 -c--a-w c:\windows\uneng.exe
2008-12-20 04:01 --------- d-----w c:\documents and settings\Eric\Application Data\DNA
2008-12-19 04:06 --------- d-----w c:\program files\Themes
2008-12-19 04:06 --------- d-----w c:\program files\SaucerAttack2
2008-12-19 04:06 --------- d-----w c:\program files\DOP
2008-12-19 04:06 --------- d-----w c:\program files\Centarsia
2008-12-19 04:06 --------- d-----w c:\program files\AOD
2008-12-19 04:06 --------- d-----w c:\program files\AIM
2008-12-19 03:11 --------- d-----w c:\program files\Ashampoo
2008-12-19 02:30 --------- d-----w c:\documents and settings\Eric\Application Data\Uniblue
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-01-27 17:22 218,384 -c--a-w c:\documents and settings\Eric\Application Data\GDIPFONTCACHEV1.DAT
2008-09-17 17:23 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-08-19 23:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"OE"="c:\program files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 315392]
"Google Update"="c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-12 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-01-27 45056]
"CTDVDDET"="c:\program files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2003-03-07 209800]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-17 30192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 3112960]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-02-10 4501504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-22 185896]
"CTFeatureModeUtility"="c:\program files\Creative\Feature Mode Utility\CTModUtl.exe" [2005-01-10 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}"="c:\program files\Mediafour\XPlay 3\XPlay.exe" [2008-11-18 293888]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-12-20 684032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"nwiz"="nwiz.exe" [2003-02-10 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SAS\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SAS\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\
0Partizan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SAS\SUPERAntiSpyware.exe
"UnHackMe Monitor"=c:\program files\UnHackMe\hackmon.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2008-10-24 293632]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2008-12-02 136744]
R1 SASDIFSV;SASDIFSV;c:\program files\SAS\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SAS\SASKUTIL.SYS [2009-01-15 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-11 206096]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-08-16 36368]
R3 Ich;Ich;c:\windows\system32\drivers\Ich.sys [2005-03-11 65916]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-04-09 113896]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-08-24 281600]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~2\Tmntsrv.exe [2006-08-25 503808]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2006-08-24 933949]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~2\tmproxy.exe [2006-08-24 561220]
S3 ALABULKO;OLYMPUS USB Media Adapter device driver;c:\windows\system32\drivers\ALABLK2O.SYS [2005-11-21 36862]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-05-31 16512]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [2005-01-31 159104]
S3 GoogleDesktopManager-090808-172447;Google Desktop Manager 5.8.809.8522;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2005-09-28 30192]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 SASENUM;SASENUM;c:\program files\SAS\SASENUM.SYS [2009-01-15 7408]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2007-07-07 16896]
S3 TBU11;Turtle Beach USB MIDI 1x1 Driver;c:\windows\system32\drivers\tbu11.sys [2005-04-27 13824]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6329284-6efa-11dd-9483-000c41c4b4b5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1957994488-839522115-1005.job
- c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-12 09:28]
.
- - - - ORPHANS REMOVED - - - -
ShellIconOverlayIdentifiers-MacDrive Volume Icons - (no file)
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://pccreg.antivirus.com/11/PCC/110/PccReg/wcoRegister.asp?SN=PGEP-9995-4780-3309-0255&GUID=040606030605070707030700030236&VID=&PID=CIB0
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\ntp4qhyp.default\
FF - prefs.js: browser.startup.homepage - hxxp://127.0.0.1:4664/&s=fpv1AKu7jux0FvVz70rm321MmKY&q=
FF - component: c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\ntp4qhyp.default\extensions\
[email protected]\components\KeyScramblerIE.dll
FF - component: c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\ntp4qhyp.default\extensions\
[email protected]\components\coolirisstub.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Eric\Application Data\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npietab.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - true
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-02-11 07:49:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-842925246-1957994488-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*#*3*`%\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1160)
c:\program files\SAS\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-11 7:59:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-11 13:59:37
Pre-Run: 6,216,396,800 bytes free
Post-Run: 6,092,242,944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
358 --- E O F --- 2009-01-14 23:14:52
HJT log follows:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:14 PM, on 2/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\Feature Mode Utility\CTModUtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mediafour\XPlay 3\XPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\21b9c2f7b1db683e3d83bfb825d32092\update\update.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccmain.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Documents and Settings\Eric\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\Documents and Settings\Eric\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft....k/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://pccreg.antivi...c...D=&PID=CIB0R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTFeatureModeUtility] C:\Program Files\Creative\Feature Mode Utility\CTModUtl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}] "C:\Program Files\Mediafour\XPlay 3\XPlay.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) -
http://pccheckup.del...ll/gtdownde.cabO18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: Google Desktop Manager 5.8.809.8522 (GoogleDesktopManager-090808-172447) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
--
End of file - 11138 bytes