Here is the first log:
ComboFix 12-04-09.07 - admin-su 11/04/2012 9:54.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.176 [GMT 10:00]
Running from: c:\documents and settings\admin-su\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin-su\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\WindowsUpdate.log . . . . Failed to delete
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\ksuser.dll --> c:\windows\System32\ksuser.dll
.
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
.
.
2012-04-10 23:54 . 2008-04-13 19:41 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2012-04-10 23:54 . 2008-04-13 19:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2012-04-10 07:23 . 2012-04-10 07:23 -------- d-----w- C:\_OTL
2012-04-06 04:46 . 2012-04-06 04:53 -------- d-----w- c:\documents and settings\serf.SERVER
2012-04-06 03:37 . 2012-04-06 03:37 -------- d-----w- c:\program files\SumatraPDF
2012-04-05 22:27 . 2012-04-06 03:37 -------- d-----w- c:\windows\system32\NtmsData
2012-04-05 14:28 . 2012-04-05 04:59 -------- d-----w- c:\windows\tmp
2012-04-05 04:40 . 2012-04-05 04:40 -------- d-----w- c:\documents and settings\Administrator
2012-03-28 20:45 . 2012-03-28 20:45 -------- d-----w- c:\documents and settings\serf\Local Settings\Application Data\Help
2012-03-28 20:38 . 2012-04-06 03:36 -------- d-----w- c:\program files\Support Tools
2012-03-25 07:36 . 2012-03-25 07:36 -------- d-----w- c:\documents and settings\serf\Application Data\SumatraPDF
2012-03-25 05:44 . 2012-03-25 05:44 -------- d-----w- c:\documents and settings\admin-su\Application Data\SumatraPDF
2012-03-16 07:06 . 2012-03-16 07:55 -------- d-----w- c:\documents and settings\serf\Local Settings\Application Data\Google
2012-03-16 06:59 . 2012-03-16 06:59 -------- d-sh--w- c:\documents and settings\serf\PrivacIE
2012-03-14 21:30 . 2012-03-14 21:30 -------- d-----w- c:\documents and settings\serf\Application Data\Avira
2012-03-12 21:26 . 2012-03-12 21:27 -------- d-----w- c:\windows\ie8updates
2012-03-12 21:25 . 2011-12-17 19:46 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-03-12 21:25 . 2011-12-17 19:46 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-03-12 21:25 . 2011-12-17 19:46 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-03-12 21:25 . 2011-12-17 19:46 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-03-12 21:25 . 2011-12-17 19:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-03-12 21:25 . 2011-12-17 19:46 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-10 05:11 . 2012-03-10 02:55 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-03 09:22 . 2003-03-31 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2012-03-10 110592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-05 258512]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-17 1043968]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [13/02/2003 1:10 AM 61408]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/03/2012 12:55 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/03/2012 12:55 PM 86224]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004Core.job
- c:\documents and settings\admin-su\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 09:30]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004UA.job
- c:\documents and settings\admin-su\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 09:30]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005Core.job
- c:\documents and settings\serf\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-16 07:06]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005UA.job
- c:\documents and settings\serf\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-16 07:06]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-04-11 10:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-11 10:08:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-11 00:08
ComboFix2.txt 2012-04-10 08:01
.
Pre-Run: 56,711,553,024 bytes free
Post-Run: 56,678,334,464 bytes free
.
- - End Of File - - 83CE88315D83E726D43554BB4E410468