This time with no script ... and it didn't need to reboot.
ComboFix 11-01-10.04 - Tim Oakley 01/10/2011 17:56:07.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.511 [GMT -7:00]
Running from: c:\documents and settings\Tim Oakley\Desktop\george.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
((((((((((((((((((((((((( Files Created from 2010-12-11 to 2011-01-11 )))))))))))))))))))))))))))))))
.
2011-01-10 05:04 . 2011-01-10 05:19 -------- d-----w- C:\george
2011-01-09 16:50 . 2011-01-09 16:50 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\QuickScan
2011-01-08 16:47 . 2011-01-08 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2011-01-08 16:47 . 2011-01-08 16:47 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\OnlineArmor
2011-01-08 16:47 . 2010-10-27 02:52 38856 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2011-01-08 16:47 . 2010-10-27 02:52 25000 ----a-w- c:\windows\system32\drivers\OAmon.sys
2011-01-08 16:47 . 2010-10-27 02:52 29272 ----a-w- c:\windows\system32\drivers\OAnet.sys
2011-01-08 16:47 . 2010-10-27 02:52 202064 ----a-w- c:\windows\system32\drivers\OADriver.sys
2011-01-08 16:46 . 2011-01-11 00:26 -------- d-----w- c:\program files\Online Armor
2011-01-06 05:39 . 2011-01-11 00:25 -------- d-----w- c:\windows\system32\CatRoot2
2011-01-06 05:35 . 2011-01-06 05:35 -------- d-----w- c:\program files\UPHClean
2011-01-06 02:12 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-06 02:12 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-06 02:12 . 2008-04-14 01:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-06 02:12 . 2001-08-18 05:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-06 02:12 . 2001-08-18 05:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-06 02:12 . 2001-08-18 05:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-06 02:12 . 2001-08-17 19:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-06 02:12 . 2004-08-04 05:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-06 02:12 . 2004-08-04 05:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-06 02:10 . 2001-08-17 19:13 16925 ----a-w- c:\windows\system32\dllcache\w940nd.sys
2011-01-06 02:09 . 2004-08-04 05:31 32384 ----a-w- c:\windows\system32\dllcache\usb101et.sys
2011-01-06 02:08 . 2001-08-17 19:12 34375 ----a-w- c:\windows\system32\dllcache\tpro4.sys
2011-01-06 02:07 . 2001-08-18 05:36 94293 ----a-w- c:\windows\system32\dllcache\sxports.dll
2011-01-06 02:06 . 2001-08-17 19:51 20752 ----a-w- c:\windows\system32\dllcache\sonync.sys
2011-01-06 02:05 . 2001-08-17 21:56 157696 ----a-w- c:\windows\system32\dllcache\sisv256.dll
2011-01-06 02:04 . 2001-08-17 20:51 16640 ----a-w- c:\windows\system32\dllcache\scmstcs.sys
2011-01-06 02:03 . 2001-08-17 19:19 30720 ----a-w- c:\windows\system32\dllcache\rthwcls.sys
2011-01-06 02:02 . 2001-08-17 20:51 16128 ----a-w- c:\windows\system32\dllcache\pscr.sys
2011-01-06 02:01 . 2001-08-18 05:36 44544 ----a-w- c:\windows\system32\dllcache\ovui2.dll
2011-01-06 01:50 . 2001-08-17 19:20 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-01-06 01:50 . 2001-08-17 19:20 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2011-01-06 01:50 . 2001-08-17 19:12 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2011-01-06 01:50 . 2004-08-04 05:31 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-01-06 01:50 . 2001-08-17 19:11 65278 ----a-w- c:\windows\system32\dllcache\netflx3.sys
2011-01-06 01:50 . 2001-08-17 19:50 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2011-01-06 01:50 . 2001-08-18 05:36 60480 ----a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-01-06 01:50 . 2001-08-17 20:49 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2011-01-06 01:50 . 2001-08-17 21:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2011-01-06 01:50 . 2001-08-17 19:50 27936 ----a-w- c:\windows\system32\dllcache\n9i3d.sys
2011-01-06 01:48 . 2008-04-13 19:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2011-01-06 01:47 . 2001-08-17 19:12 20573 ----a-w- c:\windows\system32\dllcache\lne100.sys
2011-01-06 01:46 . 2001-08-18 05:36 90200 ----a-w- c:\windows\system32\dllcache\io8ports.dll
2011-01-06 01:45 . 2006-03-15 10:00 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2011-01-06 01:44 . 2001-08-18 05:36 83968 ----a-w- c:\windows\system32\dllcache\hpgt21.dll
2011-01-06 01:43 . 2001-08-17 19:12 16074 ----a-w- c:\windows\system32\dllcache\fa312nd5.sys
2011-01-06 01:42 . 2001-08-17 19:11 69194 ----a-w- c:\windows\system32\dllcache\el656cd5.sys
2011-01-06 01:41 . 2001-08-18 05:36 110592 ----a-w- c:\windows\system32\dllcache\dc260usd.dll
2011-01-06 01:40 . 2001-08-18 05:36 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2011-01-06 01:39 . 2001-08-17 19:49 17152 ----a-w- c:\windows\system32\dllcache\atitvsnd.sys
2011-01-06 01:37 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-01-04 01:56 . 2011-01-04 01:56 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\Avira
2011-01-02 21:14 . 2010-12-13 15:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-02 21:14 . 2010-12-13 15:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-02 21:14 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-02 21:14 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-02 21:14 . 2011-01-02 21:14 -------- d-----w- c:\program files\Avira
2011-01-02 21:14 . 2011-01-02 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-12-30 03:51 . 2010-12-30 03:51 1409 ----a-w- c:\windows\QTFont.for
2010-12-30 03:51 . 2010-12-30 03:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-12-30 03:46 . 2010-12-31 01:51 -------- d-----w- c:\documents and settings\Tim Oakley\Local Settings\Application Data\Temp
2010-12-30 03:46 . 2010-12-30 03:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-12-30 00:09 . 2010-12-30 00:09 -------- d-----w- c:\program files\ESET
2010-12-29 17:04 . 2010-12-29 17:04 -------- d-----w- C:\_OTL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-30 01:27 . 2001-08-17 18:52 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-11-18 18:12 . 2006-09-28 13:27 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2006-09-28 01:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-09-28 01:01 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-09-28 01:01 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-09-28 01:01 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-09-28 01:01 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-09-28 01:01 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-09-28 01:01 1853312 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"Power2GoExpress"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2010-10-27 2345000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 984352]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2010-10-27 353992]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11674:TCP"= 11674:TCP:*:Disabled:BitComet 11674 TCP
"11674:UDP"= 11674:UDP:*:Disabled:BitComet 11674 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [1/29/2007 6:21 AM 42240]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/8/2011 9:47 AM 202064]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/8/2011 9:47 AM 25000]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/8/2011 9:47 AM 29272]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/2/2011 2:14 PM 135336]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [1/8/2011 9:46 AM 380784]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [12/29/2007 6:44 PM 450400]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [1/8/2011 9:47 AM 38856]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [1/8/2011 9:46 AM 3652696]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [3/21/2006 12:37 PM 47488]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2010 8:46 PM 136176]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2011-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 03:46]
2011-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 03:46]
2011-01-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-01-10 18:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-10 18:04:47
ComboFix-quarantined-files.txt 2011-01-11 01:04
ComboFix2.txt 2011-01-11 00:36
ComboFix3.txt 2011-01-10 05:19
Pre-Run: 38,817,480,704 bytes free
Post-Run: 38,793,445,376 bytes free
- - End Of File - - 162FBC2E90D86ED0EAE2FF210B52F5C1
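The sections of a ComboFix log that matter most when triaging a machine are the Run keys, the firewall exceptions and the service list, and reading them by eye across several logs in a thread is error-prone. The script below is an added example, not the poster's code and not part of ComboFix; it parses those sections from an excerpt of the log above (embedded inline so it runs offline) and applies two review heuristics that are my own assumptions, not ComboFix's: a Run value whose name shares no word with the executable it launches, and several Run values pointing at the same executable. On this excerpt that singles out the "Power2GoExpress" value, which launches MsnMsgr.Exe and duplicates the "MsnMsgr" value; that is a prompt to check the entry by hand, not a verdict that it is malicious. The firewall check lists enabled exceptions open to any address ("*" scope); the BitComet ports in this log are disabled and the ActiveSync port is limited to the 169.254.2.0/24 link-local range, so it returns nothing here.

```python
"""Parse the autostart-relevant sections of a ComboFix log and flag
entries worth a second look.  Added example, not part of the original
post or of ComboFix; the flagging heuristics are the author's assumptions."""
import re
from collections import defaultdict

# Constructed sample: a short excerpt of the ComboFix log above, embedded so
# the script runs offline.  Feed parse_log() the whole ComboFix.txt instead.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"Power2GoExpress"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2010-10-27 2345000]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11674:TCP"= 11674:TCP:*:Disabled:BitComet 11674 TCP
"11674:UDP"= 11674:UDP:*:Disabled:BitComet 11674 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [1/29/2007 6:21 AM 42240]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [1/8/2011 9:46 AM 380784]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2010 8:46 PM 136176]
"""

# Line shapes as ComboFix prints them (see the log above).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" '
                    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"= \d+:(?:TCP|UDP):'
                     r"(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<desc>.*)$")
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
                    r"(?P<path>.+?) \[(?P<ts>[^\]]+) (?P<size>\d+)\]$")


def parse_log(text):
    """Return {'run': [...], 'ports': [...], 'services': [...]} from log text."""
    out = {"run": [], "ports": [], "services": []}
    key = ""  # registry key the following value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m and key.lower().endswith("\\run"):  # only real Run keys
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["hive"] = key
            out["run"].append(d)
            continue
        m = PORT_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            out["ports"].append(d)
            continue
        m = SVC_RE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            out["services"].append(d)
    return out


# Path words too generic to link a value name to its target (assumption).
STOP = {"program", "files", "progra", "windows", "system32", "common"}


def _tokens(path):
    """Words of at least four characters from a path, minus generic ones."""
    return {t for t in re.split(r"[^a-z0-9]+", path.lower())
            if len(t) >= 4 and t not in STOP}


def flag_run_entries(entries):
    """Heuristic review of Run values; returns (subject, reason) pairs."""
    findings = []
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"].lower()].append(e["name"])
        name = e["name"].lower()
        if not any(tok in name for tok in _tokens(e["path"])):
            findings.append((e["name"], "value name unrelated to target executable"))
    for path, names in by_path.items():
        if len(names) > 1:
            findings.append((path, "same target under several value names: "
                             + ", ".join(names)))
    return findings


def wide_open_ports(ports):
    """Enabled firewall exceptions that accept connections from any address."""
    return [p for p in ports if p["state"] == "Enabled" and p["scope"] == "*"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for subject, reason in flag_run_entries(parsed["run"]):
        print(f"REVIEW {subject}: {reason}")
    for p in wide_open_ports(parsed["ports"]):
        print(f"OPEN {p['port']}/{p['proto']}: {p['desc']}")
    for s in parsed["services"]:
        print(f"{s['start']} {s['name']} -> {s['path']}")
```

The name-to-path heuristic is deliberately loose (substring match on words of four or more characters) so that values such as "EasyLinkAdvisor" launching LinksysAgent.exe from the "Linksys EasyLink Advisor" folder pass; tighten STOP or the minimum word length to suit your logs, and treat every hit as a prompt to look up the file's publisher and signature rather than as a finding on its own.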