Hope this was the right one...
ComboFix 09-10-08.04 - Aaron Ko 10/10/2009 11:24.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.952 [GMT -7:00]
Running from: c:\documents and settings\Aaron Ko\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aaron Ko\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Nathan Ko\Application Data\Gmail
c:\documents and settings\Nathan Ko\Application Data\Gmail\cssxo9416223.exe
c:\documents and settings\Nathan Ko\Application Data\Gmail\Shell32.dll
c:\documents and settings\Nathan Ko\Application Data\Gmail\Shell32.dll
c:\recycler\S-1-5-21-3968966495-137116618-2045513453-1003
c:\recycler\S-1-5-21-971334563-1478690862-3778208101-1003
c:\windows\Installer\1071e94.msp
c:\windows\Installer\2e81aa9.msp
c:\windows\Installer\90a21f.msp
c:\windows\Installer\954476.msp
c:\windows\Installer\b5a4cb.msp
c:\windows\Installer\c1746.msp
c:\windows\Installer\f34e9f.msp
c:\windows\setup.exe
c:\windows\system32\muzapp.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.
2009-10-10 04:51 . 2009-10-10 04:51 -------- d-----w- c:\windows\LastGood
2009-09-29 03:08 . 2009-09-29 03:08 -------- d-----w- c:\documents and settings\Aaron Ko\Local Settings\Application Data\PCHealth
2009-09-26 22:57 . 2009-09-26 22:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-09-22 00:48 . 2009-09-22 00:48 -------- d-----w- c:\documents and settings\Aaron Ko\Local Settings\Application Data\Sophos
2009-09-22 00:46 . 2009-09-22 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-09-22 00:41 . 2009-09-22 00:46 -------- d-----w- c:\program files\Sophos
2009-09-22 00:41 . 2009-09-22 00:41 -------- d-----w- c:\temp\Sophos
2009-09-22 00:40 . 2009-09-22 00:41 -------- d-----w- C:\Temp
2009-09-19 22:56 . 2009-09-19 22:56 -------- d-sh--w- c:\documents and settings\Peter Ko\IECompatCache
2009-09-19 22:54 . 2009-09-19 22:54 -------- d-sh--w- c:\documents and settings\Peter Ko\PrivacIE
2009-09-19 22:51 . 2009-09-19 22:51 -------- d-sh--w- c:\documents and settings\Peter Ko\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 05:45 . 2007-11-24 07:22 -------- d-----w- c:\program files\Warcraft III
2009-10-10 04:39 . 2008-12-18 19:50 -------- d-----w- c:\program files\Steam
2009-10-10 04:38 . 2008-06-15 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-08 01:33 . 2009-01-19 22:10 -------- d-----w- c:\documents and settings\Aaron Ko\Application Data\BitTorrent
2009-09-27 01:13 . 2009-01-13 07:15 -------- d-----w- c:\documents and settings\Nathan Ko\Application Data\DNA
2009-09-26 22:38 . 2009-01-13 07:15 -------- d-----w- c:\program files\DNA
2009-09-22 03:35 . 2009-03-11 20:48 655940 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-22 03:35 . 2009-03-11 20:48 48896544 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-22 03:35 . 2009-03-11 20:48 1652768 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-09-22 03:35 . 2009-03-11 20:48 155996 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-09-22 03:19 . 2008-01-04 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\TELUS
2009-09-22 03:19 . 2008-01-18 17:20 -------- d-----w- c:\documents and settings\Colleen Ko\Application Data\TELUS
2009-09-22 03:19 . 2008-01-12 01:09 -------- d-----w- c:\documents and settings\Ian Ko\Application Data\TELUS
2009-09-22 03:19 . 2008-01-06 05:26 -------- d-----w- c:\documents and settings\Nathan Ko\Application Data\TELUS
2009-09-22 03:19 . 2008-01-04 00:42 -------- d-----w- c:\documents and settings\Peter Ko\Application Data\TELUS
2009-09-22 03:18 . 2008-01-09 03:55 -------- d-----w- c:\documents and settings\Aaron Ko\Application Data\TELUS
2009-09-22 03:18 . 2008-01-04 00:40 -------- d-----w- c:\program files\TELUS
2009-09-19 22:53 . 2009-09-19 22:53 4958032 ----a-w- c:\documents and settings\Peter Ko\Application Data\pdinstall.exe
2009-09-19 22:52 . 2007-11-03 22:28 201424 ----a-w- c:\documents and settings\Peter Ko\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 20:51 . 2009-01-13 07:15 -------- d-----w- c:\documents and settings\Nathan Ko\Application Data\BitTorrent
2009-09-10 16:21 . 2009-01-24 01:01 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 06:21 . 2008-10-30 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-05 21:40 . 2008-02-04 07:12 -------- d-----w- c:\documents and settings\Nathan Ko\Application Data\U3
2009-09-05 07:35 . 2009-06-24 22:16 -------- d-----w- c:\documents and settings\Nathan Ko\Application Data\My Battle for Middle-earth(tm) II Files
2009-09-05 07:14 . 2009-04-19 03:53 -------- d-----w- c:\program files\Electronic Arts
2009-08-31 17:35 . 2008-07-14 00:34 34 ----a-w- c:\documents and settings\Nathan Ko\jagex_runescape_preferences.dat
2009-08-22 07:07 . 2007-11-06 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-22 05:42 . 2009-08-22 05:23 -------- d-----w- c:\documents and settings\Nathan Ko\Application Data\Nero
2009-08-22 05:22 . 2009-08-22 05:20 -------- d-----w- c:\program files\Common Files\Nero
2009-08-22 05:21 . 2009-08-22 05:20 -------- d-----w- c:\program files\Nero
2009-08-22 05:21 . 2009-08-22 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-05 09:01 . 2005-03-02 23:44 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-03-02 23:44 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2005-03-02 23:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-08 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Steam"="c:\program files\steam\steam.exe" [2009-06-12 1217784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"VAIO Update 3"="c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-05-16 551032]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2004-01-28 159744]
"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2004-01-28 98304]
"TELUS_eCare_Lite_McciTrayApp"="c:\program files\TELUS_eCare_Lite\eCareTrayApp.exe" [2007-01-24 1007720]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-27 282624]
"Auto Auto EPSON Stylus CX3800 Series on sony on TOSHIBA"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Auto EPSON Stylus CX3800 Series on HP-KO"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"Tsa.exe"="c:\program files\TELUS\TELUS security advisor\Tsa.exe" [2008-09-18 3228912]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-02 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-11-29 2748928]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-11-3 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-9-11 245760]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-26 118784]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\SteamApps\\blazerino\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\lmabcoms.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\NATHAN~1\LOCALS~1\Temp\DCDE0.tmp --> c:\docume~1\NATHAN~1\LOCALS~1\Temp\DCDE0.tmp [?]
S3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [12/14/2007 6:04 PM 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [12/14/2007 6:04 PM 19456]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-04 02:41]
2009-10-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-realtekc - c:\documents and settings\Nathan Ko\Application Data\Gmail\cssxo9416223.exe
AddRemove-Direct MIDI to MP3 Converter_is1 - c:\program files\Direct MIDI to MP3 Converter\unins000.exe
AddRemove-HijackThis - c:\documents and settings\Aaron Ko\Desktop\Trend Micro\HijackThis\HijackThis.exe
AddRemove-{B931FB80-537A-4600-00AD-AC5DEDB6C25B} - c:\program files\Electronic Arts\The Lord of the Rings
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 11:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\NATHAN~1\LOCALS~1\Temp\DCDE0.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(864)
c:\progra~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
.
Completion time: 2009-10-10 11:32
ComboFix-quarantined-files.txt 2009-10-10 18:32
Pre-Run: 37,052,088,320 bytes free
Post-Run: 39,417,737,216 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
223 --- E O F --- 2009-10-10 18:09