I did all that you asked. McAfee didn't want to close at the time of the Combofix scan, but I was able to give it the permission needed to run without being interfered with. Here is the Combofix log:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\All Users\Favorites\dap81.exe
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@2o7[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@2o7[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@ads.pointroll[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@clicktorrent[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@clicktorrent[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@insightexpressai[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@interclick[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@interclick[3].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@isohunt[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@my.clearchannelradio[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@questionmarket[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@revsci[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@specificclick[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@track.bestbuy[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@www.mmowned[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@www.wowarmory[2].txt
C:\Documents and Settings\MCX1\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\MCX2\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\Seekmo Programs
C:\WINDOWS\cookies.ini
C:\WINDOWS\Install.txt
C:\WINDOWS\system32\acyqxwbq.ini
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\okivrqbg.ini
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\tklmwgcr.ini
C:\WINDOWS\system32\tmp0_586011852553.bk
C:\WINDOWS\system32\tmp1_35446162913.bk
C:\WINDOWS\system32\tpszxyd.sys
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_MSNSDRS
-------\Legacy_NOYTCYR
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROYTCTM
-------\Legacy_SOBICYT
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afinding
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_macidwe
-------\Service_noytcyr
-------\Service_perfs
-------\Service_routing
-------\Service_roytctm
-------\Service_sobicyt
-------\Service_soxpeca
-------\Service_tdydowkc
-------\Service_wsldoekd
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-20 16:42 . 2008-09-20 17:04 <DIR> d-------- C:\Program Files\Winamp
2008-09-20 16:42 . 2008-09-20 16:44 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Winamp
2008-09-20 16:42 . 2007-03-07 19:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-09-20 16:42 . 2007-03-07 19:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-09-20 16:42 . 2007-03-07 19:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-09-10 18:10 . 2008-09-10 18:11 <DIR> d-------- C:\Program Files\iTunes
2008-09-10 18:10 . 2008-09-10 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-10 18:07 . 2008-09-10 18:07 <DIR> d-------- C:\Program Files\Bonjour
2008-09-10 17:58 . 2008-09-05 22:16 1,900,544 --a------ C:\WINDOWS\system32\usbaaplrc.dll
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-02 17:24 . 2008-09-02 17:24 <DIR> d-------- C:\Program Files\IObit
2008-09-01 10:27 . 2008-09-01 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-31 15:28 . 2008-08-31 15:28 <DIR> d-------- C:\Program Files\CleanMyPC
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
2008-08-28 15:48 . 2008-08-28 15:48 528,784 --a------ C:\WINDOWS\system32\PerfStringBackup.INI
2008-08-28 14:54 . 2008-08-28 14:54 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-28 14:54 . 2008-08-28 14:54 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-28 14:54 . 2008-08-28 14:54 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-28 14:53 . 2008-08-28 14:53 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-28 14:48 . 2008-08-28 14:48 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-25 22:05 . 2008-08-25 22:16 <DIR> d-------- C:\Program Files\Virtual Dub
2008-08-24 12:55 . 2006-02-22 01:02 <DIR> d-------- C:\Documents and Settings\MCX2\WINDOWS
2008-08-24 12:55 . 2006-02-22 01:03 <DIR> d-------- C:\Documents and Settings\MCX2\Application Data\Intuit
2008-08-24 12:55 . 2008-08-24 12:55 <DIR> d-------- C:\Documents and Settings\MCX2
2008-08-24 11:55 . 2004-08-03 22:41 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2008-08-24 11:54 . 2008-04-13 20:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-08-24 11:53 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-08-24 11:53 . 2008-04-13 20:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-24 11:53 . 2008-04-13 20:11 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll
2008-08-24 11:53 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-08-24 11:53 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll
2008-08-24 11:53 . 2008-04-13 20:12 33,792 --------- C:\WINDOWS\system32\mmcperf.exe
2008-08-24 11:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-08-24 11:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-08-24 11:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-08-24 11:53 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-08-24 11:52 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-24 11:52 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-08-24 11:52 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-08-24 11:52 . 2008-04-13 14:31 36,352 --------- C:\WINDOWS\system32\drivers\intelppm.sys
2008-08-24 11:52 . 2008-04-13 20:11 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2008-08-24 11:52 . 2008-04-13 14:46 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2008-08-24 11:52 . 2008-04-13 20:12 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2008-08-24 11:52 . 2008-04-13 20:12 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2008-08-24 11:52 . 2008-04-13 14:43 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2008-08-24 11:52 . 2007-06-21 01:52 974 --------- C:\WINDOWS\system32\pid.inf
2008-08-24 11:50 . 2008-04-13 20:11 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2008-08-24 11:23 . 2008-08-24 11:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 19:04 --------- d-----w C:\Program Files\Java
2008-09-22 19:00 --------- d-----w C:\Program Files\LimeWire
2008-09-22 19:00 --------- d-----w C:\Program Files\BitTorrent
2008-09-22 19:00 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\BitTorrent
2008-09-17 22:49 --------- d-----w C:\Program Files\World of Warcraft
2008-09-12 18:21 --------- d-----w C:\Program Files\McAfee
2008-09-12 18:15 --------- d-----w C:\Program Files\DISC
2008-09-11 19:00 --------- d-----w C:\Program Files\MP3 WAV Converter
2008-09-11 18:59 --------- d-----w C:\Program Files\Image-Line
2008-09-11 18:56 --------- d-----w C:\Program Files\GemMaster
2008-09-11 18:53 --------- d-----w C:\Program Files\PopupPopper
2008-09-11 18:52 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-09-11 18:52 --------- d-----w C:\Program Files\Hewlett-Packard
2008-09-11 18:52 --------- d-----w C:\Program Files\Common Files\Vbox
2008-09-11 18:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-11 18:52 --------- d-----w C:\Program Files\Apple Software Update
2008-09-10 22:10 --------- d-----w C:\Program Files\iPod
2008-09-10 22:04 --------- d-----w C:\Program Files\QuickTime
2008-09-10 22:03 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-08 01:26 --------- d-----w C:\Program Files\WoW Movies
2008-09-07 23:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-06 02:16 36,864 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-09-04 02:09 --------- d-----w C:\Program Files\Common Files\Real
2008-09-01 14:16 --------- d-----w C:\Program Files\Lavasoft
2008-09-01 14:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-01 14:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-01 05:27 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-31 06:16 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\DNA
2008-08-30 12:13 --------- d-----w C:\Program Files\DNA
2008-08-17 19:01 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 19:01 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 14:15 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2008-08-15 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 14:09 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-15 13:11 --------- d-----w C:\Program Files\dvdSanta
2008-08-15 11:57 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Xilisoft Corporation
2008-07-08 22:14 1,835,008 ----a-w C:\Program Files\WoWG.exe
2008-05-01 23:05 2,598 ----a-w C:\Documents and Settings\Compaq_Administrator\Application Data\SAS7_000.DAT
2008-03-03 00:42 545,278 ----a-w C:\Program Files\Autoruns.zip
2006-12-22 00:27 1,330 ----a-w C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2006-12-13 20:18 5 --sh--w C:\Program Files\Messengenr2.txt
2006-12-07 20:37 6,830,979 ----a-w C:\Program Files\Cosmos_Alpha.zip
2006-12-06 00:35 1,025,636 ----a-w C:\Program Files\VirtualDub-1.6.17.zip
2006-12-02 00:39 96,865,977 ----a-w C:\Program Files\OOo_2.0.4_Win32Intel_install.exe
2006-12-01 02:36 25,755,448 ----a-w C:\Program Files\wmp11-windowsxp-x86-enu.exe
2006-06-20 20:34 2,966,984 ----a-w C:\Program Files\Fraps v2.7.4.exe
2001-09-28 21:00 164,864 ------w C:\Program Files\UNWISE.EXE
2008-03-03 19:42 244,698 --sha-w C:\WINDOWS\system32\rtutv.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 64512]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2007-10-30 1095256]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 C:\WINDOWS\arpwrmsg.exe]
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-02-22 27136]
C:\Documents and Settings\MCX1\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-02-22 27136]
C:\Documents and Settings\MCX2\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-02-22 27136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18432]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Rupture.lnk]
path=C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\Rupture.lnk
backup=C:\WINDOWS\pss\Rupture.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 12:15 50528 C:\Program Files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-14 21:02 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 28160]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 nobicyt;nobicyt Service;C:\WINDOWS\system32\Nobicyt.exe [ ]
S2 solewxte;solewxte Service;C:\WINDOWS\system32\solewxte.exe [ ]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0C0FC00D-7248-F10D-0103-060105070400}]
C:\WINDOWS\system32\scvhost.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{070a5794-e6c6-4804-895f-bc85b71f1b8f} - (no file)
BHO-{AC978638-79C2-4917-9760-4D160A606D79} - (no file)
HKCU-Run-Aim6 - (no file)
MSConfigStartUp-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-SeekmoSA - C:\Program Files\Seekmo\bin\10.0.341.0\SeekmoSA.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\1zispnje.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
http://www.google.com.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-09-23 22:22:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-09-23 22:29:45 - machine was rebooted [Compaq_Administrator]
ComboFix-quarantined-files.txt 2008-09-24 02:29:37
Pre-Run: 120,774,692,864 bytes free
Post-Run: 121,155,055,616 bytes free
318 --- E O F --- 2008-09-18 18:30:11
Here is the Malwarebytes logMalwarebytes' Anti-Malware 1.28
Database version: 1200
Windows 5.1.2600 Service Pack 3
9/24/2008 5:22:59 PM
mbam-log-2008-09-24 (17-22-59).txt
Scan type: Full Scan (C:\|)
Objects scanned: 173547
Time elapsed: 1 hour(s), 49 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nobicyt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\xmp.bat (Trojan.Downloader) -> Quarantined and deleted successfully.
And here is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:13 PM, on 9/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktopR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktopR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =
http://localhost:9100/proxy.pacR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O15 - Trusted Zone:
http://*.trymedia.com (HKLM)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
http://housecall65.trendmicro.com/house ... hcImpl.cabO16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) -
http://cube.northwestcollege.edu/kxhcm10.ocxO16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) -
http://upload.facebook.com/controls/Fac ... oader3.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
http://cdn.scan.onecare.live.com/resour ... se5036.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/microsoftup ... 8648544395O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftup ... 8648535395O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: solewxte Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe