Here is the latest.
ComboFix 09-06-20.02 - Owner 06/20/2009 15:31.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.225 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"C:\487656.bat"
"c:\windows\010112010146118114.dat"
"c:\windows\system32\REN10.tmp"
"c:\windows\system32\REN11.tmp"
"c:\windows\system32\RENF.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\487656.bat
c:\windows\010112010146118114.dat
c:\windows\system32\REN10.tmp
c:\windows\system32\REN11.tmp
c:\windows\system32\RENF.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UMFDYGJKKUOF
-------\Legacy_ZJDCYP
-------\Service_umfdygjkkuof
-------\Service_zjdcyp
((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.
2009-06-20 13:49 . 2009-06-20 14:38 -------- d-s---w- C:\Combo-Fix
2009-06-19 13:12 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-19 13:12 . 2009-06-19 13:39 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-19 13:12 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-19 13:12 . 2009-06-19 13:13 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-19 13:12 . 2008-12-10 17:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-19 13:11 . 2009-06-20 04:56 -------- d-----w- c:\program files\Spyware Doctor
2009-06-19 13:11 . 2009-06-19 13:11 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-06-19 13:11 . 2009-06-19 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-19 10:07 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 10:07 . 2009-06-19 22:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 10:07 . 2009-06-19 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 10:07 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 03:24 . 2009-06-03 03:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2009-06-03 02:01 . 2009-06-03 02:03 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-06-02 08:04 . 2009-06-20 18:14 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-02 07:50 . 2009-06-02 07:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-02 07:50 . 2009-06-02 07:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-02 07:50 . 2009-06-02 07:50 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-02 07:50 . 2009-06-20 14:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-02 07:50 . 2009-06-02 07:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-02 07:50 . 2009-06-02 07:54 -------- d-----w- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-06-02 07:28 . 2009-06-02 07:28 -------- d-----w- c:\program files\CCleaner
2009-05-29 03:08 . 2009-05-29 03:07 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-29 02:27 . 2008-12-04 06:25 120832 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sh3pbpox.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-05-23 23:52 . 2009-05-27 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\17744214
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 20:45 . 2006-11-12 19:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 18:38 . 2006-09-06 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-20 14:58 . 2009-01-31 21:24 -------- d-----w- c:\program files\COMODO
2009-06-19 22:05 . 2004-05-12 07:26 -------- d-----w- c:\program files\Java
2009-06-19 00:28 . 2006-09-06 05:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-03 03:35 . 2005-01-01 16:18 -------- d-----w- c:\program files\Google
2009-06-02 07:49 . 2009-01-31 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-05-29 01:57 . 2004-05-12 11:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-19 22:24 . 2009-05-19 22:24 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-05-07 15:32 . 2004-05-31 19:15 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-01-22 06:16 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-09-04 17:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-05-12 06:16 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-05-12 06:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-20_14.32.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-20 20:44 . 2009-06-20 20:44 16384 c:\windows\temp\Perflib_Perfdata_904.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-02 1947928]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-02 07:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/19/2009 8:12 AM 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2009 2:50 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/2/2009 2:50 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/2/2009 2:49 AM 298776]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/19/2009 8:11 AM 348752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 mrtRate;mrtRate; [x]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [9/4/2004 11:44 AM 2944]
S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\drivers\BrFiltLo.sys [9/4/2004 11:44 AM 12160]
S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\drivers\BrFiltUp.sys [9/4/2004 11:44 AM 3968]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [9/4/2004 11:44 AM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [9/4/2004 11:44 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [9/4/2004 11:44 AM 10368]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
2009-06-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 02:40]
2009-06-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{71848431-9C3E-4217-9F76-4772C41E44E5} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/comcast.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: advancedmd.com
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 15:45
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3960)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-20 15:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 20:51
ComboFix2.txt 2009-06-20 18:38
ComboFix3.txt 2009-06-20 14:38
ComboFix4.txt 2009-01-31 20:58
Pre-Run: 124,487,512,064 bytes free
Post-Run: 124,477,472,768 bytes free
217 --- E O F --- 2009-06-18 21:46