OK, I got confirmation from AVG that the scanner does not run in Safe Mode, so I went ahead and did another scan. These are the results:
ComboFix 09-10-06.03 - Administrator 2009/10/06 21:42.5.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.886.1033.18.447.289 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"C:\mtlff.exe"
"C:\nqxbk.exe"
"C:\rlswn.exe"
"c:\windows\system32\bahabona.dll"
"c:\windows\system32\bezizipu.dll"
"c:\windows\system32\difebebu.exe"
"c:\windows\system32\dipakule.dll"
"c:\windows\system32\fonodate.exe"
"c:\windows\system32\fumupofo.dll"
"c:\windows\system32\hazafupe.exe"
"c:\windows\system32\kavumefe.dll"
"c:\windows\system32\kiratero.dll"
"c:\windows\system32\laweyohe.exe"
"c:\windows\system32\lunegogu.dll"
"c:\windows\system32\nalusihe.exe"
"c:\windows\system32\nominenu.dll"
"c:\windows\system32\sokofosu.exe"
"c:\windows\system32\sonewibu.exe"
"c:\windows\system32\sovowuyi.dll"
"c:\windows\system32\tufujavu.dll"
"c:\windows\system32\vomuganu.dll"
"c:\windows\system32\wifenoho.dll"
"c:\windows\system32\wozupeva.dll"
"c:\windows\system32\wurebupe.dll"
"c:\windows\system32\yadebene.dll"
"c:\windows\system32\yiriyidi.dll"
"c:\windows\system32\yokamuye.dll"
"c:\windows\system32\yovalono.dll"
"c:\windows\system32\yuhisona.exe"
"c:\windows\system32\yunohoyo.exe"
"c:\windows\system32\zayitala.exe"
"c:\windows\win32k.sys"
"C:\yonm.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\$NtServicePackUninstall$\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-06 23:50 . 2009-10-07 00:02 -------- d-----w- C:\Combo-Fix9963C
2009-10-06 22:35 . 2009-10-06 22:35 -------- d-----w- c:\windows\LastGood
2009-10-06 22:23 . 2004-08-04 07:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-10-06 01:34 . 2009-10-06 22:18 -------- d-----w- C:\Combo-Fix
2009-10-06 00:53 . 2009-10-06 01:11 -------- d-----w- C:\Combo-Fix.txt
2009-10-03 17:40 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 17:40 . 2009-10-05 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 17:40 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 03:53 . 2009-10-01 03:53 -------- d-----w- c:\program files\Trend Micro
2009-09-30 13:37 . 2009-09-30 13:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-30 13:24 . 2009-09-30 13:24 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-09-30 13:23 . 2009-09-30 13:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-30 12:56 . 2009-09-30 12:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-30 05:20 . 2009-09-30 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-09 07:29 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 22:32 . 2005-04-18 04:46 793 --sha-w- c:\windows\system32\mmf.sys
2009-09-30 05:38 . 2008-10-19 05:02 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-30 04:51 . 2006-12-09 19:38 -------- d-----w- c:\program files\Windows Defender
2009-09-30 03:44 . 2008-10-19 05:02 -------- d-----w- c:\program files\DNA
2009-09-05 12:32 . 2009-09-05 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-09-05 07:24 . 2004-07-13 20:28 -------- d-----w- c:\program files\DivX
2009-09-05 07:23 . 2009-09-05 07:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-14 13:36 . 2009-02-01 15:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 13:36 . 2008-07-04 05:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 13:36 . 2007-01-01 08:37 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-07 00:24 . 2004-08-11 22:48 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 22:48 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-11 22:48 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-05-20 17:33 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-05-20 17:51 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 22:48 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-02-01 02:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2005-05-26 09:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-05-20 17:33 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 15:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-02-01 19:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-05-20 17:51 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-11 06:45 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-03-08 23:41 . 2005-03-08 23:41 56 --sha-r- c:\windows\system32\82F1638CF7.sys
2005-03-08 23:41 . 2005-03-08 23:41 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
------- Sigcheck -------
[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-06_01.42.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 22:48 . 2009-08-07 00:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2009-10-06 22:35 . 2008-10-16 20:06 208744 c:\windows\LastGood\system32\muweb.dll
+ 2009-10-06 22:35 . 2008-10-16 20:06 268648 c:\windows\LastGood\system32\mucltui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Acme.PCHButton"="c:\progra~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe" [2004-04-01 159744]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-25 1732608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 68856]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-16 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG311T Wireless Assistant.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2004-12-17 7708672]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-4-1 16384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 13:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\VectorWorks 10.1\\VectorWorks.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\InterVideo\\Quake III Arena\\quake3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:TCP"= 7000:TCP:btdownloadergui
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-14 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-14 297752]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-04-18 2560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 21:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2367046221-998718354-2122322601-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]
"1"=hex:ed,4b,4a,ed,15,23,49,74,5a,62,6c,ea,06,f6,a6,df
"2"=hex:a9,40,80,f3,45,2c,d5,a1,17,53,11,d7,21,de,a4,9e,70,5f,a0,52,5b,27,ae,
65,1c,9d,59,02,eb,37,2c,7a,87,23,4c,1a,3f,83,53,96
"3"=hex:ed,4b,4a,ed,15,23,49,74,b0,26,52,ff,a0,7d,07,31,e6,5f,d4,da,fb,3f,90,
71,75,14,ea,42,77,9a,7a,ec,d4,b7,cc,3b,f4,0a,33,5b,a4,1e,da,46,25,2d,2a,72,\
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\A4C6DC1D7052183A161573F7BA846387]
"1"=hex:1a,dd,98,10,b1,7c,5d,e1
"2"=hex:c5,ff,57,75,f6,0a,be,c2
"3"=hex:48,0c,95,15,2b,0f,5c,2f,6f,53,7a,16,ea,05,fc,41,9c,cb,d7,93,ce,0b,b9,
e9,f3,cb,59,bb,1e,cc,c3,d2,4b,65,38,f1,04,90,3a,67,09,52,da,db,9c,b2,36,eb,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:ed,4b,4a,ed,15,23,49,74,5a,02,d0,c7,f9,dd,f2,e5,3e,e0,99,3d,a8,68,9c,
4f,1f,71,fc,13,23,3b,2c,6b,94,db,ee,08,97,0d,d7,27,bf,b9,1b,eb,26,77,8c,fe,\
"8"=hex:5d,56,03,e5,33,b3,79,9e,4c,e0,61,6e,a5,60,95,f1,1d,da,60,89,a3,a0,95,
f9
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:07,96,b3,35,9e,5a,1a,0b
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Completion time: 2009-10-07 21:53
ComboFix-quarantined-files.txt 2009-10-07 02:53
ComboFix2.txt 2009-10-07 00:02
ComboFix3.txt 2009-10-06 01:44
Pre-Run: 75,786,301,440 bytes free
Post-Run: 75,753,889,792 bytes free
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=,1,3,4,5
248 --- E O F --- 2009-09-29 05:08
ComboFix 09-10-06.03 - Administrator 2009/10/06 21:42.5.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.886.1033.18.447.289 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"C:\mtlff.exe"
"C:\nqxbk.exe"
"C:\rlswn.exe"
"c:\windows\system32\bahabona.dll"
"c:\windows\system32\bezizipu.dll"
"c:\windows\system32\difebebu.exe"
"c:\windows\system32\dipakule.dll"
"c:\windows\system32\fonodate.exe"
"c:\windows\system32\fumupofo.dll"
"c:\windows\system32\hazafupe.exe"
"c:\windows\system32\kavumefe.dll"
"c:\windows\system32\kiratero.dll"
"c:\windows\system32\laweyohe.exe"
"c:\windows\system32\lunegogu.dll"
"c:\windows\system32\nalusihe.exe"
"c:\windows\system32\nominenu.dll"
"c:\windows\system32\sokofosu.exe"
"c:\windows\system32\sonewibu.exe"
"c:\windows\system32\sovowuyi.dll"
"c:\windows\system32\tufujavu.dll"
"c:\windows\system32\vomuganu.dll"
"c:\windows\system32\wifenoho.dll"
"c:\windows\system32\wozupeva.dll"
"c:\windows\system32\wurebupe.dll"
"c:\windows\system32\yadebene.dll"
"c:\windows\system32\yiriyidi.dll"
"c:\windows\system32\yokamuye.dll"
"c:\windows\system32\yovalono.dll"
"c:\windows\system32\yuhisona.exe"
"c:\windows\system32\yunohoyo.exe"
"c:\windows\system32\zayitala.exe"
"c:\windows\win32k.sys"
"C:\yonm.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\$NtServicePackUninstall$\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-06 23:50 . 2009-10-07 00:02 -------- d-----w- C:\Combo-Fix9963C
2009-10-06 22:35 . 2009-10-06 22:35 -------- d-----w- c:\windows\LastGood
2009-10-06 22:23 . 2004-08-04 07:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-10-06 01:34 . 2009-10-06 22:18 -------- d-----w- C:\Combo-Fix
2009-10-06 00:53 . 2009-10-06 01:11 -------- d-----w- C:\Combo-Fix.txt
2009-10-03 17:40 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 17:40 . 2009-10-05 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 17:40 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 03:53 . 2009-10-01 03:53 -------- d-----w- c:\program files\Trend Micro
2009-09-30 13:37 . 2009-09-30 13:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-30 13:24 . 2009-09-30 13:24 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-09-30 13:23 . 2009-09-30 13:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-30 12:56 . 2009-09-30 12:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-30 05:20 . 2009-09-30 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-09 07:29 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 22:32 . 2005-04-18 04:46 793 --sha-w- c:\windows\system32\mmf.sys
2009-09-30 05:38 . 2008-10-19 05:02 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-30 04:51 . 2006-12-09 19:38 -------- d-----w- c:\program files\Windows Defender
2009-09-30 03:44 . 2008-10-19 05:02 -------- d-----w- c:\program files\DNA
2009-09-05 12:32 . 2009-09-05 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-09-05 07:24 . 2004-07-13 20:28 -------- d-----w- c:\program files\DivX
2009-09-05 07:23 . 2009-09-05 07:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-14 13:36 . 2009-02-01 15:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 13:36 . 2008-07-04 05:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 13:36 . 2007-01-01 08:37 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-07 00:24 . 2004-08-11 22:48 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 22:48 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-11 22:48 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-05-20 17:33 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-05-20 17:51 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 22:48 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-02-01 02:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2005-05-26 09:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-05-20 17:33 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 15:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-02-01 19:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-05-20 17:51 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-11 06:45 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-03-08 23:41 . 2005-03-08 23:41 56 --sha-r- c:\windows\system32\82F1638CF7.sys
2005-03-08 23:41 . 2005-03-08 23:41 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
------- Sigcheck -------
[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-06_01.42.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 22:48 . 2009-08-07 00:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2009-10-06 22:35 . 2008-10-16 20:06 208744 c:\windows\LastGood\system32\muweb.dll
+ 2009-10-06 22:35 . 2008-10-16 20:06 268648 c:\windows\LastGood\system32\mucltui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Acme.PCHButton"="c:\progra~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe" [2004-04-01 159744]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-25 1732608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 68856]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-16 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG311T Wireless Assistant.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2004-12-17 7708672]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-4-1 16384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 13:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\VectorWorks 10.1\\VectorWorks.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\InterVideo\\Quake III Arena\\quake3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:TCP"= 7000:TCP:btdownloadergui
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-14 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-14 297752]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-04-18 2560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 21:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2367046221-998718354-2122322601-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]
"1"=hex:ed,4b,4a,ed,15,23,49,74,5a,62,6c,ea,06,f6,a6,df
"2"=hex:a9,40,80,f3,45,2c,d5,a1,17,53,11,d7,21,de,a4,9e,70,5f,a0,52,5b,27,ae,
65,1c,9d,59,02,eb,37,2c,7a,87,23,4c,1a,3f,83,53,96
"3"=hex:ed,4b,4a,ed,15,23,49,74,b0,26,52,ff,a0,7d,07,31,e6,5f,d4,da,fb,3f,90,
71,75,14,ea,42,77,9a,7a,ec,d4,b7,cc,3b,f4,0a,33,5b,a4,1e,da,46,25,2d,2a,72,\
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\A4C6DC1D7052183A161573F7BA846387]
"1"=hex:1a,dd,98,10,b1,7c,5d,e1
"2"=hex:c5,ff,57,75,f6,0a,be,c2
"3"=hex:48,0c,95,15,2b,0f,5c,2f,6f,53,7a,16,ea,05,fc,41,9c,cb,d7,93,ce,0b,b9,
e9,f3,cb,59,bb,1e,cc,c3,d2,4b,65,38,f1,04,90,3a,67,09,52,da,db,9c,b2,36,eb,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:ed,4b,4a,ed,15,23,49,74,5a,02,d0,c7,f9,dd,f2,e5,3e,e0,99,3d,a8,68,9c,
4f,1f,71,fc,13,23,3b,2c,6b,94,db,ee,08,97,0d,d7,27,bf,b9,1b,eb,26,77,8c,fe,\
"8"=hex:5d,56,03,e5,33,b3,79,9e,4c,e0,61,6e,a5,60,95,f1,1d,da,60,89,a3,a0,95,
f9
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:07,96,b3,35,9e,5a,1a,0b
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Completion time: 2009-10-07 21:53
ComboFix-quarantined-files.txt 2009-10-07 02:53
ComboFix2.txt 2009-10-07 00:02
ComboFix3.txt 2009-10-06 01:44
Pre-Run: 75,786,301,440 bytes free
Post-Run: 75,753,889,792 bytes free
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=,1,3,4,5
248 --- E O F --- 2009-09-29 05:08