I ran ComboFix exactly according to these instructions, step by step. Here is the ComboFix.txt file (note that if there are characters you see as gibberish in the file paths, it should be because some folder names are not in English):
ComboFix 10-01-04.01 - מתן 01/06/2010 20:52:19.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1037.18.3068.2518 [GMT 2:00]
Running from: c:\matan files\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ieuinit.inf
.
((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.
2010-01-06 18:14 . 2010-01-06 18:14 388096 ----a-r- c:\documents and settings\מתן\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-06 18:14 . 2010-01-06 18:14 -------- d-----w- c:\program files\TrendMicro
2010-01-06 16:32 . 2010-01-06 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-01-06 16:32 . 2010-01-06 16:44 -------- d-----w- c:\program files\RegCure
2010-01-06 16:21 . 2010-01-06 16:21 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-01-06 16:21 . 2010-01-06 18:55 184352 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-06 16:21 . 2010-01-06 18:55 10016 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-06 15:38 . 2010-01-06 15:38 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-06 15:38 . 2010-01-06 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-01-06 15:38 . 2010-01-06 15:38 -------- d-----w- c:\program files\ParetoLogic
2010-01-06 15:38 . 2010-01-06 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-06 15:37 . 2010-01-06 15:37 -------- d-----w- c:\documents and settings\מתן\Local Settings\Application Data\Downloaded Installations
2010-01-02 07:14 . 2010-01-02 07:14 -------- d-----w- c:\program files\Autodesk
2009-12-30 17:12 . 2009-12-30 17:35 -------- d-----w- c:\program files\Audacity
2009-12-07 19:10 . 2009-12-07 19:10 -------- d-s---w- c:\documents and settings\מתן\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 18:50 . 2006-03-02 12:00 67432 ----a-w- c:\windows\system32\perfc00d.dat
2010-01-06 18:50 . 2006-03-02 12:00 345780 ----a-w- c:\windows\system32\perfh00d.dat
2010-01-06 18:46 . 2009-11-15 14:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-06 18:45 . 2010-01-06 16:21 2156 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-06 18:45 . 2010-01-06 16:21 1628 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-06 14:59 . 2009-08-20 10:04 -------- d-----w- c:\documents and settings\מתן\Application Data\uTorrent
2010-01-05 04:19 . 2009-10-03 18:32 -------- d-----w- c:\documents and settings\מתן\Application Data\U3
2010-01-02 07:17 . 2009-08-20 02:22 -------- d-----w- c:\documents and settings\מתן\Application Data\HPAppData
2009-12-26 13:56 . 2009-08-20 02:32 -------- d-----w- c:\program files\McAfee
2009-12-25 05:52 . 2009-08-20 16:48 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-12-25 05:51 . 2009-08-20 16:47 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-12-21 22:07 . 2009-08-29 14:46 -------- d-----w- c:\program files\Google
2009-12-05 18:08 . 2009-12-05 18:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-12-04 04:38 . 2009-08-28 04:05 -------- d-----w- c:\documents and settings\מתן\Application Data\HpUpdate
2009-12-01 12:12 . 2009-08-20 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-28 20:34 . 2009-10-05 16:11 -------- d-----w- c:\documents and settings\מתן\Application Data\Skype
2009-11-28 20:33 . 2009-10-05 16:17 -------- d-----w- c:\documents and settings\מתן\Application Data\skypePM
2009-11-28 06:47 . 2009-11-20 10:48 -------- d-----w- c:\documents and settings\מתן\Application Data\Intelli-studio
2009-11-20 10:48 . 2009-11-20 10:48 -------- d-----w- c:\program files\Samsung
2009-11-20 10:45 . 2009-11-20 10:45 -------- d-----w- c:\program files\VS Revo Group
2009-11-15 14:41 . 2009-11-15 14:26 -------- d-----w- c:\program files\Spyware Doctor
2009-11-15 14:31 . 2009-11-15 14:26 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-15 14:26 . 2009-11-15 14:26 -------- d-----w- c:\documents and settings\מתן\Application Data\PC Tools
2009-11-15 14:26 . 2009-11-15 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-14 05:31 . 2009-11-14 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2009-11-02 21:40 . 2009-08-19 22:09 64936 ----a-w- c:\documents and settings\מתן\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 05:25 . 2006-03-02 12:00 663552 ----a-w- c:\windows\system32\wininet.dll
2009-10-23 08:37 . 2009-10-17 19:27 126972 ----a-w- c:\documents and settings\מתן\Application Data\mdbu.bin
2009-10-21 05:39 . 2006-03-02 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:39 . 2006-03-02 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-03-02 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-16 05:34 . 2009-08-20 17:06 0 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2009-10-13 10:33 . 2006-03-02 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:39 . 2006-03-02 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:39 . 2006-03-02 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2008-08-16 15:42 . 2008-08-16 15:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 15:42 . 2008-08-16 15:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 15:42 . 2008-08-16 15:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 15:42 . 2008-08-16 15:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 15:43 . 2008-08-16 15:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 15:42 . 2008-08-16 15:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 15:42 . 2008-08-16 15:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 06:41 . 2008-05-21 06:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 06:41 . 2008-05-21 06:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 06:41 . 2008-05-21 06:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 11:58 . 2008-06-05 11:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 15:42 . 2008-08-16 15:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 16862720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8523776]
"nwiz"="nwiz.exe" [2007-11-06 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" [2010-01-06 2667]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 02:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 04:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-05-15 13:55 1057328 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:17 1695232 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 13:43 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Transfer Monitor]
2009-02-24 14:00 479232 ----a-w- c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-29 14:46 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/11/2009 16:27 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/11/2009 16:31 112592]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/08/2009 04:35 93320]
R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [18/02/2009 14:40 587216]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [20/08/2009 00:17 244368]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/08/2009 12:15 721904]
S2 gupdate1ca28b79fb728ac;שירות Google Update (gupdate1ca28b79fb728ac);c:\program files\Google\Update\GoogleUpdate.exe [29/08/2009 16:47 133104]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/11/2009 16:26 358600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-01-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-29 14:46]
2010-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 14:47]
2010-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 14:47]
2009-12-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 10:22]
2009-12-31 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 10:22]
2010-01-06 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 10:25]
2010-01-06 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 10:25]
2010-01-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
2010-01-06 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
2010-01-06 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.il/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\INetHTTPFilter.dll
FF - ProfilePath - c:\documents and settings\מתן\Application Data\Mozilla\Firefox\Profiles\jlj5vv2c.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-AdobeBridge - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-01-06 20:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-436374069-764733703-839522115-1004\Software\Microsoft\ M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\devmgmt.msc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\INetHTTPFilter.dll
.
Completion time: 2010-01-06 20:57:01
ComboFix-quarantined-files.txt 2010-01-06 18:56
Pre-Run: 147,795,177,472 bytes free
Post-Run: 147,854,356,480 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - B43E5E37DB95E688DC6A213DF76FFF24
Also: after ComboFix finished its run and I turned my AV (McAfee) back on, Firefox wasn't my default browser, although it had been before. Is this normal?