Hijackthis, Mbam, Combofix logs

[quester]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:02:39, on 9/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\COMODO\AntiSpam\Cas32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\Sioux\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cemlsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238346335437
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2695AB50-0DF6-40C5-8FCE-5851F2A3A7D9}: NameServer = 4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2695AB50-0DF6-40C5-8FCE-5851F2A3A7D9}: NameServer = 4.2.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7479 bytes

Malwarebytes' Anti-Malware 1.41
Database version: 2814
Windows 5.1.2600 Service Pack 3

9/16/2009 10:01:04 PM
mbam-log-2009-09-16 (22-01-04).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 134791
Time elapsed: 32 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Sioux\Application Data\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sioux\Application Data\FunWebProducts\Data (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sioux\Application Data\FunWebProducts\Data\Sioux (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Sioux\Application Data\FunWebProducts\Data\Sioux\avatar.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sioux\Application Data\FunWebProducts\Data\Sioux\zbucks.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.

 

[quester]

Hijackthis, Mbam, Combofix logs (cont'd)

ComboFix 09-09-16.02 - Sioux 09/16/2009 22:25.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.735 [GMT -5:00]
Running from: f:\pc cleanup\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\2b674a.msp
c:\windows\Installer\41a0e9.msp
c:\windows\Installer\74a8fd.msi
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-17 02:25 . 2009-09-17 02:25 -------- d-----w- c:\documents and settings\Sioux\Application Data\Malwarebytes
2009-09-17 02:25 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 02:25 . 2009-09-17 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 02:25 . 2009-09-17 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-17 02:25 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 01:47 . 2009-09-17 01:47 -------- d-----w- c:\program files\Trend Micro
2009-09-17 00:55 . 2009-09-17 00:55 -------- d-----w- c:\program files\CCleaner
2009-09-17 00:46 . 2009-09-17 00:47 -------- d-----w- c:\program files\CleanUp!
2009-09-17 00:40 . 2009-09-17 00:40 -------- d-----w- c:\program files\MSConfig CleanUp
2009-09-16 09:31 . 2009-09-16 09:31 -------- d-----w- c:\documents and settings\Sioux\Local Settings\Application Data\PCHealth
2009-09-16 02:56 . 2009-09-16 02:56 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-07 08:27 . 2009-09-07 08:27 651264 ----a-w- c:\windows\system32\CEmLSP.dll
2009-09-07 08:24 . 2009-09-17 03:20 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-09-07 08:11 . 2009-09-07 08:31 -------- d-----w- c:\documents and settings\Sioux\Application Data\Comodo
2009-09-07 00:53 . 2009-09-16 09:38 -------- d-----w- c:\program files\CarbonPoker
2009-08-25 00:39 . 2009-08-31 22:03 -------- d-----w- c:\documents and settings\Sioux\Application Data\HpUpdate
2009-08-25 00:38 . 2009-08-25 00:38 -------- d-----w- c:\windows\Hewlett-Packard
2009-08-24 03:28 . 2009-08-24 03:32 68027 ----a-w- c:\windows\hpqins13.dat
2009-08-24 00:06 . 2009-08-24 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-08-24 00:03 . 2009-08-24 00:03 -------- d-----w- c:\documents and settings\Sioux\Local Settings\Application Data\HP
2009-08-23 23:44 . 2008-08-22 12:24 271704 ----a-r- c:\windows\system32\hpzids01.dll
2009-08-23 23:44 . 2008-08-12 15:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2009-08-23 23:44 . 2007-07-09 10:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2009-08-23 23:44 . 2007-07-09 10:13 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-08-23 23:44 . 2008-10-06 11:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2009-08-23 23:44 . 2008-10-06 11:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2009-08-23 23:44 . 2007-07-06 10:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
2009-08-23 23:44 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2009-08-23 23:44 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2009-08-23 23:41 . 2009-08-23 23:41 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-23 23:39 . 2009-08-24 03:33 185901 ----a-w- c:\windows\hpwins23.dat
2009-08-23 23:39 . 2008-10-25 09:30 1847 ------w- c:\windows\hpwmdl23.dat
2009-08-23 22:02 . 2009-09-17 03:21 -------- d-----w- c:\program files\COMODO
2009-08-23 21:50 . 2009-08-23 21:50 -------- d-----w- c:\documents and settings\Sioux\Application Data\Yahoo!
2009-08-23 21:50 . 2009-09-16 18:44 -------- d-----w- c:\documents and settings\Sioux\Application Data\HPAppData
2009-08-23 20:48 . 2009-09-17 00:29 -------- d-----w- c:\program files\Yahoo!
2009-08-23 20:44 . 2009-08-23 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-08-23 20:40 . 2009-08-23 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-23 20:40 . 2009-08-23 20:40 -------- d-----w- c:\windows\hpoj6500e709
2009-08-23 20:31 . 2009-08-23 20:31 -------- d-----w- c:\program files\Common Files\HP
2009-08-23 19:12 . 2009-08-23 19:12 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-23 19:11 . 2008-04-14 05:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-23 19:11 . 2008-04-14 05:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-23 19:11 . 2008-04-14 05:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-08-23 19:11 . 2008-04-14 05:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-08-23 19:11 . 2008-04-14 05:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 00:27 . 2009-07-18 18:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-17 00:20 . 2008-12-27 01:18 -------- d-----w- c:\program files\HP
2009-09-16 04:05 . 2009-05-25 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-07 09:40 . 2009-07-19 18:04 -------- d-----w- c:\program files\Defraggler
2009-09-07 08:04 . 2009-07-18 18:43 -------- d-----w- c:\program files\Spyware Doctor
2009-09-01 11:28 . 2009-09-01 11:28 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-31 06:56 . 2008-12-27 01:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-19 18:07 . 2009-07-19 18:07 -------- d-----w- c:\program files\VS Revo Group
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2008-04-14 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 17:36 . 2008-12-27 01:23 75808 -c--a-w- c:\documents and settings\Sioux\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 17:09 . 2008-04-14 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"CiSvc"=3 (0x3)
"WSearch"=2 (0x2)
"mnmsrvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 7:00 AM 14336]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [12/26/2008 9:51 PM 182101]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;c:\windows\system32\drivers\ar5211.sys [12/26/2008 8:18 PM 468768]
S2 ACEDRV08;ACEDRV08;\??\c:\windows\system32\drivers\ACEDRV08.sys --> c:\windows\system32\drivers\ACEDRV08.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [7/12/2009 11:50 PM 1527900]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [12/26/2008 9:51 PM 5689]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [7/12/2009 11:52 PM 544768]
S4 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [4/14/2008 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tulsaworld.com
LSP: c:\windows\system32\CEmLSP.dll
TCP: {2695AB50-0DF6-40C5-8FCE-5851F2A3A7D9} = 4.2.2.1
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-HP Solution Center & Imaging Support Tools - c:\program files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
AddRemove-{FA0F0A01-4631-4161-A6C2-948BF694382E} - c:\program files\HP\Digital Imaging\{FA0F0A01-4631-4161-A6C2-948BF694382E}\setup\hpzscr01.exe -datfile hpwscr23.dat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-09-16 22:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(652)
c:\windows\system32\CEmLSP.dll

- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\CEmLSP.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-17 22:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 03:33

Pre-Run: 26,049,167,360 bytes free
Post-Run: 25,954,729,984 bytes free

228 --- E O F --- 2009-09-16 04:16

 

[Osiris]

Combofix and Malarebytes both deleted a lot of items, run them both again, combofix first then malwarebytes and post the logs so I can see if they deleted more items

 

[quester]

I disabled my anti-virus and exited Comodo prior to starting combofix. When I click "no" on the combofix prompt (for the recovery console install), nothing else happens. the program never runs.

 

[Osiris]

How about malwarebytes?

 

[quester]

new malwarebytes log:


Malwarebytes' Anti-Malware 1.41
Database version: 2814
Windows 5.1.2600 Service Pack 3

9/22/2009 9:02:05 PM
mbam-log-2009-09-22 (21-02-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 134624
Time elapsed: 40 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[Osiris]

Well that came up clean. Are you still having issues?