Make sure System Restore is disabled.
Then run ComboFix and post its log.
Then run this:
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
Post your results.
Downloaded and ran ComboFix (and this computer has never been this fast before!). Log follows:
ComboFix 09-04-14.08 - MZiemski 04/14/2009 9:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.805 [GMT -4:00]
Running from: c:\documents and settings\mziemski.NBS\My Documents\Downloads\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://lin-ptchprd-01
.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.
2009-04-03 21:18 . 2009-04-03 21:18 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\Malwarebytes
2009-04-03 21:18 . 2009-03-26 20:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 21:18 . 2009-03-26 20:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 21:18 . 2009-04-03 21:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-02 14:28 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-02 14:27 . 2008-12-05 06:54 144896 -c----w c:\windows\system32\dllcache\schannel.dll
2009-04-02 14:27 . 2008-06-17 19:02 8461312 -c----w c:\windows\system32\dllcache\shell32.dll
2009-03-27 16:34 . 2009-03-27 16:34 13696 ----a-w c:\windows\system32\drivers\wpsnuio.sys
2009-03-27 16:34 . 2009-03-27 16:34 -------- d-----w c:\documents and settings\mziemski.NBS\Local Settings\Application Data\Skyhook Wireless
2009-03-27 16:33 . 2009-03-27 16:33 -------- d-----w c:\documents and settings\All Users\Application Data\GoBoingo
2009-03-18 20:53 . 2009-03-18 20:53 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\Image Zone Express
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 13:09 . 2008-11-14 19:26 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-14 13:04 . 2009-03-05 05:14 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\HPAppData
2009-04-13 20:03 . 2008-12-29 20:18 -------- d-----w c:\program files\Java
2009-04-13 12:34 . 2009-02-10 15:28 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-03 23:56 . 2009-04-03 23:56 -------- d-----w c:\program files\Trend Micro
2009-04-03 21:18 . 2009-04-03 21:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 20:22 . 2009-03-02 16:01 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\webex
2009-04-03 13:25 . 2009-02-25 21:13 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\U3
2009-03-27 16:34 . 2008-12-24 22:25 -------- d-----w c:\program files\AZZ Cardfile
2009-03-27 16:34 . 2009-03-27 16:34 -------- d-----w c:\program files\Skyhook Wireless
2009-03-27 16:33 . 2009-03-27 16:33 -------- d-----w c:\program files\Boingo
2009-03-25 17:11 . 2009-02-18 22:12 64824 ----a-w c:\documents and settings\mziemski.NBS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 20:16 . 2009-03-23 20:16 -------- d-----w c:\program files\MSECache
2009-03-21 16:44 . 2009-02-15 02:41 -------- d-----w c:\program files\TurboTax
2009-03-19 22:15 . 2009-03-19 22:15 -------- d-----w c:\program files\Nitro PDF
2009-03-19 22:15 . 2009-03-19 22:15 -------- d-----w c:\program files\Common Files\Nitro PDF
2009-03-09 09:19 . 2008-12-31 00:26 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 04:39 . 2009-03-05 04:39 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-03-05 04:37 . 2009-03-05 04:07 166360 ----a-w c:\windows\hpoins28.dat
2009-03-05 04:23 . 2009-03-05 04:23 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-03-05 04:20 . 2008-11-21 21:30 -------- d-----w c:\program files\HP
2009-03-05 04:17 . 2008-11-21 21:36 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-05 04:16 . 2009-03-05 04:16 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-03-05 04:16 . 2008-11-21 21:32 -------- d-----w c:\program files\Hewlett-Packard
2009-03-04 20:43 . 2009-03-04 20:43 508200 ----a-w c:\windows\system32\ICCProfiles.dll
2009-03-02 15:51 . 2008-11-21 21:37 50120 ----a-w C:\mombi.log
2009-02-22 23:08 . 2009-02-22 23:08 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\InstallShield
2009-02-22 22:03 . 2009-02-22 18:17 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\Intuit
2009-02-22 15:41 . 2009-02-22 14:57 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\PersonalBrain
2009-02-22 15:38 . 2008-11-20 23:59 -------- d-----w c:\program files\PersonalBrain
2009-02-22 14:59 . 2009-02-22 14:59 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\Windows Search
2009-02-22 14:23 . 2008-11-21 03:26 3411070 ----a-w C:\HuskyInstallerLog.txt
2009-02-22 14:20 . 2008-11-21 03:26 -------- d-----w c:\program files\palmOne
2009-02-22 04:58 . 2009-02-22 04:58 -------- d-----w c:\program files\MSBuild
2009-02-22 04:58 . 2009-02-22 04:58 -------- d-----w c:\program files\Reference Assemblies
2009-02-22 04:46 . 2008-11-21 04:29 -------- d-----w c:\program files\Microsoft SQL Server
2009-02-21 23:09 . 2009-02-17 22:13 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\HP
2009-02-19 21:09 . 2009-02-19 21:09 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-18 00:08 . 2009-02-18 00:08 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\GraphOn
2009-02-18 00:06 . 2009-02-18 00:06 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\Research In Motion
2009-02-17 23:23 . 2009-02-17 23:23 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\Nitro PDF
2009-02-17 23:22 . 2009-02-17 23:22 -------- d-----w c:\program files\Verizon Wireless
2009-02-17 22:13 . 2009-02-17 22:13 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\Windows Desktop Search
2009-02-17 22:13 . 2009-02-17 22:13 -------- d-----w c:\documents and settings\mziemski.NBS\Application Data\HotSync
2009-02-15 02:53 . 2008-11-14 20:11 60936 ----a-r c:\documents and settings\mziemski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-15 02:53 . 2008-11-23 18:39 -------- d-----w c:\documents and settings\mziemski\Application Data\Intuit
2009-02-15 02:53 . 2009-02-15 02:53 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-15 02:50 . 2008-11-23 18:39 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-02-15 02:50 . 2008-11-21 04:34 -------- d-----w c:\program files\Common Files\Intuit
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2009-03-04 209216]
"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2009-04-13 2179]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-11-14 1537064]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\
0\
0]
"Script"=\\nbs.nelnet.biz\SysVol\nbs.nelnet.biz\scripts\inventory.bat
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
R3 apusbsnt;Sierra Wireless USB Modem Device Driver;c:\windows\system32\DRIVERS\apusbsnt.sys [2003-12-09 40064]
R3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 NeatReceipts Database Controller;NeatReceipts Database Controller;c:\program files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [2008-02-05 228480]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
cscript //B "c:\program files\Nitro PDF\Professional\RemoveOldAddins.vbs"
.
Contents of the 'Scheduled Tasks' folder
2009-04-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-10 13:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.nelnet.info
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - hxxp://10.126.0.198/download/dolcontrol.cab
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-14 09:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1140)
c:\windows\system32\Ati2evxx.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 13:16
Pre-Run: 16,915,333,120 bytes free
Post-Run: 17,776,488,448 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
185 --- E O F --- 2009-04-02 23:12