OK, thanks! Here is my ComboFix log. Others to follow -
ComboFix 11-04-19.06 - user 20/04/2011 16:22:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3070.2734 [GMT 1:00]
Running from: e:\newantivirus\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Application Data\Adobe\plugs
c:\documents and settings\user\Application Data\Adobe\shed
c:\documents and settings\user\Application Data\Meol
c:\documents and settings\user\Application Data\Meol\osta.oqx
c:\documents and settings\user\WINDOWS
C:\Install.exe
C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-725345543-507921405-839522115-1004(2)\INFO2
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))
.
.
2011-04-20 15:15 . 2011-04-20 15:15 -------- d-----w- C:\32788R22FWJFW
2011-04-20 14:07 . 2011-04-20 14:25 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-20 14:07 . 2011-04-20 14:25 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-20 14:07 . 2011-04-20 14:25 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-20 14:01 . 2011-04-20 14:01 173419 ----a-w- c:\windows\Explorermgr.exe
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{9100749F-A31F-45BA-8670-14EB46DBDE69}
2011-04-20 13:59 . 2011-04-20 13:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2011-04-20 13:48 . 2011-04-20 13:48 -------- d-----w- c:\program files\Lavasoft
2011-04-20 13:47 . 2011-04-20 13:47 -------- d-----w- C:\dfc03690a81b4c87b0a421b7001c2f5e
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\GIMP-2.0
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Safari
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\AdventureSoft
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- C:\AeriaGames
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Veoh Networks
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2011-04-20 13:21 . 2011-04-20 13:21 -------- d-----w- c:\documents and settings\user\PrivacIE
2011-04-20 13:20 . 2011-04-20 13:20 -------- d-----w- c:\documents and settings\user\IETldCache
2011-04-20 13:12 . 2011-04-20 13:27 -------- dc----w- c:\windows\ie8
2011-04-20 12:46 . 2011-04-20 13:30 -------- dc----w- c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}(2)
2011-04-12 21:44 . 2011-04-17 01:15 -------- d-----w- C:\MGTools
2011-04-12 21:05 . 2011-04-12 21:06 -------- d-----w- c:\program files\UnHackMe
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\program files\IObit
2011-04-12 19:52 . 2011-04-17 01:31 -------- d-----w- c:\program files\rikoofph
2011-04-12 19:52 . 2011-04-12 19:52 173419 ----a-w- c:\windows\system32\null0.4895023822266785.exe
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-12 19:43 . 2011-04-20 13:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-12 19:28 . 2011-04-12 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-12 19:28 . 2011-04-12 19:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-12 19:04 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-12 19:04 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-05 12:18 . 2011-04-05 12:18 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-04-05 12:18 . 2005-10-14 21:42 46592 ----a-w- c:\windows\system32\hpzll43a.dll
2011-04-05 12:18 . 2005-10-14 21:41 72192 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp43a.dll
2011-04-05 12:07 . 2008-04-13 16:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-05 12:07 . 2008-04-13 16:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-02 23:46 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\Administrator
2011-04-02 23:40 . 2011-04-02 23:40 331010 ----a-w- c:\windows\system32\null0.01046472694286249.exe
2011-04-02 23:40 . 2011-04-02 23:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-01 20:59 . 2011-04-01 20:59 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-01 17:13 . 2011-04-01 17:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-01 15:50 . 2011-04-12 09:30 0 ----a-w- c:\windows\Fbimoyowoh.bin
2011-03-31 10:15 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\Application Data\gtk-2.0
2011-03-31 10:15 . 2011-03-31 10:15 -------- d-----w- c:\documents and settings\user\.thumbnails
2011-03-31 10:11 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\.gimp-2.6
2011-03-31 09:04 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\user\Application Data\mIRC
2011-03-31 09:04 . 2011-04-20 14:00 -------- d-----w- c:\program files\mIRC
2011-03-30 19:40 . 2011-04-20 13:29 -------- d-----w- c:\program files\Pixia
2011-03-30 19:09 . 2011-03-30 19:40 -------- d-----w- c:\program files\Photobie
2011-03-29 20:12 . 2011-03-29 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ConeXware
2011-03-29 20:12 . 2011-04-20 14:42 -------- d-----w- c:\program files\PowerArchiver
2011-03-27 21:25 . 2011-03-27 21:26 -------- d-----w- c:\program files\iTunes
2011-03-27 21:25 . 2011-03-27 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-13 23:25 . 2011-03-13 23:25 256 ----a-w- c:\documents and settings\user\pool.bin
2011-02-18 15:36 . 2009-11-04 18:53 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 15:36 . 2009-11-04 18:53 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-04-20 14:25 . 2011-04-20 14:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 1654784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 598430]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 254439]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 03:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-04 18:25 323392 ----a-w- c:\program files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gjeharobif]
c:\windows\usenatuqicacepe.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 14:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k70ccreloc.exe]
c:\documents and settings\user\Application Data\B0A33B1579575DDB22426ADB99D36004\k70ccreloc.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-05-01 01:30 13750272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-05-01 01:30 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 01:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 598430 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-05 17:35 17879552 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-03-16 22:24 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tukdtjsr]
c:\windows\system32\tukdtjsr.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tukdtjsrx]
c:\windows\system32\tukdtjsrx.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-10-27 19:46 2075896 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"nlsX86cc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IS360service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [04/11/2009 19:01 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [01/04/2011 08:22 1181328]
S4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/04/2011 21:18 312152]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [20/10/2010 18:41 67904]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-01 00:01]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\t48c9v8k.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter:
jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Rikaichan: {0AA9101C-D3C1-4129-A9B7-D778C6A17F82} - %profile%\extensions\{0AA9101C-D3C1-4129-A9B7-D778C6A17F82}
FF - Ext: Japanese-English Dictionary for rikaichan: {6D898772-AD34-4c16-86BB-9DE787A5DEA0} - %profile%\extensions\{6D898772-AD34-4c16-86BB-9DE787A5DEA0}
FF - Ext: Rikaichan Japanese-English Dictionary File:
rikaichan-jpen@polarcloud.com - %profile%\extensions\rikaichan-jpen@polarcloud.com
FF - Ext: British English Dictionary:
en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-20 16:28
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe 173419 bytes executable
c:\documents and settings\user\Start Menu\Programs\Startup\desktop.ini 84 bytes
C:\apndaole.exe 173419 bytes executable
.
scan completed successfully
hidden files: 3
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-04-20 16:29:49
ComboFix-quarantined-files.txt 2011-04-20 15:29
ComboFix2.txt 2011-04-17 01:29
ComboFix3.txt 2011-04-12 22:01
.
Pre-Run: 572,476,530,688 bytes free
Post-Run: 573,901,295,616 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D4FF47C6576E73B53B8CB02F87E3F9FD