TomK: Thanks again. Here is the new log:
ComboFix 09-11-18.06 - Fazela 11/18/2009 18:03.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.481 [GMT -5:00]
Running from: c:\documents and settings\Fazela\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Fazela\Desktop\cfscript.txt
.
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.
2009-11-18 23:17 . 2009-08-01 16:16 6256600 ---ha-w- c:\documents and settings\Fazela\Application Data\mjusbsp\in00000\setup.exe
2009-11-18 23:17 . 2009-08-01 16:12 728600 ---ha-w- c:\documents and settings\Fazela\Application Data\mjusbsp\ar00000\install.exe
2009-11-18 23:17 . 2008-02-29 12:42 386496 ----a-w- c:\documents and settings\Fazela\Application Data\mjusbsp\ar00000\magicJackSplash.exe
2009-11-18 22:42 . 2009-11-18 22:42 -------- d-s---w- c:\windows\Cookies
2009-11-18 22:18 . 2004-08-03 20:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-18 22:18 . 2004-08-03 20:59 95360 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-14 13:27 . 2009-11-14 13:36 -------- d-----w- C:\All.In.The.Family.Season3.E17-19.DVDrip.Ac3.XviD
2009-11-14 13:10 . 2009-11-14 13:15 -------- d-----w- C:\gmer
2009-11-13 19:57 . 2009-11-13 19:57 -------- d-----w- C:\All.In.The.Family.Season3.E09-16.DVDrip.Ac3.XviD
2009-11-13 19:53 . 2009-11-15 17:34 -------- d-----w- C:\All.In.The.Family.Season3.E01-08.DVDrip.Ac3.XviD
2009-11-09 11:25 . 2009-11-09 11:25 -------- d-----w- C:\Rooter$
2009-11-08 19:06 . 2009-11-08 19:44 -------- d-----w- c:\program files\DVDFab 5
2009-11-08 18:58 . 2009-11-08 19:04 -------- d-----w- C:\DVDFab.Platinum.v5.2.5.0
2009-11-08 18:54 . 2009-11-08 18:56 -------- d-----w- C:\dvdfab
2009-11-08 17:53 . 2009-11-08 17:55 -------- d-----w- C:\Slysoft CloneDVD2 V2.9.1.9(KNIGHTY1973)
2009-11-04 23:15 . 2009-11-04 23:15 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-03 11:29 . 2009-11-03 11:50 -------- d-----w- C:\Kaaba
2009-10-23 16:42 . 2009-10-30 20:44 -------- d-----w- C:\All In The Family S06 Episodes 13 - 24 (of 24)
2009-10-23 16:39 . 2009-11-08 14:20 -------- d-----w- C:\All In The Family S06 Episodes 1 - 12 (of 24)
2009-10-22 13:46 . 2009-10-22 13:46 -------- d-----w- c:\documents and settings\Fazela\Application Data\Sony Corporation
2009-10-22 13:35 . 2009-10-22 13:35 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-22 13:34 . 2009-10-22 13:43 -------- d-----w- c:\documents and settings\Fazela\Local Settings\Application Data\Downloaded Installations
2009-10-22 13:31 . 2009-10-22 13:31 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-21 22:29 . 2009-10-23 12:14 -------- d-----w- C:\All In The Family S05 Episodes 13 - 24 (of 24)
2009-10-21 22:27 . 2009-11-03 02:30 -------- d-----w- C:\All In The Family S05 Episodes 1 - 12 (of 24)
2009-10-21 06:27 . 2009-10-21 20:35 -------- d-----w- C:\All.In.The.Family.S3.E22-24
2009-10-20 10:51 . 2009-10-20 10:51 -------- d-----w- c:\documents and settings\Fazela\Application Data\CursorArts
2009-10-20 10:51 . 2009-10-20 15:33 -------- d-----w- c:\program files\ActivIcons
2009-10-20 10:48 . 2009-10-20 10:49 -------- d-----w- C:\ActivIcons
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 23:18 . 2009-01-16 21:39 -------- d-----w- c:\documents and settings\Fazela\Application Data\mjusbsp
2009-11-18 22:05 . 2009-10-17 00:18 -------- d-----w- c:\documents and settings\Fazela\Application Data\vlc
2009-11-17 23:47 . 2007-07-24 17:11 -------- d-----w- c:\documents and settings\Fazela\Application Data\uTorrent
2009-11-10 02:55 . 2008-09-06 22:41 -------- d-----w- c:\program files\Symantec
2009-11-10 01:35 . 2008-10-21 04:01 -------- d-----w- c:\documents and settings\Fazela\Application Data\Skype
2009-11-10 01:01 . 2008-10-21 04:13 -------- d-----w- c:\documents and settings\Fazela\Application Data\skypePM
2009-11-08 19:41 . 2009-02-28 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-11-08 19:06 . 2009-02-27 23:47 -------- d-----w- c:\documents and settings\Fazela\Application Data\Vso
2009-11-08 19:06 . 2009-02-27 23:47 47360 -c--a-w- c:\documents and settings\Fazela\Application Data\pcouffin.sys
2009-11-08 19:06 . 2009-02-27 23:47 47360 -c--a-w- c:\documents and settings\Fazela\Application Data\pcouffin.sys
2009-11-08 19:06 . 2009-02-27 23:47 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-07 12:56 . 2007-10-11 20:44 -------- d-----w- c:\program files\Softwin
2009-11-07 12:56 . 2007-10-09 15:49 -------- d-----w- c:\program files\Common Files\Softwin
2009-10-25 23:14 . 2009-09-13 14:52 117760 ----a-w- c:\documents and settings\Fazela\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-25 12:57 . 2009-08-11 02:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-20 00:24 . 2008-10-21 02:51 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-13 14:09 . 2009-10-12 18:07 -------- d-----w- c:\program files\Broadcom
2009-10-13 01:17 . 2006-12-14 13:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-12 18:05 . 2009-10-12 18:05 -------- d-----w- c:\program files\Analog Devices
2009-10-12 15:36 . 2006-12-14 00:26 24724 -c--a-w- c:\windows\system32\emptyregdb.dat
2009-10-12 15:36 . 2006-12-14 00:25 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-09 12:28 . 2009-10-05 16:28 2081048 ----a-w- c:\windows\system32\AutoPartNt.exe
2009-10-06 18:38 . 2009-09-13 14:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-05 18:30 . 2008-09-06 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-05 18:27 . 2008-10-21 05:11 -------- d-----w- c:\program files\Norton Ghost
2009-10-04 07:34 . 2008-10-22 18:51 -------- d-----w- c:\program files\Common Files\Acronis
2009-10-04 07:33 . 2009-10-04 07:33 902592 ----a-w- c:\windows\system32\drivers\tdrpm228.sys
2009-10-04 07:32 . 2008-10-22 18:52 540000 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-10-04 07:32 . 2008-10-22 18:52 44704 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-10-04 07:32 . 2008-10-22 18:52 138208 -c--a-w- c:\windows\system32\drivers\snapman.sys
2009-09-30 12:28 . 2009-03-13 21:12 -------- d-----w- c:\program files\ThreatFire
2009-09-29 10:27 . 2007-01-03 21:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-23 14:07 . 2009-09-23 13:44 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-23 14:07 . 2009-09-23 13:44 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-23 14:07 . 2009-09-23 13:44 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-23 12:22 . 2009-09-23 12:20 -------- d-----w- c:\program files\Panasonic
2009-09-22 10:38 . 2009-05-30 22:46 -------- d-----w- c:\documents and settings\Fazela\Application Data\dvdcss
2009-09-16 14:21 . 2006-12-17 14:22 33176 -c--a-w- c:\documents and settings\Fazela\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 03:34 . 2008-10-07 16:39 4045528 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-10 19:54 . 2008-10-07 16:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-10-07 16:38 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 14:36 . 2009-09-04 14:36 0 ----a-w- c:\windows\system32\cd.dat
2008-10-08 23:40 . 2008-10-08 23:38 50689960 -c--a-w- c:\program files\avg_free_stf_en_8_173a1373.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-11-09_03.49.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-18 23:17 . 2009-11-18 23:17 16384 c:\windows\temp\Perflib_Perfdata_f3c.dat
+ 2009-11-18 23:17 . 2009-11-18 23:17 16384 c:\windows\temp\Perflib_Perfdata_580.dat
+ 2009-11-18 23:17 . 2009-11-18 23:17 16384 c:\windows\temp\Perflib_Perfdata_100.dat
+ 2009-11-18 22:42 . 2009-11-18 22:35 16384 c:\windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-06-20 19:08 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"cdloader"="c:\documents and settings\Fazela\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-14 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-11 282624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCANetwork"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Enable Labtec Wireless Desktop.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Enable Labtec Wireless Desktop.lnk
backup=c:\windows\pss\Enable Labtec Wireless Desktop.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=
"c:\\Documents and Settings\\Fazela\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57124:TCP"= 57124:TCP:Pando Media Booster
"57124:UDP"= 57124:UDP:Pando Media Booster
"57479:TCP"= 57479:TCP:Pando Media Booster
"57479:UDP"= 57479:UDP:Pando Media Booster
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 9:32 AM 15328]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [10/4/2009 2:33 AM 902592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/23/2009 8:44 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/23/2009 8:44 AM 59664]
R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [9/14/2008 3:44 PM 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [9/14/2008 3:44 PM 5248]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [12/14/2006 8:40 AM 12964]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 1:50 PM 9968]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\macrium reflect free\ReflectService.exe [8/6/2008 12:34 PM 216032]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/23/2009 8:44 AM 33552]
S1 SASKUTIL;SASKUTIL;\??\c:\superantispyware\SASKUTIL.sys --> c:\superantispyware\SASKUTIL.sys [?]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [9/23/2009 7:20 AM 17432]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [7/8/2008 1:39 PM 31712]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 1:50 PM 7408]
--- Other Services/Drivers In Memory ---
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netscape.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?e4b23bd0b5ec4cd1a429ca8bc7552c68
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?e4b23bd0b5ec4cd1a429ca8bc7552c68
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072}
FF - ProfilePath - c:\documents and settings\Fazela\Application Data\Mozilla\Firefox\Profiles\75umymae.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-11-18 18:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D19770]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf770ff10
\Driver\ACPI -> ACPI.sys @ 0xf7682cb8
\Driver\atapi -> 0x86d19770
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e19a
ParseProcedure -> ntoskrnl.exe @ 0x8057c74d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e19a
ParseProcedure -> ntoskrnl.exe @ 0x8057c74d
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf7390ba0
PacketIndicateHandler -> NDIS.sys @ 0xf739db21
SendHandler -> NDIS.sys @ 0xf737b87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1000)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
- - - - - - - > 'lsass.exe'(1056)
c:\program files\ThreatFire\TFWAH.dll
- - - - - - - > 'explorer.exe'(1992)
c:\program files\ThreatFire\TfWah.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\ThreatFire\TFService.exe
c:\windows\system32\wscntfy.exe
c:\documents and settings\Fazela\Application Data\mjusbsp\magicJack.exe
.
**************************************************************************
.
Completion time: 2009-11-18 18:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-18 23:26
ComboFix2.txt 2009-11-18 22:42
ComboFix3.txt 2009-11-11 23:08
ComboFix4.txt 2009-11-10 03:06
ComboFix5.txt 2009-11-18 23:00
Pre-Run: 353,664,356,352 bytes free
Post-Run: 353,605,791,744 bytes free
Current=4 Default=4 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 29B0120572D7A41D46E7B8156AA4D752