Done! Log below. Sorry about the delayed response. Lost the phone line so internet for a couple of days there!
ComboFix 11-04-09.01 - Nico 10/04/2011 13:14:31.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3066.1657 [GMT 10:00]
Running from: c:\users\Nico\Desktop\ComboFix.exe
Command switches used :: c:\users\Nico\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Nick\AppData\Local\isb.exe
.
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\atapi.sys
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))))))))))))))))))
.
.
2011-04-10 03:27 . 2011-04-10 03:27 -------- d-----w- c:\users\Nick\AppData\Local\temp
2011-04-10 03:27 . 2011-04-10 03:27 -------- d-----w- c:\users\Kahli\AppData\Local\temp
2011-04-10 03:27 . 2011-04-10 03:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-09 23:57 . 2011-04-09 23:57 -------- d-----w- C:\$AVG
2011-04-05 13:41 . 2011-04-05 13:41 -------- d-----w- c:\users\Nick\AppData\Roaming\AVG10
2011-04-05 12:03 . 2011-04-05 12:03 -------- d-----w- c:\users\Nico\AppData\Roaming\AVG10
2011-04-05 11:56 . 2011-04-10 02:27 -------- d-----w- c:\programdata\AVG10
2011-04-05 11:50 . 2011-04-05 11:54 -------- d-----w- c:\programdata\MFAData
2011-04-04 12:50 . 2011-04-04 12:50 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2011-04-04 09:33 . 2011-04-04 09:33 -------- d-----w- c:\users\Nico\AppData\Roaming\Malwarebytes
2011-04-04 09:32 . 2010-12-20 08:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 09:32 . 2011-04-04 09:32 -------- d-----w- c:\programdata\Malwarebytes
2011-04-04 09:32 . 2011-04-04 09:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 09:32 . 2010-12-20 08:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-02 01:10 . 2011-04-02 01:10 -------- d-----w- c:\program files\ERUNT
2011-04-01 01:49 . 2011-04-01 06:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-04-01 01:49 . 2011-04-01 01:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-30 01:28 . 2011-03-30 01:28 0 ----a-w- c:\users\Nico\AppData\Local\Bqudaheti.bin
2011-03-14 23:52 . 2011-03-14 23:52 -------- d--h--w- c:\programdata\Common Files
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"BitTorrent DNA"="c:\users\Nico\Program Files\DNA\btdna.exe" [2009-11-06 323392]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-12-18 4823928]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2010-05-11 3365176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 200704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-07-04 132392]
"VolPanel"="c:\program files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-12-09 237693]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"RunDLLEntry"="c:\windows\system32\AmbRunE.dll" [2008-12-17 14848]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-29 206064]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-05-07 380928]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-05-12 842816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\users\Nico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-5-22 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-31 1616976]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-5-29 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-21 17:14 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-23 136176]
R3 AVerBDA6x;AVerBDA6x service;c:\windows\system32\DRIVERS\AVerBDA716x.sys [2008-06-30 946048]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-05-21 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-05-21 79360]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-25 25832]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-06-29 112128]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2009-06-29 102912]
R3 KiesAllShare;SAMSUNG KiesAllShare Service;c:\program files\Samsung\Kies\WiselinkPro\WiselinkPro.exe [2010-05-04 9241088]
R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-01-21 21504]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2009-05-21 79360]
R3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\DRIVERS\sscebus.sys [2010-04-27 98560]
R3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\DRIVERS\sscemdfl.sys [2010-04-27 14848]
R3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\DRIVERS\sscemdm.sys [2010-04-27 123648]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2010-04-30 114688]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2010-04-30 105856]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-30 81920]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-10-16 1668344]
S2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2010-10-25 95568]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-05-01 217088]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-10-16 482176]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-06-16 29736]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-05-01 18136]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-05-01 36640]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-08-25 54784]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-08-25 203264]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-12-22 3662848]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2009-03-05 133632]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-03-08 280096]
S3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;c:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [2010-03-01 80000]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-23 13:22]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-23 13:22]
.
2011-04-10 c:\windows\Tasks\User_Feed_Synchronization-{2C51856B-4D1D-48FA-9CA5-E7AAC63B3AC1}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
2011-04-10 c:\windows\Tasks\User_Feed_Synchronization-{8D730D58-4F7E-4D86-BB66-BA7406A03946}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {D76D7126-4A96-11D3-BD95-D296DC2DD072} - hxxp://author.confirmit.com/confirm/cab/vsflex7u.cab
FF - ProfilePath - c:\users\Nico\AppData\Roaming\Mozilla\Firefox\Profiles\9seq52ff.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b86fb3d&v=6.103.018.001&i=23&tp=ab&iy=&ychte=au&lng=en-GB&q=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Winamp Toolbar: {0b38152b-1b20-484d-a11f-5e04a9b0661f} - %profile%\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-10 13:30
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\TEMP\GURBD74.tmp 0 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: Hitachi_HTS543232L9A300 rev.FB4OC40C -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 625142446 (+253): user != kernel
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1485968750-1344013887-993550356-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:99,b5,bc,2a,16,9f,08,4b,52,29,b9,39,0e,5e,4b,c7,6b,ca,eb,2d,ce,6b,d7,
cd,46,7b,95,3a,f5,07,0c,81,15,1a,da,99,1a,ec,97,20,6d,72,43,8e,88,4d,ba,e8,\
"??"=hex:68,9c,79,a4,4d,82,41,1b,b8,0d,7d,14,08,af,23,bd
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4664)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\windows\system32\btmmhook.dll
c:\program files\DigitalPersona\Bin\DpoSet.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\WerCon.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\System32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehsched.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-04-10 13:45:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-10 03:45
ComboFix2.txt 2011-04-05 09:54
.
Pre-Run: 119,232,651,264 bytes free
Post-Run: 119,009,587,200 bytes free
.
- - End Of File - - 8C1EE4A21AB8BC0D2D3F4ACD8135FC27