Alright, F-Secure declared it clean, and I burned the disk as suggested, then ran ComboFix. ComboFix immediately found a number of problems, and while it was running, F-Secure came to life announcing it had found one too. I tried unsuccessfully to let ComboFix download and install the "Windows Recovery Console", but it said the machine was not connected to the internet (it is). I let ComboFix finish running, then tried the internet again, and now I am here on her machine. I will post the ComboFix log, and I suppose I should run ComboFix again to try and get the "Windows Recovery Console" installed. Comments on that?
ComboFix Log
ComboFix 11-05-06.03 - user 07/05/2011 2:58.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.2.1033.18.2047.1612 [GMT -4:00]
Running from: d:\utilities\ComboFix\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\WINDOWS
c:\program files\INSTALL.LOG
C:\Thumbs.db
c:\windows\start.exe
c:\windows\system32\Thumbs.db
c:\windows\Web\default.htt
.
.
c:\windows\system32\qmgr.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))
.
.
2011-05-05 02:44 . 2011-05-05 02:44 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-05-05 02:43 . 2011-05-05 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-05 02:43 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 02:43 . 2010-12-20 22:08 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-19 16:36 . 2011-04-19 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2011-04-19 16:11 . 2011-04-19 16:36 -------- d--h--w- c:\documents and settings\user\Application Data\iWin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-04-01 02:17 . 2007-12-14 07:44 40960 ------w- c:\program files\Uninstall_CDS.exe
.
.
------- Sigcheck -------
.
.
.
[-] 2004-07-09 08:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\SYSTEM32\d3d9.dll
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2002-08-29 06:41 8336384 ----a-w- c:\windows\SYSTEM32\shell32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-25 344064]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 191488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2005-10-26 122929]
"F-Secure TNB"="c:\program files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 32768]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
emesene.lnk - c:\program files\emesene\emesene.exe [2010-7-20 67584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 32768]
F-Secure Automatic Update.lnk - c:\program files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2010-9-3 32807]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Reboot.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Disabled Startup Items\Reboot.exe
backup=c:\windows\pss\Reboot.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2004-11-25 04:27 32768 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-29 06:41 1511453 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
2005-04-23 05:34 329216 ---ha-w- d:\utilities\Registry First Aid\RFA\rfagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 16:00 3072 ----a-w- c:\windows\SYSTEM32\systray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NOMAD Detector"="c:\program files\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
"PowerBar"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Tweak UI"=RUNDLL32.EXE c:\windows\SYSTEM32\TWEAKUI.CPL,TweakMeUp
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CTAVTray"=c:\program files\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
"Creative Launcher"=c:\program files\Creative\SBLive\Launcher\CTLauncher.exe
"rfagent"=d:\utilities\REGISTRY FIRST AID\RFA\rfagent.exe
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Disc Detector"=c:\program files\Creative\ShareDLL\CtNotify.exe
"devldr16.exe"=c:\windows\SYSTEM32\DEVLDR16.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NPROTECT"=d:\utilities\Norton\N Utilities 2000\Norton Utilities\NPROTECT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE
"ATIPOLL"=ati2evxx.exe
"DkService"=d:\utilities\Disk Keeper\DkService.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\F-Secure\\BackWeb\\7681197\\Program\\F-Secure Automatic Update.exe"= c:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe
.
R0 FSFW;F-Secure Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fsdfw.sys [03/09/2010 10:54 PM 70896]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;c:\progra~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [03/09/2010 10:54 PM 32807]
R2 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\FSfilter.sys [03/09/2010 10:54 PM 48816]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\win2k\fsgk.sys [03/09/2010 10:54 PM 48256]
R2 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\FSrec.sys [03/09/2010 10:54 PM 16720]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ----a-w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: Win32 Classes
.
.
------- File Associations -------
.
inifile=c:\windows\NOTEPAD.EXE %1
txtfile=c:\windows\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Norton Utilities - d:\utilities\Norton\N Utilities 2000\Norton Utilities\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-05-07 03:10
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A???????B???@???@?? C???????@?????????@?B???A???????A?p?????B???@?????P?????@? ???????U\?w??????????@???????????????????B?????|?????????????????????????????B
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(396)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(452)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(3684)
c:\docume~1\user\LOCALS~1\Temp\IadHide5.dll
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Common\FSMB32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Common\FCH32.EXE
c:\program files\F-Secure\Common\FAMEH32.EXE
c:\program files\F-Secure\Anti-Virus\fsqh.exe
c:\program files\F-Secure\Anti-Virus\fsrw.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\F-Secure\Common\FNRB32.EXE
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\program files\F-Secure\Common\FIH32.EXE
c:\windows\System32\wbem\wmiapsrv.exe
c:\windows\System32\devldr32.exe
c:\program files\CREATIVE\SHAREDLL\MEDIADET.EXE
c:\program files\F-Secure\Anti-Virus\fsav32.exe
c:\progra~1\F-Secure\ANTI-S~1\fsaw.exe
c:\program files\F-Secure\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2011-05-07 03:16:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-07 07:16
.
Pre-Run: 9,903,866,368 bytes free
Post-Run: 10,469,318,144 bytes free
.
- - End Of File - - EB1EFDD1A290DEBC909BAA98FDEE7A70