I think I'm almost finished :D

This ComboFix is a real pain in the ass, 3 hours lol

ComboFix 10-03-07.02 - natalie ziade 03/07/2010  22:18:59.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1014.337 [GMT 2:00]
Running from: c:\documents and settings\natalie ziade\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HelpAssistant\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\natalie ziade\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\run.log
c:\windows\system32\Thumbs.db
c:\windows\system32\twain_32.dll

.
original MBR restored successfully !
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


(((((((((((((((((((((((((   Files Created from 2010-02-07 to 2010-03-07  )))))))))))))))))))))))))))))))
.

2010-03-07 18:05 . 2010-03-07 18:05	--------	d-----w-	c:\documents and settings\natalie ziade\Application Data\Malwarebytes
2010-03-07 18:05 . 2010-03-07 18:05	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 21:46 . 2007-10-13 01:10	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2010-03-07 21:42 . 2008-09-12 17:46	--------	d-----w-	c:\program files\SpeedBit Video Accelerator
2010-03-07 21:42 . 2008-04-14 17:58	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2010-03-07 20:09 . 2010-03-07 20:10	388608	----a-w-	c:\windows\system32\CF1953.exe
2010-03-07 20:09 . 2010-03-07 20:10	388608	----a-w-	c:\windows\system32\CF1950.exe
2010-03-07 19:47 . 2008-10-03 21:22	--------	d-----w-	c:\documents and settings\natalie ziade\Application Data\mIRC
2010-03-07 19:42 . 2008-10-03 21:22	--------	d-----w-	c:\program files\mIRC
2009-12-31 16:14 . 2004-08-04 12:00	352640	----a-w-	c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00	916480	----a-w-	c:\windows\system32\wininet.dll
2009-12-16 12:58 . 2007-10-12 21:32	343040	----a-w-	c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-04 12:00	33280	----a-w-	c:\windows\system32\csrsrv.dll
2009-12-10 17:20 . 2007-10-25 23:26	55200	----a-w-	c:\documents and settings\natalie ziade\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 18:55 . 2004-08-04 12:00	2180352	----a-w-	c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-03 22:59	2057728	----a-w-	c:\windows\system32\ntkrnlpa.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-09-12 66912]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-09-12 17:47	66912	----a-w-	c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 11:01	1230080	----a-w-	c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-09-12 3061248]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-13 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 88363]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 58984]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-10-18 100056]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-08-06 155648]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-09-12 2705008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"CamserviceDeluxe2"="c:\program files\Hercules\Deluxe Optical Glass\Camservice.exe" [2007-08-10 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-07-25 1067912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-12-23 569405]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 11:05	11952	----a-w-	c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Hercules\\Deluxe Optical Glass\\Station2.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/7/2009 4:45 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/7/2009 4:45 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/26/2009 10:05 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/26/2009 10:05 PM 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [9/22/2009 8:24 PM 54752]
R2 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [9/12/2008 7:47 PM 35584]
S3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [11/15/2008 5:57 PM 94720]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]

2010-03-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - natalie ziade.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-05-23 19:20]

2010-03-01 c:\windows\Tasks\WebReg Deskjet F4100 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-03-11 18:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\natalie ziade\Application Data\Mozilla\Firefox\Profiles\yw6cs91t.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
AddRemove-HijackThis - c:\documents and settings\natalie ziade\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 23:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?2?1?1??p???? ???B???????????????B? ?????? 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8629B270]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7620fc3
\Driver\ACPI -> 0x8629b270
\Driver\atapi -> atapi.sys @ 0xf742d7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
 ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
 ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x85e76330
 PacketIndicateHandler -> NDIS.sys @ 0xf7346b21
 SendHandler -> NDIS.sys @ 0xf733ad33
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1 
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1140)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\AGRSMMSG.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\HPQ\shared\hpqwmi.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\progra~1\SPEEDB~1\VideoAcceleratorEngine.exe
.
**************************************************************************
.
Completion time: 2010-03-08  00:01:59 - machine was rebooted
ComboFix-quarantined-files.txt  2010-03-07 22:01
ComboFix2.txt  2009-01-25 20:27

Pre-Run: 45,979,906,048 bytes free
Post-Run: 48,354,406,400 bytes free

- - End Of File - - 5CBA0229170771DE90B9E71BA1F6D1F5
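Two things in the "Reg Loading Points" section above deserve attention before anything gets reinstalled: the Windows Firewall `GloballyOpenPorts` list has four high inbound TCP ports (65533, 52344, 2479, 3246) all labelled just "Services", which is not something XP opens by itself, and Security Center monitoring is switched off for both Symantec products. The following added script (mine, not ComboFix's code and not from anyone in the thread) parses REGEDIT4-style output of the kind ComboFix prints and flags exactly those conditions. The sample text is copied from the log above; the `KNOWN_PORTS` table is an assumption about which named exceptions an XP SP2 box opens legitimately.

```python
import re

# Assumption: the only inbound ports an XP SP2 firewall opens legitimately under a
# well-known label. Anything else needs an explanation from the user or the installer.
KNOWN_PORTS = {3389: "Remote Desktop", 139: "NetBIOS Session Service", 445: "SMB",
               137: "NetBIOS Name Service", 138: "NetBIOS Datagram Service"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')


def parse_reg_export(text):
    """Parse REGEDIT4-style text (as ComboFix prints it) into {key: {value_name: raw_data}}.

    Lines that are neither a [key] nor a "name"=data pair (file stamps, lone dots) are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("data").strip()
    return sections


def triage(sections):
    """Return a list of (severity, message) for the firewall-policy and Security Center keys."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith(r"\globallyopenports\list"):
            for name, data in values.items():          # name is "port:proto", data "port:proto:label"
                port_s, proto = name.split(":", 1)
                port = int(port_s)
                label = data.rsplit(":", 1)[-1] if data else "(no label)"
                if port not in KNOWN_PORTS:
                    findings.append(("suspicious", f"inbound {port}/{proto} open, labelled '{label}'"))
                elif port == 3389:
                    findings.append(("review", f"{label} ({port}/{proto}) reachable from the network"))
        elif k.endswith(r"\authorizedapplications\list"):
            for name in values:                          # value name is the escaped program path
                path = name.replace("\\\\", "\\").lower()
                if not path.startswith(("c:\\program files\\", "%windir%\\", "c:\\windows\\")):
                    findings.append(("review", f"firewall exception for program outside Program Files: {path}"))
        elif r"security center\monitoring" in k:
            if values.get("DisableMonitoring", "").lower() == "dword:00000001":
                product = key.rsplit("\\", 1)[-1]
                findings.append(("review", f"Security Center monitoring disabled for {product}"))
    return findings


# Sample input: lines copied from the ComboFix log above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
'''


def triage_sample():
    return triage(parse_reg_export(SAMPLE))


if __name__ == "__main__":
    for severity, message in triage_sample():
        print(f"[{severity:>10}] {message}")
```

Run it against a saved ComboFix log and every unexplained "Services" port lands in the `suspicious` list; the `review` items (RDP exposed on a laptop, Security Center told to stop watching an outdated Norton) are the questions to ask the user before the reinstall.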
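The Gmer MBR detector output above is the most important part of the log: it found a copy of the MBR in sector 0x0950E4C1, "malicious code" three sectors later and a PE file at 0x0950E4DA. That layout is how Mebroot/Sinowal style bootkits work: the live MBR at LBA 0 is replaced by a loader stub, the partition table is left intact so Windows still boots, and the original MBR plus the kernel-mode payload are parked in unallocated sectors past the end of the last partition. The following added example (my code, not Gmer's tool and not from the thread) shows how to triage a raw disk image offline for that pattern: parse the partition table, start at the first sector no partition owns, and look for sectors that carry the live MBR's partition table with different boot code, and for sectors beginning with an MZ header. The disk image is constructed inline and is synthetic; sector numbers and the boot-code bytes in it are invented for the demonstration.

```python
import struct
import sys

SECTOR = 512
MBR_SIG = b"\x55\xaa"


def parse_mbr(mbr):
    """Split a 512-byte MBR into (boot_code, partition_table_bytes, partitions).

    Raises ValueError if the 0x55AA signature is missing.  Partition "end" is exclusive.
    """
    if len(mbr) != SECTOR or mbr[510:] != MBR_SIG:
        raise ValueError("not an MBR: missing 0x55AA signature")
    table = mbr[446:510]
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", table, i * 16)
        if ptype and count:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start": lba, "end": lba + count})
    return mbr[:440], table, parts


def scan_unallocated(image):
    """Triage the sectors past the last partition for bootkit artefacts.

    Returns a dict with the parsed partitions, the first LBA scanned, the LBAs of sectors
    that carry the live MBR's partition table plus 0x55AA (a stashed original MBR; the
    entry records whether its boot code differs from the live one), the LBAs of sectors
    that start with an MZ header, and how many unallocated sectors are not all zero.
    """
    mbr = image[:SECTOR]
    boot_code, table, parts = parse_mbr(mbr)
    scan_start = max((p["end"] for p in parts), default=1)
    result = {"partitions": parts, "scan_start": scan_start,
              "mbr_copies": [], "pe_headers": [], "nonzero_sectors": 0}
    zero = bytes(SECTOR)
    for lba in range(scan_start, len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec == zero:
            continue
        result["nonzero_sectors"] += 1
        if sec[510:] == MBR_SIG and sec[446:510] == table:
            result["mbr_copies"].append({"lba": lba, "boot_code_differs": sec[:440] != boot_code})
        elif sec[:2] == b"MZ":
            result["pe_headers"].append(lba)
    return result


def build_sample_image(total_sectors=4096):
    """Constructed (synthetic) disk image with the layout the log describes: an infected MBR
    at LBA 0, the original MBR stashed past the partition, loader bytes a few sectors later
    and a PE image further on.  All offsets and byte patterns are made up for the example."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2048) + bytes(48)  # one bootable NTFS partition

    def mbr_with(boot_code):
        return boot_code.ljust(440, b"\x90") + bytes(6) + table + MBR_SIG

    original_mbr = mbr_with(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")      # typical MS boot-code prologue
    infected_mbr = mbr_with(b"\xfa\x33\xc0\x8e\xd8\xbb\x01\x3e")  # hypothetical bootkit loader stub
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = infected_mbr
    image[3001 * SECTOR:3002 * SECTOR] = original_mbr
    image[3004 * SECTOR:3004 * SECTOR + 16] = b"\xeb\xfe" + b"\x90" * 14   # "malicious code" sector
    pe = b"MZ" + bytes(58) + struct.pack("<I", 0x80) + bytes(0x80 - 64) + b"PE\x00\x00"
    image[3025 * SECTOR:3025 * SECTOR + len(pe)] = pe
    return bytes(image)


def triage_sample():
    return scan_unallocated(build_sample_image())


def report(findings):
    """Gmer-style summary with hex sector numbers."""
    lines = [f"scan started at sector 0x{findings['scan_start']:08X} (first sector past the last partition)"]
    for c in findings["mbr_copies"]:
        tag = "boot code differs from live MBR" if c["boot_code_differs"] else "identical to live MBR"
        lines.append(f"copy of MBR has been found in sector 0x{c['lba']:08X} ({tag})")
    for lba in findings["pe_headers"]:
        lines.append(f"PE file found in sector 0x{lba:08X}")
    lines.append(f"{findings['nonzero_sectors']} non-zero unallocated sectors")
    return "\n".join(lines)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(report(scan_unallocated(image)))
```

Point it at an image taken with `dd` from a Linux boot CD (the approach mentioned later in the thread) rather than at the live disk: a running bootkit hooks the disk driver, which is exactly why the Gmer tool reports `called modules: ... >>UNKNOWN<<` and reads the MBR twice, once from user mode and once from the kernel. A stashed MBR whose partition table matches the live one but whose boot code differs is the tell; an all-zero unallocated region is what a clean disk usually looks like.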
ComboFix rarely takes such time; it normally takes around 2 to 10 minutes.

I have noticed you have AVG and Norton installed. It is better to uninstall them from Add/Remove Programs before attempting to install Avira AntiVir. And don't forget to turn System Restore off during your scan, to allow your antivirus to have full access to restore points and to be able to detect and delete infected points, if any.

After that, install CCleaner and clean your Temp folders; sometimes viruses and worms sit in your Temp folders and System Restore for regeneration, even after being detected and deleted from system files.

And I will mention it one more time: "Always scan in Safe Mode", NOT Normal Mode.

Hopefully things will work OK, good luck.
Thank you mate!

I used CCleaner. I must say, it is AWESOME. My PC is like 100 times faster :D


So, I think everything is fixed now?
Today I was fixing a virus (rootkit) on a Windows system that controls a huge, expensive machine.
After all attempts (McAfee, Kaspersky, AVG, and many other tools), I booted Linux with ntfs-3g and did everything manually in 2 clicks.
Did you install AntiVir? I think you should move on now to download, install, and update the free AntiVir anti-virus after removing your old anti-viruses like AVG and Symantec Norton.

Then disable System Restore, reboot and enter Safe Mode, then scan your drives and see the results.

Hopefully after that things will be better and the laptop will get cleaned.
sys-halt wrote: Did you install AntiVir? I think you should move on now to download, install, and update the free AntiVir anti-virus after removing your old anti-viruses like AVG and Symantec Norton.

Then disable System Restore, reboot and enter Safe Mode, then scan your drives and see the results.

Hopefully after that things will be better and the laptop will get cleaned.
Hmm, well no I haven't. I'm still unsure; I prefer buying a full version rather than downloading a 30-day trial. Are you sure it can be functional with a 30-day trial?



(btw so far you have been very helpful, I've got to thank you for the time you put in to help me, especially that you knew I was using a laptop lol)
There is a free version, not a 30-day trial; they have a free, fully functional version and you can update it. It is named "Avira AntiVir Personal - Free Antivirus".

Yes, I have seen HP Update in the process logs, so I figured that it is an HP laptop.

No need for thanks, have a good time scanning.
Padre wrote: get HijackThis, run it and post the output so we might help :)
I want to learn how to read HijackThis reports. Any good tutorials you know?
Weird, you got a clean HijackThis report. I noticed you have a process called explorer.EXE and not explorer.exe.

Try to search for it.
patrick wrote: Hmm, well no I haven't. I'm still unsure; I prefer buying a full version rather than downloading a 30-day trial. Are you sure it can be functional with a 30-day trial?
Avira is free for personal use, not trial.
It works great for me.
Is Avira better than Kaspersky Internet Security? I do not think so, but I'd like to get some insight from those who have experience with both...