ComboFix removed something

by review_monster - 7/21/09 1:52 PM

Hi, I just formatted my computer and installed Windows XP Pro, and after a few driver installations and the SP3 download I noticed that my hard drive became very active and I would get lags sometimes. I scanned my whole PC with Avira: nothing. Scanned with Malwarebytes, and nothing. I installed and ran ComboFix and it removed some files, but it never explained what they were. Can someone tell me if my computer was in fact infected? Thanks.

ComboFix 09-07-20.05 - Ali 21/07/2009 16:45.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2897 [GMT -4:00]
Running from: d:\documents and settings\Ali\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\2c225d.msi
d:\windows\system32\d3d10core.dll
d:\windows\system32\Data
d:\windows\system32\kernel32new.dll
d:\windows\system32\msvcrtnew.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-21 to 2009-07-21 )))))))))))))))))))))))))))))))
.

2009-07-21 20:42 . 2008-03-09 11:25 236 ----a-w- d:\program files\Common Files\dx.reg
2009-07-21 20:39 . 2009-07-21 20:39 -------- d-----w- d:\documents and settings\Ali\Application Data\Malwarebytes
2009-07-21 20:39 . 2009-07-13 17:36 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-07-21 20:39 . 2009-07-21 20:39 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-21 20:39 . 2009-07-13 17:36 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-07-21 20:21 . 2009-07-21 20:34 -------- d--h--w- d:\windows\$hf_mig$
2009-07-21 20:21 . 2009-07-21 20:21 -------- d-----w- d:\windows\LastGood
2009-07-21 20:19 . 2009-07-21 20:44 -------- d-----w- d:\documents and settings\Ali\Application Data\Skype
2009-07-21 20:16 . 2009-07-21 20:16 -------- d-----w- d:\documents and settings\LocalService\Application Data\SACore
2009-07-21 20:16 . 2009-07-21 20:16 -------- d-----w- d:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-21 20:15 . 2009-07-21 20:15 -------- d-----w- d:\program files\Common Files\McAfee
2009-07-21 20:15 . 2009-07-21 20:18 -------- d-----w- d:\program files\McAfee
2009-07-21 20:15 . 2009-07-21 20:15 -------- d-----w- d:\documents and settings\All Users\Application Data\McAfee
2009-07-21 20:12 . 2009-07-21 20:12 -------- d-----w- d:\program files\Common Files\Adobe
2009-07-21 20:11 . 2009-07-21 20:11 -------- d-----w- d:\program files\NeoSmart Technologies
2009-07-21 20:11 . 2009-07-21 20:11 65250 ----a-w- d:\windows\BricoPackUninst.cmd
2009-07-21 20:10 . 2009-07-21 20:11 6110 ----a-w- d:\windows\BricoPackFoldersDelete.cmd
2009-07-21 20:10 . 2009-07-21 20:10 -------- d-----w- d:\windows\BricoPacks
2009-07-21 20:09 . 2009-07-21 20:09 -------- d-----w- d:\documents and settings\Ali\Application Data\Apple Computer
2009-07-21 20:07 . 2009-07-21 20:07 -------- d-----w- d:\documents and settings\All Users\Application Data\TEMP
2009-07-21 20:04 . 2009-07-21 20:14 -------- d-----w- d:\program files\NOS
2009-07-21 20:04 . 2009-07-21 20:14 -------- d-----w- d:\documents and settings\All Users\Application Data\NOS
2009-07-21 19:57 . 2009-07-21 19:57 664 ----a-w- d:\windows\system32\d3d9caps.dat
2009-07-21 19:56 . 2003-06-18 21:31 17920 ----a-w- d:\windows\system32\mdimon.dll
2009-07-21 19:55 . 2008-10-16 18:09 43544 ----a-w- d:\windows\system32\wups2.dll
2009-07-21 19:55 . 2009-07-21 19:55 -------- d-----w- d:\program files\Common Files\L&H
2009-07-21 19:55 . 2009-07-21 19:55 -------- d-----w- d:\program files\Microsoft.NET
2009-07-21 19:55 . 2009-07-21 19:55 -------- d-----w- d:\program files\Microsoft ActiveSync
2009-07-21 19:55 . 2009-07-21 19:55 -------- d-----w- d:\program files\Microsoft Works
2009-07-21 19:55 . 2009-07-21 19:55 -------- d-----w- d:\windows\SHELLNEW
2009-07-21 19:51 . 2009-07-21 19:51 -------- d-----w- d:\program files\uTorrent
2009-07-21 19:51 . 2009-07-21 19:51 -------- d-----w- d:\documents and settings\Ali\Application Data\uTorrent
2009-07-21 19:46 . 2009-07-21 19:46 0 ----a-w- d:\windows\nsreg.dat
2009-07-21 19:46 . 2009-07-21 19:46 -------- d-----w- d:\documents and settings\Ali\Local Settings\Application Data\Mozilla
2009-07-21 19:45 . 2009-07-21 19:45 -------- d-----w- d:\windows\system32\AGEIA
2009-07-21 19:45 . 2009-07-21 19:45 -------- d-----w- d:\program files\AGEIA Technologies
2009-07-21 19:45 . 2009-07-21 19:45 -------- d-----w- d:\program files\Common Files\Wise Installation Wizard
2009-07-21 19:44 . 2009-07-21 19:44 -------- d-----w- d:\windows\nview
2009-07-21 19:44 . 2009-01-15 12:19 453152 ----a-w- d:\windows\system32\nvudisp.exe
2009-07-21 19:44 . 2009-01-07 15:28 453152 ----a-w- d:\windows\system32\NVUNINST.EXE
2009-07-21 19:37 . 2009-07-21 19:37 -------- d-s---w- d:\documents and settings\Ali\UserData
2009-07-21 19:36 . 2009-07-21 19:36 -------- d--h--w- d:\windows\PIF
2009-07-21 19:35 . 2009-07-21 19:39 -------- d--h--w- d:\windows\system32\GroupPolicy
2009-07-21 19:33 . 2009-03-30 14:33 96104 ----a-w- d:\windows\system32\drivers\avipbb.sys
2009-07-21 19:33 . 2009-03-24 20:08 55640 ----a-w- d:\windows\system32\drivers\avgntflt.sys
2009-07-21 19:33 . 2009-02-13 16:29 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys
2009-07-21 19:33 . 2009-02-13 16:17 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys
2009-07-21 19:33 . 2009-07-21 19:33 -------- d-----w- d:\program files\Avira
2009-07-21 19:33 . 2009-07-21 19:33 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira
2009-07-21 19:28 . 2009-07-21 19:28 13104 ----a-w- d:\documents and settings\Ali\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-21 19:28 . 2009-07-21 19:55 -------- d-----w- d:\windows\system32\wbem\AutoRecover
2009-07-21 19:27 . 2009-07-21 19:27 -------- d-s---w- d:\windows\system32\Microsoft
2009-07-21 19:24 . 2009-07-21 19:24 -------- d-----w- d:\windows\ServicePackFiles
2009-07-21 19:23 . 2009-07-21 19:23 -------- d-----w- d:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 20:42 . 2009-07-21 20:42 2905 ----a-w- d:\windows\system32\unins000.dat
2009-07-21 20:42 . 2009-07-21 20:42 716153 ----a-w- d:\windows\system32\unins000.exe
2009-07-21 20:11 . 2002-08-29 01:41 218624 ----a-w- d:\windows\system32\uxtheme.dll
2009-07-21 20:09 . 2009-07-21 20:09 -------- d-----w- d:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-21 20:09 . 2009-07-21 20:09 -------- d-----w- d:\program files\iPod
2009-07-21 20:09 . 2009-07-21 20:08 -------- d-----w- d:\program files\Common Files\Apple
2009-07-21 20:09 . 2009-07-21 20:09 -------- d-----w- d:\documents and settings\All Users\Application Data\Apple Computer
2009-07-21 20:09 . 2009-07-21 20:09 -------- d-----w- d:\program files\Bonjour
2009-07-21 20:09 . 2009-07-21 20:09 -------- d-----w- d:\program files\QuickTime
2009-07-21 20:08 . 2009-07-21 20:08 -------- d-----w- d:\program files\Apple Software Update
2009-07-21 20:08 . 2009-07-21 20:08 -------- d-----w- d:\documents and settings\All Users\Application Data\Apple
2009-07-21 20:08 . 2009-07-21 20:08 86016 ----a-w- d:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-21 19:31 . 2009-07-21 19:30 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-07-21 19:30 . 2009-07-21 19:30 -------- d-----w- d:\program files\Creative
2009-07-21 19:30 . 2009-07-21 19:30 -------- d-----w- d:\program files\Common Files\InstallShield
2009-07-21 19:26 . 2009-07-21 19:26 106892 ----a-w- d:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
2009-07-21 19:26 . 2009-07-21 18:30 80007 ----a-w- d:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-07-21 18:35 . 2009-07-21 18:35 -------- d-----w- d:\program files\Intel
2009-07-21 18:35 . 2009-07-21 18:35 -------- d-----w- d:\program files\DIFX
2009-07-21 18:30 . 2009-07-21 18:30 -------- d-----w- d:\program files\microsoft frontpage
2009-07-21 18:27 . 2009-07-21 18:27 21640 ----a-w- d:\windows\system32\emptyregdb.dat
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- d:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="d:\windows\UpdReg.EXE" [2000-05-11 90112]
"diagent"="d:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2009-01-15 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= avnotify.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [7/21/2009 3:33 PM 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;d:\program files\McAfee\SiteAdvisor\McSACore.exe [7/21/2009 4:15 PM 210216]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BITS
.
Contents of the 'Scheduled Tasks' folder

2009-07-21 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Ali\Application Data\Mozilla\Firefox\Profiles\65r5g587.default\
FF - component: d:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 16:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-21 16:47
ComboFix-quarantined-files.txt 2009-07-21 20:47

Pre-Run: 41,366,032,384 bytes free
Post-Run: 37,962,137,600 bytes free

207 --- E O F --- 2009-07-21 20:21