I had a rootkit problem. I run avast!, which kept raising virus alerts, and my Google searches were being hijacked (redirected). I have since run ComboFix and an avast! scan. Could somebody please look at my ComboFix log below and tell me whether the machine is clean or whether anything still needs to be removed?
ComboFix 09-10-06.03 - user 10/07/2009 5:28.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1317 [GMT 5.5:30]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 091006-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\cinlpxq.exe
c:\documents and settings\user\ejekyen.exe
c:\documents and settings\user\ggcfbwd.exe
c:\documents and settings\user\swhpbvf.exe
c:\documents and settings\user\vkog.exe
c:\recycler\S-1-5-21-0174406693-3686818400-174544345-7571
c:\recycler\S-1-5-21-1948418770-2003819997-031782307-5599
c:\recycler\S-1-5-21-1948418770-2003819997-031782307-5599\Desktop.ini
c:\recycler\S-1-5-21-1948418770-2003819997-031782307-5599\dllrun32.exe
c:\recycler\S-1-5-21-9187473010-7001570375-352415406-8987
c:\recycler\S-1-5-21-9414205167-6122663398-691217358-0887
c:\windows\ctfmon.exe
H:\Autorun.inf
I:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-06 23:56 . 2009-10-06 23:56 33440 ----a-w- c:\windows\system32\drivers\ucnxgmoq.sys
2009-10-06 22:10 . 2009-10-06 22:10 -------- d-----w- e:\program files\Sophos
2009-10-06 17:49 . 2009-10-06 17:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-06 17:44 . 2009-10-06 23:56 42496 ---h--w- c:\documents and settings\user\secupdat.dat
2009-09-30 16:58 . 2009-09-30 16:58 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\AOL
2009-09-30 16:58 . 2009-09-30 16:58 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-09-30 16:58 . 2009-10-04 18:50 -------- d-----w- c:\program files\Common Files\AOL
2009-09-25 19:03 . 2009-09-25 19:03 -------- d-----w- c:\documents and settings\user\Application Data\dvdcss
2009-09-11 19:56 . 2009-09-11 19:59 -------- d-----w- c:\windows\system32\NtmsData
2009-09-11 12:09 . 2009-09-11 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-09-11 07:11 . 2009-08-18 22:06 299008 ----a-w- c:\windows\system32\TubeFinder.exe
2009-09-11 07:11 . 2009-06-19 14:21 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
2009-09-11 07:11 . 2009-06-19 14:21 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-09-11 07:11 . 2009-06-19 14:21 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-09-11 07:11 . 2009-06-19 14:21 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-09-11 07:11 . 2009-09-11 07:19 -------- d-----w- e:\program files\Free FLV Converter
2009-09-11 07:11 . 2009-06-19 14:21 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-09-09 05:07 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 14:42 . 2009-09-07 14:42 -------- d-----w- c:\documents and settings\user\Application Data\TeamViewer
2009-09-07 14:42 . 2009-09-07 14:42 -------- d-----w- c:\documents and settings\user\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 21:27 . 2009-05-10 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-04 18:52 . 2009-03-26 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-04 16:23 . 2009-05-10 14:38 -------- d-----w- e:\program files\Spybot - Search & Destroy
2009-10-04 10:24 . 2009-05-14 20:32 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2009-08-25 06:05 . 2009-08-25 06:05 -------- d-----w- e:\program files\Common Files
2009-08-25 06:05 . 2009-08-25 06:05 -------- d-----w- e:\program files\Intel
2009-08-21 08:58 . 2009-08-21 08:58 -------- d-----w- e:\program files\WordWeb
2009-08-19 11:46 . 2009-08-19 11:46 17 ----a-w- c:\windows\popcinfo.dat
2009-08-19 11:44 . 2009-08-19 11:44 -------- d-----w- e:\program files\PopCap Games
2009-08-18 17:47 . 2009-08-18 17:46 -------- d-----w- c:\documents and settings\user\Application Data\TrueCrypt
2009-08-18 10:29 . 2009-08-18 10:29 217536 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-08-18 10:29 . 2009-08-18 10:29 -------- d-----w- e:\program files\TrueCrypt
2009-08-18 09:06 . 2009-08-18 09:06 -------- d-----w- c:\documents and settings\user\Application Data\Aptana
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 18:13 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2008-04-14 00:12 . 2004-08-04 12:00 1033728 --sh--r- c:\windows\explorer.exe
2008-04-14 00:12 . 2004-08-04 12:00 146432 --sh--r- c:\windows\regedit.exe
2008-04-14 00:12 . 2004-08-04 12:00 389120 --sha-r- c:\windows\system32\cmd.exe
2008-04-14 00:12 . 2004-08-04 12:00 135680 --sh--r- c:\windows\system32\taskmgr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="e:\program files\CCleaner\CCleaner.exe" [2009-09-24 1685816]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"PTHOSTTR"="e:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"CognizanceTS"="e:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-24 677144]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"googletalk"="e:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"atchk"="e:\program files\Intel\AMT\atchk.exe" [2007-04-10 404248]
c:\documents and settings\user\Start Menu\Programs\Startup\
MagicDisc.lnk.disabled [2009-5-21 557]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-03-14 00:33 74752 ----a-r- e:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 03:34 49152 ----a-r- c:\windows\system32\DeviceNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ucnxgmoq.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EtherDetect"=
"HttpDetect"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"e:\\Program Files\\MSN Messenger\\livecall.exe"=
"e:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Pocket Tanks Deluxe 1.3\\pockettanks.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"f:\\Installation Files\\wc3\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"f:\\Installation Files\\utorrent.exe"=
"e:\\Program Files\\Aptana\\Aptana Studio 1.2\\jre\\bin\\javaw.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [8/14/2007 5:59 PM 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 1:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [6/14/2007 4:22 PM 13184]
R0 ucnxgmoq;ucnxgmoq;c:\windows\system32\drivers\ucnxgmoq.sys [10/7/2009 5:26 AM 33440]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/29/2009 10:28 PM 114768]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [7/24/2007 8:21 AM 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [8/14/2007 5:59 PM 5840]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 5:30 PM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 5:30 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/29/2009 10:28 PM 20560]
R2 HpFkCryptService;Drive Encryption Service;e:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [9/6/2007 1:26 PM 221184]
R2 UNS;Intel(R) Active Management Technology User Notification Service;e:\program files\Intel\AMT\UNS.exe [8/25/2009 11:35 AM 1489688]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/24/2007 8:21 AM 44800]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [3/26/2009 10:19 AM 47616]
S2 UDisk Monitor;UDisk Monitor;e:\program files\ZTE High Speed Data MODEM\bin\MonServiceUDisk.exe [3/31/2009 12:19 PM 262144]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [3/27/2009 5:25 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [6/8/2007 9:06 AM 172131]
S3 gtxtwgdu;gtxtwgdu;\??\c:\windows\System32\Drivers\gtxtwgdu.sys --> c:\windows\System32\Drivers\gtxtwgdu.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 ngwrfmdg;ngwrfmdg;\??\c:\windows\System32\Drivers\ngwrfmdg.sys --> c:\windows\System32\Drivers\ngwrfmdg.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/15/2007 1:10 AM 34448]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [4/3/2009 12:21 AM 91392]
S3 qiogbnhu;qiogbnhu;\??\c:\windows\System32\Drivers\qiogbnhu.sys --> c:\windows\System32\Drivers\qiogbnhu.sys [?]
S3 vdvpxsjm;vdvpxsjm;\??\c:\windows\System32\Drivers\vdvpxsjm.sys --> c:\windows\System32\Drivers\vdvpxsjm.sys [?]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [3/31/2009 12:19 PM 104576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:04]
2009-10-04 c:\windows\Tasks\SmartDefrag.job
- e:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-05-11 12:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {04A414DA-B4BB-4404-8828-F130753216A3} = 203.122.63.152,203.122.63.154
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 05:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-343818398-412668190-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
e:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
e:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
e:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
e:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
e:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
e:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
e:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
e:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
e:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
e:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
e:\program files\Hewlett-Packard\IAM\Bin\STEngine.dll
e:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
e:\program files\Hewlett-Packard\IAM\Bin\ittalsnap.dll
e:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
c:\windows\system32\DeviceNP.dll
c:\windows\system32\basecsp.dll
c:\windows\system32\bcsprsrc.dll
- - - - - - - > 'lsass.exe'(1084)
c:\windows\SbHpNp.dll
e:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
e:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
- - - - - - - > 'explorer.exe'(1132)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\ati2evxx.exe
e:\program files\Alwil Software\Avast4\aswUpdSv.exe
e:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Intel\AMT\atchksrv.exe
e:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXTCS.exe
e:\program files\Intel\AMT\LMS.exe
c:\windows\system32\IfxPsdSv.exe
e:\program files\Alwil Software\Avast4\ashMaiSv.exe
e:\program files\Alwil Software\Avast4\ashWebSv.exe
e:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
e:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
e:\progra~1\HEWLET~1\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-10-07 5:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-07 00:08
Pre-Run: 17,195,024,384 bytes free
Post-Run: 17,166,503,936 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
278 --- E O F --- 2009-09-09 12:40