Malware redirector

Post by localjohnny » March 2nd, 2010, 6:14 pm

Here is my ComboFix log, please help.


ComboFix 10-02-27.04 - johnglass 27/02/2010 13:39:40.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.2038.1097 [GMT -7:00]
Running from: c:\users\johnglass\Desktop\ComboFix.exe
AV: *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
SP: *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1917035585-2100144834-2150911557-500
c:\$recycle.bin\S-1-5-21-4255227170-3845029197-442413720-500
c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-27 20:51 . 2010-02-27 20:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-25 12:40 . 2010-01-23 08:05 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-25 12:39 . 2010-01-25 12:58 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-25 12:39 . 2010-01-25 12:58 472576 ----a-w- c:\windows\system32\secproc.dll
2010-02-25 12:39 . 2010-01-25 08:36 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-25 12:39 . 2010-01-25 08:36 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-25 12:39 . 2010-01-25 08:36 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-25 12:39 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-25 12:39 . 2010-01-25 12:58 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-25 12:39 . 2010-01-25 12:58 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-25 12:39 . 2010-01-25 12:56 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-02-25 12:30 . 2010-02-25 12:30 -------- d-----w- c:\windows\CheckSur
2010-02-24 04:20 . 2010-02-24 04:20 -------- d-----w- c:\users\johnglass\AppData\Roaming\HTML Executable
2010-02-24 03:58 . 2010-02-24 03:58 -------- d-----w- c:\users\johnglass\AppData\Local\Threat Expert
2010-02-24 03:20 . 2010-02-24 03:20 -------- d-----w- c:\program files\Adobe(0)
2010-02-22 13:26 . 2010-02-22 13:26 -------- d-----w- c:\program files\Trend Micro
2010-02-22 12:47 . 2010-02-22 12:49 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-20 19:55 . 2010-02-20 19:59 -------- d-----w- c:\users\johnglass\AppData\Roaming\BitDefender
2010-02-20 19:55 . 2010-02-20 20:36 -------- d-----w- c:\programdata\BitDefender
2010-02-20 19:55 . 2010-02-20 19:55 -------- d-----w- c:\program files\BitDefender
2010-02-20 19:50 . 2010-02-20 19:56 -------- d-----w- c:\program files\Common Files\BitDefender
2010-02-20 18:38 . 2010-02-20 18:38 -------- d-----w- c:\users\johnglass\AppData\Roaming\Malwarebytes
2010-02-20 18:38 . 2010-02-20 18:38 -------- d-----w- c:\programdata\Malwarebytes
2010-02-20 18:38 . 2010-02-20 18:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 16:09 . 2010-02-20 16:10 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-14 19:15 . 2010-02-14 19:15 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 14:29 . 2008-11-09 00:46 -------- d-----w- c:\programdata\Google Updater
2010-02-24 16:16 . 2009-10-02 21:44 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 06:13 . 2008-01-30 02:55 108816 ----a-w- c:\users\johnglass\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 04:41 . 2008-04-23 04:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-24 04:41 . 2007-12-24 17:55 -------- d-----w- c:\program files\WinTV
2010-02-24 04:41 . 2008-07-13 17:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-24 04:40 . 2010-01-01 18:24 -------- d-----w- c:\program files\Microsoft
2010-02-24 04:40 . 2009-11-18 05:46 -------- d-----w- c:\program files\QuickTime
2010-02-24 04:40 . 2008-09-18 03:40 -------- d-----w- c:\program files\Windows Live
2010-02-24 04:40 . 2007-11-27 17:38 -------- d-----w- c:\program files\Norton Internet Security
2010-02-24 04:40 . 2007-11-27 17:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-24 04:40 . 2007-12-24 17:58 -------- d-----w- c:\program files\HP
2010-02-20 20:39 . 2009-05-31 21:19 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-02-20 16:12 . 2008-11-09 00:46 -------- d-----w- c:\program files\Google
2010-02-20 16:10 . 2008-04-23 03:55 -------- d-----w- c:\program files\Lavasoft
2010-02-11 10:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-11 10:03 . 2008-01-30 02:46 -------- d-----w- c:\programdata\Microsoft Help
2010-02-08 03:11 . 2009-05-31 21:22 20 ---h--w- c:\programdata\PKP_DLdw.DAT
2010-01-20 11:10 . 2008-03-15 00:21 -------- d-----w- c:\users\johnglass\AppData\Roaming\LimeWire
2010-01-12 15:53 . 2008-02-20 19:21 -------- d-----w- c:\program files\Morpheus
2010-01-12 15:31 . 2009-03-29 17:12 680 ----a-w- c:\users\johnglass\AppData\Local\d3d9caps.dat
2010-01-01 18:26 . 2010-01-01 18:26 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-01-01 18:24 . 2010-01-01 18:24 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-01 18:17 . 2010-01-01 18:17 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-28 12:36 . 2010-02-10 11:47 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-10 11:47 1327616 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:34 . 2010-02-10 11:47 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:34 . 2010-02-10 11:47 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:34 . 2010-02-10 11:47 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:34 . 2010-02-10 11:47 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:33 . 2010-02-10 11:47 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:32 . 2010-02-10 11:47 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:30 . 2010-02-10 11:47 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:30 . 2010-02-10 11:47 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-18 12:52 . 2010-01-22 12:52 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48 . 2010-01-22 12:51 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 12:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:48 . 2010-01-22 12:51 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-12-18 12:46 . 2010-01-22 12:51 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 12:51 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 12:51 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-12-11 12:15 . 2010-02-10 11:47 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 12:15 . 2010-02-10 11:47 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:54 . 2010-02-10 11:47 3467848 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 20:54 . 2010-02-10 11:47 3502168 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:19 . 2010-02-10 11:47 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-12-08 17:58 . 2010-02-10 11:47 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 17:57 . 2010-02-10 11:47 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-12-08 04:14 . 2009-12-08 02:57 256 ----a-w- c:\windows\system32\pool.bin
2009-12-08 01:31 . 2009-12-08 01:15 26694 ----a-r- c:\users\johnglass\AppData\Roaming\Microsoft\Installer\{E9215042-291A-444B-8644-89888F367CD3}\BlackBerry.exe
2009-12-04 16:27 . 2010-02-10 11:47 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 16:27 . 2010-02-10 11:47 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-02-01 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2007-08-23 80896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-03 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-03 133656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [09/07/2009 10:01 AM 85008]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [09/07/2009 10:01 AM 25104]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [24/08/2007 9:07 PM 149864]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20070823.002\IDSvix86.sys [27/11/2007 10:41 AM 180272]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\System32\drivers\nwusbser2.sys [02/11/2007 3:41 PM 166144]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-02-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-09 18:00]

2010-02-27 c:\windows\Tasks\User_Feed_Synchronization-{86811CE2-FC35-4DCC-B9FD-4D40B6D98566}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send Using &MailTo - c:\program files\SnipIT\SnipIT\sendusingmailto.htm
IE: Send Using &Outlook - c:\program files\SnipIT\SnipIT\sendusingoutlook.htm
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/ ... module.exe
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://remote.legalaid.ab.ca/+CSCOL+/relayp.cab
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://remote.legalaid.ab.ca/+CSCOL+/cscopf.cab
FF - ProfilePath - c:\users\johnglass\AppData\Roaming\Mozilla\Firefox\Profiles\e9fc5kng.default\
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 13:52
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys >>UNKNOWN [0x8EE828C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82cdcd1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> ataport.SYS @ 0x806bf9c6
\Driver\iaStor -> iaStor.sys @ 0x807258d6
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x82595467
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x82595467
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\guard32.dll
.
Completion time: 2010-02-27 13:58:19
ComboFix-quarantined-files.txt 2010-02-27 20:58

Pre-Run: 154,213,879,808 bytes free
Post-Run: 156,251,627,520 bytes free

- - End Of File - - D0EA87052A15864379CC408FB9E69691

Re: Malware redirector

Post by NonSuch » March 2nd, 2010, 8:27 pm

ComboFix is not a tool that is intended to be used without the direct supervision of a qualified expert. To use ComboFix on your own is to court disaster for your computer. Please stop all attempts at self-fixes for your system's issues as that may only confuse the issue further and cause additional problems as well.

In order for us to help you it is necessary that you provide us with a HijackThis log. Please follow the guideline at the link below to start a new topic and post your HijackThis log. Also include your ComboFix log in the same post.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here: >Guideline for posting your HijackThis log<
