Facebook Trojan Part II

Post by jg66 » April 12th, 2010, 7:56 am

Hi, I was away for Easter break and have found my previous thread ended.
I have run ComboFix and will post the log below:

ComboFix 10-04-11.03 - Craig Steele 12/04/2010 20:39:19.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2079 [GMT 10:00]
Running from: c:\documents and settings\Craig Steele\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Craig Steele\Application Data\inst.exe
c:\documents and settings\Craig Steele\Local Settings\Temporary Internet Files\EeTlAD.jpg
c:\documents and settings\Craig Steele\Local Settings\Temporary Internet Files\g2vcw4.jpg
c:\documents and settings\Craig Steele\Local Settings\Temporary Internet Files\WbhLAPuq8.jpg
c:\documents and settings\Craig Steele\Local Settings\Temporary Internet Files\y6woXBFh7.jpg
c:\windows\system\oeminfo.ini
c:\windows\system32\Data
c:\windows\system32\download
c:\windows\system32\download\ispinfo.csv

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-09 09:46 . 2010-04-09 09:46 -------- d-----w- c:\documents and settings\Craig Steele\Application Data\Media Player Classic
2010-03-22 12:53 . 2010-03-22 12:53 -------- d-----w- c:\program files\Trend Micro
2010-03-22 12:06 . 2010-03-22 12:06 -------- d-----w- c:\documents and settings\Craig Steele\Application Data\Malwarebytes
2010-03-22 12:06 . 2010-01-07 06:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-22 12:06 . 2010-03-22 12:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 12:06 . 2010-03-22 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-22 12:06 . 2010-01-07 06:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 11:56 . 2010-03-22 11:56 -------- d-----w- c:\program files\ERUNT
2010-03-21 09:58 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-21 09:58 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-21 09:58 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-21 09:58 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-21 09:58 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-21 09:58 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-21 09:58 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-21 09:58 . 2010-03-09 11:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-21 09:58 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-21 09:57 . 2010-03-21 09:57 -------- d-----w- c:\program files\Alwil Software
2010-03-21 09:57 . 2010-03-21 09:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-20 23:52 . 2010-03-21 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-03-20 23:52 . 2010-03-21 00:34 -------- d-----w- c:\documents and settings\Craig Steele\Local Settings\Application Data\avG
2010-03-14 20:13 . 2010-03-14 20:13 -------- d-----w- c:\documents and settings\Craig Steele\Application Data\Office Genuine Advantage
2010-03-14 20:13 . 2010-03-14 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-13 23:15 . 2010-03-14 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2010-03-13 23:14 . 2010-03-14 06:49 -------- d-----w- c:\program files\Alawar
2010-03-13 22:02 . 2009-08-06 09:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-13 22:02 . 2009-08-06 09:23 215920 ----a-w- c:\windows\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 19:58 . 2009-12-05 02:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-14 10:52 . 2010-03-14 10:52 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-28 07:25 . 2010-02-28 07:25 -------- d-----w- c:\program files\Safari
2010-02-28 07:23 . 2004-09-23 09:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-28 07:09 . 2010-02-28 07:07 -------- d-----w- c:\program files\iTunes
2010-02-28 07:07 . 2010-02-28 07:07 -------- d-----w- c:\program files\iPod
2010-02-28 07:07 . 2008-03-25 09:53 -------- d-----w- c:\program files\Common Files\Apple
2010-02-28 07:03 . 2010-02-28 07:03 -------- d-----w- c:\program files\Bonjour
2010-02-28 07:02 . 2010-02-28 07:02 -------- d-----w- c:\program files\QuickTime
2010-02-28 06:13 . 2008-08-07 06:51 -------- d-----w- c:\program files\Nokia
2010-02-28 05:59 . 2005-03-13 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-02-28 05:26 . 2007-12-16 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-02-28 05:22 . 2007-12-16 09:56 -------- d-----w- c:\program files\Canon
2010-02-28 05:21 . 2007-12-16 10:10 -------- d-----w- c:\documents and settings\Craig Steele\Application Data\Canon
2010-02-22 11:28 . 2004-09-23 09:19 -------- d-----w- c:\program files\Common Files\Real
2010-02-22 11:26 . 2005-09-09 23:37 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-02-22 11:23 . 2004-09-23 09:17 -------- d-----w- c:\program files\Sonic
2010-02-21 10:34 . 2005-05-06 09:19 -------- d-----w- c:\program files\DivX
2010-02-21 10:32 . 2005-05-06 09:19 -------- d-----w- c:\program files\Google
2010-02-21 10:26 . 2006-06-09 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-21 10:16 . 2008-06-07 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\EdAlive
2010-02-19 03:24 . 2010-02-19 03:24 -------- d-----w- c:\documents and settings\Craig Steele\Application Data\Facebook
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-03 4800512]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2004-07-01 53248]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-14 1838592]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe" [2009-11-30 240472]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-17 177472]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-28 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-9-23 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [21/03/2010 7:58 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [21/03/2010 7:58 PM 19024]
S2 gupdate1c9be7c80c6bca0;Google Update Service (gupdate1c9be7c80c6bca0);c:\program files\Google\Update\GoogleUpdate.exe [16/04/2009 8:16 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 10:16]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 10:16]

2010-04-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]

2010-04-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 12:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{511131f1-4629-4254-a85f-ed7b6d75dd3c} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)
AddRemove-AnswerWorks - c:\program files\WexTech\AnswerWorks\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 20:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2800)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\System32\MsPMSPSv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2010-04-12 21:00:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 11:00

Pre-Run: 35,382,894,592 bytes free
Post-Run: 38,901,731,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 097C80A3B6B53CC9816FF2BF9C78F3E0

Re: Facebook Trojan Part II

Post by NonSuch » April 13th, 2010, 2:10 am

You cannot continue an archived topic. Follow the instructions you were given in your prior topic to start a new topic with a fresh HijackThis log and wait for a new helper. You may include your ComboFix log as long as you can put everything in one post.

This topic is now closed.