My ComboFix Report
Running ComboFix was a harrowing experience! I did not realize it would take over my machine. It would be helpful for newbies to know that there are 50 stages to the scan, to give us an idea of how far along the scans are. I used your link to download it.
Two kinds of errors occurred during the running of ComboFix: near the beginning, I got at least 2 messages saying that ThreatFire was still running, and I needed to turn it off. This was after I uninstalled ThreatFire (I thought). I just overrode the warning. The second error occurred while the multi-stage scan was running. I got the following Windows message 3 times:
Registry Editor error
App Name: regt.cfxxe
App Ver: 5.1.2600.5512
Mod Name: a2hooks32.dll
Mod Ver: 5.0.0.91
Offset: 00002c57
(I think this file is connected to my Emsisoft Anti-Malware program. I have since been able to update and run a quick scan with it, but I am not sure if it was damaged or not.)
The ComboFix scan continued to run, however. It also updated my Windows Recovery Console module.
Here is the log report:
ComboFix 11-06-29.06 - Karen 06/29/2011 22:36:14.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.719 [GMT -4:00]
Running from: c:\documents and settings\Karen\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ThreatFire *Enabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Karen\g2mdlhlpx.exe
c:\documents and settings\Karen\GoToAssistDownloadHelper.exe
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-30 )))))))))))))))))))))))))))))))
.
.
2011-06-30 02:04 . 2011-06-30 02:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2011-06-27 23:09 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-27 23:09 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 17:07 . 2011-06-19 17:07 -------- d-----w- c:\program files\Macrium
2011-06-19 16:47 . 2011-06-19 16:47 388096 ----a-r- c:\documents and settings\Karen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-17 02:25 . 2011-06-17 02:26 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-08 03:10 . 2011-06-08 03:10 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2011-06-08 03:09 . 2011-06-08 03:09 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
2011-06-08 03:09 . 2011-06-08 03:09 45208 ----a-w- c:\windows\system32\drivers\psmounter.sys
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 02:04 . 2010-05-24 02:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-28 22:39 . 2011-05-19 20:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-20 00:10 . 2010-04-05 20:33 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-10 15:46 . 2010-06-01 23:00 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-05-04 22:39 . 2010-06-01 23:00 284744 ----a-w- c:\windows\system32\guard32.dll
2011-05-04 22:39 . 2010-06-01 23:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-04 22:39 . 2010-06-01 23:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-05-04 22:39 . 2010-06-04 15:55 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-02 15:31 . 2008-03-17 19:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 04:56 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2007-01-31 22:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2007-01-31 22:27 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 04:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 16:11 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 12:01 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 03:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-11 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
.
c:\documents and settings\Karen\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-04 23:12 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Karen^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
2006-11-21 12:27 106496 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxcttime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"wltrysvc"=2 (0x2)
"Fax"=2 (0x2)
"gupdate"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera9.64\\opera.exe"=
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [6/7/2011 11:09 PM 16024]
R1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [7/25/2010 9:37 PM 41928]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [7/25/2010 9:37 PM 11776]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 29400]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/14/2009 2:22 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 67656]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [7/25/2010 9:37 PM 2978720]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/24/2009 3:02 PM 136360]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [6/7/2011 11:09 PM 220824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;gupdate;c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 2:15 AM 136176]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [7/25/2010 9:37 PM 73728]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/17/2008 6:25 PM 92550]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 12872]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [5/31/2009 3:08 PM 987648]
S3 VSTHWICH;VSTHWICH;c:\windows\system32\drivers\VSTICH3.SYS [5/31/2009 3:08 PM 242176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-02-27 16:28]
.
2011-06-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-04 16:14]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: Interfaces\{409FFF59-F53C-4044-B8A3-B561A6C73769}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{518C03EA-FDDF-4B78-B1D6-B4EAB72AF430}: NameServer = 156.154.70.22,156.154.71.22
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
MSConfigStartUp-dlccmon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-06-29 23:08
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1060284298-1993962763-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\guard32.dll
.
Completion time: 2011-06-29 23:11:59
ComboFix-quarantined-files.txt 2011-06-30 03:11
.
Pre-Run: 57,329,569,792 bytes free
Post-Run: 57,400,725,504 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B19D69A08F80476E5000A42AFC177A05
Next will be my ESET online scan results.
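Added example for readers triaging a log like the one above (not the poster's code and not part of ComboFix): a small Python parser for two of the record types ComboFix prints, the `R0/R1/R2/S2/S3` service-and-driver lines and the `Files Created` / `Find3M` file lines, plus a handful of location heuristics of the kind an analyst applies before asking about any individual entry. The sample input is copied from the log above, except for one service line marked CONSTRUCTED that exists only to exercise the "binary outside trusted roots" rule. The heuristics, the `triage_*` function names and the trusted-root list are assumptions, not ComboFix verdicts; the two timestamp columns are kept as opaque strings because ComboFix keys each section on a different column.

```python
"""Parse ComboFix service/driver and file lines and apply simple triage heuristics.

Added example, not ComboFix's own code. The regexes follow the line shapes visible
in the log; the flags are reviewer heuristics (assumptions), not malware verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "R1 name;description;path [M/D/YYYY H:MM AM size]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]+?)\s+(?P<size>\d+)\]\s*$"
)
# "YYYY-MM-DD HH:MM . YYYY-MM-DD HH:MM size attrs path"  (size is "--------" for directories)
FILE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<ts2>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+?)\s*$"
)
BARE_PATH_RE = re.compile(r"^[a-z]:\\", re.I)            # e.g. the "Other Deletions" list
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.+?)\s*$')

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")   # assumption: usual install roots on XP
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.(exe|dll|scr|com)$", re.I)
TMP_DLL_RE = re.compile(r"^c:\\windows\\system32\\_\d+_\.tmp\.dll$", re.I)


@dataclass
class ServiceEntry:
    start: str   # R = running, S = stopped; digit = start type (0 boot, 1 system, 2 auto, 3 demand)
    name: str
    desc: str
    path: str
    size: int


@dataclass
class FileEntry:
    ts1: str              # first timestamp column, as printed
    ts2: str              # second timestamp column, as printed
    size: Optional[int]   # None for directory entries
    attrs: str
    path: str


def parse_service(line: str) -> Optional[ServiceEntry]:
    m = SERVICE_RE.match(line)
    return ServiceEntry(m["start"], m["name"], m["desc"], m["path"], int(m["size"])) if m else None


def parse_file(line: str) -> Optional[FileEntry]:
    m = FILE_RE.match(line)
    if not m:
        return None
    size = int(m["size"]) if m["size"].isdigit() else None
    return FileEntry(m["ts1"], m["ts2"], size, m["attrs"], m["path"])


def triage_path(path: str) -> List[str]:
    """Location heuristics for any path (assumptions; they justify a question, not a verdict)."""
    p = path.lower()
    flags = []
    if PROFILE_ROOT_RE.match(p):
        flags.append("executable sitting directly in a user-profile root")
    if TMP_DLL_RE.match(p):
        flags.append("temp-named DLL in system32")
    return flags


def triage_service(svc: ServiceEntry) -> List[str]:
    """Services and drivers are expected under the trusted roots; anything else is worth a question."""
    flags = triage_path(svc.path)
    if not svc.path.lower().startswith(TRUSTED_ROOTS):
        flags.append("service binary outside windows/program files")
    return flags


def appinit_dlls(lines) -> List[str]:
    """AppInit_DLLs is a load-into-every-user32-process hook; return its entries (split on space/comma)."""
    for line in lines:
        m = APPINIT_RE.match(line.strip())
        if m and m["value"].strip():
            return [v for v in re.split(r"[,\s]+", m["value"].strip()) if v]
    return []


def triage_log(text: str) -> dict:
    services, files, bare_paths, findings = [], [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (svc := parse_service(line)):
            services.append(svc)
            findings += [(svc.path, f) for f in triage_service(svc)]
        elif (fe := parse_file(line)):
            files.append(fe)
            findings += [(fe.path, f) for f in triage_path(fe.path)]
        elif BARE_PATH_RE.match(line):
            bare_paths.append(line)
            findings += [(line, f) for f in triage_path(line)]
    for dll in appinit_dlls(text.splitlines()):
        findings.append((dll, "AppInit_DLLs entry: loaded into every user32 process; confirm the vendor"))
    return {"services": services, "files": files, "bare_paths": bare_paths, "findings": findings}


# Sample input: lines copied from the log above, plus one CONSTRUCTED service line (not from the log).
SAMPLE_LOG = r"""
c:\documents and settings\Karen\g2mdlhlpx.exe
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\regobj.dll
2011-06-30 02:04 . 2011-06-30 02:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
"AppInit_DLLs"=c:\windows\system32\guard32.dll
R1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [7/25/2010 9:37 PM 41928]
S2 gupdate;gupdate;c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 2:15 AM 136176]
R2 example_svc;CONSTRUCTED example, not from the log;c:\temp\example.exe [1/1/2011 1:00 AM 1234]
"""

if __name__ == "__main__":
    for path, flag in triage_log(SAMPLE_LOG)["findings"]:
        print(f"{flag}: {path}")
```

Run over the sample it raises four questions: the two "Other Deletions" entries that live in a profile root and under a temp-style name in system32, the constructed service outside the trusted roots, and the `AppInit_DLLs` value, which the log's own service list attributes to COMODO (`guard32.dll` sits next to the `cmdGuard`/`cmdHlp` drivers) and which the reader should confirm rather than take on faith. Lines the parser does not recognise (registry keys, scheduled tasks, the catchme section) are simply skipped, so it can be pointed at a whole log.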