ComboFix Log
I ran ComboFix as sunday.exe. Once it began, it yet again complained that ThreatFire and Avira AntiVir were running, even though ThreatFire has been deleted, and I ran Safe Mode without networking (AntiVir not on).
Here is the log:
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.803 [GMT -4:00]
Running from: c:\documents and settings\Karen\Desktop\sunday.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ThreatFire *Enabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
.
.
2011-06-30 02:04 . 2011-06-30 02:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2011-06-27 23:09 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-27 23:09 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 17:07 . 2011-06-19 17:07 -------- d-----w- c:\program files\Macrium
2011-06-19 16:47 . 2011-06-19 16:47 388096 ----a-r- c:\documents and settings\Karen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-17 02:25 . 2011-06-17 02:26 -------- d-----w- c:\program files\Common Files\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-10 02:35 . 2011-05-19 20:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-05 02:05 . 2009-05-24 19:02 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-05 02:05 . 2009-05-24 19:02 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-30 08:38 . 2010-06-01 23:00 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-06-30 08:38 . 2010-06-01 23:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-06-30 08:38 . 2010-06-04 15:55 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-06-30 08:38 . 2010-06-01 23:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-06-30 08:37 . 2010-06-01 23:00 285256 ----a-w- c:\windows\system32\guard32.dll
2011-06-30 02:04 . 2010-05-24 02:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-20 00:10 . 2010-04-05 20:33 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-08 03:10 . 2011-06-08 03:10 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2011-06-08 03:09 . 2011-06-08 03:09 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
2011-06-08 03:09 . 2011-06-08 03:09 45208 ----a-w- c:\windows\system32\drivers\psmounter.sys
2011-06-02 14:02 . 2007-01-31 22:25 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2008-03-17 19:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 04:56 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2007-01-31 22:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2007-01-31 22:25 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2004-08-04 04:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-25 16:11 . 2007-01-31 22:27 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 04:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 16:11 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 12:01 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 03:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-01 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-06-30 2554696]
.
c:\documents and settings\Karen\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-04 23:12 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Karen^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
2006-11-21 12:27 106496 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxcttime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"wltrysvc"=2 (0x2)
"Fax"=2 (0x2)
"gupdate"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera9.64\\opera.exe"=
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [6/7/2011 11:09 PM 16024]
S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [7/25/2010 9:37 PM 41928]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [7/25/2010 9:37 PM 11776]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 242600]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 29400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/14/2009 2:22 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 67656]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [7/25/2010 9:37 PM 2978720]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/24/2009 3:02 PM 136360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;gupdate;c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 2:15 AM 136176]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [6/7/2011 11:09 PM 220824]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [7/25/2010 9:37 PM 73728]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/17/2008 6:25 PM 92550]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 12872]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [5/31/2009 3:08 PM 987648]
S3 VSTHWICH;VSTHWICH;c:\windows\system32\drivers\VSTICH3.SYS [5/31/2009 3:08 PM 242176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-14 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-02-27 16:28]
.
2011-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-04 16:14]
.
2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
.
2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{409FFF59-F53C-4044-B8A3-B561A6C73769}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{518C03EA-FDDF-4B78-B1D6-B4EAB72AF430}: NameServer = 156.154.70.22,156.154.71.22
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-07-13 21:33
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1060284298-1993962763-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(220)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
Completion time: 2011-07-13 21:36:34
ComboFix-quarantined-files.txt 2011-07-14 01:36
ComboFix2.txt 2011-06-30 03:12
.
Pre-Run: 58,418,487,296 bytes free
Post-Run: 58,405,531,648 bytes free
.
- - End Of File - - 6BDAB9C9B9D1804FF313A46335B2F00A