Hi
I have done all this now, but because my Symantec AV is an enterprise one I couldn't disable the realtime scanner before doing the combofix scan.
Here's the log:
ComboFix 09-10-28.08 - pwesthuiz 29/10/2009 15:54.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2038.1140 [GMT 0:00]
Running from: c:\documents and settings\pwesthuiz\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\3n8awsyg.exe
C:\autorun.inf
C:\b00ijwpu.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\hjvjte.exe
c:\temp\cvasds0.dll
c:\temp\cvasds1.dll
c:\windows\AegisP.inf
----- BITS: Possible infected sites -----
hxxp://as-ifh01
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.
2009-10-29 16:01 . 2009-10-29 16:01 53248 ----a-w- c:\temp\catchme.dll
2009-10-29 15:54 . 2009-10-29 15:54 -------- d-----w- c:\temp\WPDNSE
2009-10-28 21:22 . 2009-10-28 21:22 -------- d-----w- c:\program files\Trend Micro
2009-10-28 21:17 . 2009-10-29 12:14 -------- d-----w- c:\temp\hsperfdata_pwesthuiz
2009-10-28 21:17 . 2009-10-28 21:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 20:47 . 2009-10-28 20:47 -------- d-----w- c:\documents and settings\pwesthuiz\Application Data\Malwarebytes
2009-10-28 20:47 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 20:47 . 2009-10-28 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 20:47 . 2009-10-28 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 20:47 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 19:14 . 2009-10-28 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-28 19:14 . 2009-10-28 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-28 19:14 . 2009-10-28 19:14 -------- d-----w- c:\documents and settings\pwesthuiz\Application Data\SUPERAntiSpyware.com
2009-10-28 19:14 . 2009-10-28 19:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-28 19:00 . 2009-10-28 19:00 -------- d-----w- c:\temp\Google Toolbar
2009-10-28 18:53 . 2009-10-28 18:53 -------- d-----w- c:\program files\CCleaner
2009-10-27 04:14 . 2009-10-27 04:14 -------- d-----w- c:\documents and settings\pwesthuiz.Q16296.000\Local Settings\Application Data\Apple Computer
2009-10-27 04:14 . 2009-10-27 04:14 -------- d-----w- c:\documents and settings\pwesthuiz.Q16296.000\Application Data\FaxCtr
2009-10-27 04:14 . 2009-10-27 04:14 -------- d-----w- c:\documents and settings\pwesthuiz.Q16296.000\Application Data\Vodafone
2009-10-27 04:13 . 2008-01-30 14:27 67480 ----a-w- c:\documents and settings\pwesthuiz.Q16296.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 20:14 . 2009-10-13 20:15 -------- d-----w- c:\program files\QuickTime
2009-10-13 20:12 . 2009-10-13 20:12 32441648 ----a-w- C:\QuickTimeInstaller.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 04:38 . 2009-04-10 11:16 -------- d-----w- c:\documents and settings\pwesthuiz\Application Data\Chief Architect X1
2009-10-29 04:36 . 2008-01-29 14:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-28 22:10 . 2008-05-08 14:33 40 ----a-w- c:\windows\system32\profile.dat
2009-10-28 21:16 . 2008-05-16 21:39 -------- d-----w- c:\program files\Java
2009-10-28 15:58 . 2008-05-10 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-20 12:36 . 2008-06-08 06:42 -------- d-----w- c:\program files\TomTom HOME 2
2009-10-13 20:14 . 2008-09-28 15:43 -------- d-----w- c:\program files\Common Files\Apple
2009-09-25 14:42 . 2009-03-02 14:58 103720 ----a-w- c:\documents and settings\pwesthuiz\GoToAssistDownloadHelper.exe
2009-09-14 18:11 . 2009-09-14 18:11 -------- d-----w- c:\program files\PrintKey2000
2009-09-01 03:57 . 2009-09-01 03:57 -------- d-----w- c:\documents and settings\pwesthuiz\Application Data\FaxCtr
2009-08-31 16:36 . 2009-08-31 14:50 -------- d-----w- c:\program files\Lexmark Toolbar
2009-08-31 16:02 . 2009-08-31 14:53 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-08-31 15:05 . 2009-08-31 14:49 -------- d-----w- c:\program files\Lexmark 3600-4600 Series
2009-08-31 14:59 . 2009-08-31 14:59 -------- d-----w- c:\documents and settings\pwesthuiz\Application Data\Lexmark Productivity Studio
2009-08-31 14:55 . 2009-08-31 14:53 -------- d-----w- c:\program files\Lexmark Fax Solutions
2009-08-31 14:54 . 2009-08-31 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\FaxCtr
2009-08-24 20:21 . 2009-08-24 20:21 8278155 ----a-w- C:\MameUI32_0.133.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-10 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-06-03 251240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-07-31 65536]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 125168]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-07-04 2072576]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2008-03-24 78848]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-7-30 2158592]
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2008-5-8 73780]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-9-14 869376]
Shortcut to Bginfo.lnk - c:\program files\BGinfo\Bginfo.exe [2008-1-29 290816]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetworkConnections"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-261903793-839522115-16738\Scripts\Logon\0\0]
"Script"=creations_drive.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxamon.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\WINDOWS\\system32\\lxdxcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxlscn.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15/02/2007 17:00 26624]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [08/05/2008 14:35 136760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 BT Common Client;BT Common Client;c:\program files\BT Common Client\btomosrv.exe [01/07/2005 13:36 57344]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [08/05/2008 14:35 536634]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [31/08/2009 14:56 98984]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [27/09/2006 19:33 116464]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [08/05/2008 14:34 36188]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [07/02/2007 17:00 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [31/08/2009 16:54 102448]
S3 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\drivers\btwsp50.sys [07/09/2004 14:42 17664]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [02/11/2004 17:33 17536]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [10/03/2006 14:55 39424]
S3 Lotus Domino Server (LotusDominoData);Lotus Domino Server (LotusDominoData);c:\lotus\Domino\nservice.exe =c:\lotus\Domino\notes.ini --> c:\lotus\Domino\nservice.exe =c:\lotus\Domino\notes.ini [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 00:28 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 06:01 2799808]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 01:49 242712]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder
2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-10-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-10 14:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
mStart Page = hxxp://unicom
uInternet Settings,ProxyServer = ukisa01:8080
uInternet Settings,ProxyOverride = 88.96.69.213;hxxp://88.96.69.213;
http://147.2.*;147.2*;
http://147.2*;unicom.uniquk.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-10-29 16:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.netdevice: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.netdisk.sys @ 0xBA158000 0x8E00 bytes
\Driver\disk [ IRP_MJ_POWER ] 0xCD3F7EF3 != 0xA7EDBE21 aksfridge.sys
\Driver\disk IRP hooks detected !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1276)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-10-29 16:03
ComboFix-quarantined-files.txt 2009-10-29 16:03
Pre-Run: 17,157,853,184 bytes free
Post-Run: 17,206,132,736 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 7A5A6D09526018F22951FCF620ED672D