Malware Trace found (and removed?)

I searched the forum and found a post by someone who was also having trouble getting rid of Malware Trace. I printed and followed the instructions, I downloaded and ran ComboFix, and I think it worked. I will now be testing out my computer to be sure the symptoms don't recur. But the instructions also said I should post the log here so someone can review it to make sure all of it is gone. Please let me know. You guys are great. Thanks so much for what you do.

ComboFix 09-01-19.03 - Mike 2009-01-19 14:18:29.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.204 [GMT -8:00]

Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe

AV: Bitdefender Antivirus *On-access scanning disabled* (Outdated)

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: Bitdefender Firewall *disabled*

FW: McAfee Personal Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Mike\Start Menu\Programs\InternetGameBox

c:\documents and settings\Mike\Start Menu\Programs\InternetGameBox\Privacy Policy.lnk

c:\documents and settings\Mike\Start Menu\Programs\InternetGameBox\Terms and conditions.lnk

c:\documents and settings\Mike\Start Menu\Programs\InternetGameBox\Website.lnk

c:\windows\system32\_004248_.tmp.dll

c:\windows\system32\_004249_.tmp.dll

c:\windows\system32\_004250_.tmp.dll

c:\windows\system32\_004251_.tmp.dll

c:\windows\system32\_004258_.tmp.dll

c:\windows\system32\_004259_.tmp.dll

c:\windows\system32\_004260_.tmp.dll

c:\windows\system32\_004261_.tmp.dll

c:\windows\system32\_004262_.tmp.dll

c:\windows\system32\_004263_.tmp.dll

c:\windows\system32\_004264_.tmp.dll

c:\windows\system32\_004265_.tmp.dll

c:\windows\system32\_004266_.tmp.dll

c:\windows\system32\_004267_.tmp.dll

c:\windows\system32\_004268_.tmp.dll

c:\windows\system32\_004269_.tmp.dll

c:\windows\system32\_004270_.tmp.dll

c:\windows\system32\_004271_.tmp.dll

c:\windows\system32\_004272_.tmp.dll

c:\windows\system32\_004274_.tmp.dll

c:\windows\system32\_004277_.tmp.dll

c:\windows\system32\_004278_.tmp.dll

c:\windows\system32\_004282_.tmp.dll

c:\windows\system32\_004283_.tmp.dll

c:\windows\system32\_004284_.tmp.dll

c:\windows\system32\_004285_.tmp.dll

c:\windows\system32\_004286_.tmp.dll

c:\windows\system32\_004287_.tmp.dll

c:\windows\system32\_004288_.tmp.dll

c:\windows\system32\_004290_.tmp.dll

c:\windows\system32\_004291_.tmp.dll

c:\windows\system32\_004292_.tmp.dll

c:\windows\system32\_004293_.tmp.dll

c:\windows\system32\_004294_.tmp.dll

c:\windows\system32\_004295_.tmp.dll

c:\windows\system32\_004296_.tmp.dll

c:\windows\system32\_004297_.tmp.dll

c:\windows\system32\_004298_.tmp.dll

c:\windows\system32\_004299_.tmp.dll

c:\windows\system32\_004300_.tmp.dll

c:\windows\system32\_004301_.tmp.dll

c:\windows\system32\_004304_.tmp.dll

c:\windows\system32\_004305_.tmp.dll

c:\windows\system32\_004306_.tmp.dll

c:\windows\system32\_004308_.tmp.dll

c:\windows\system32\_004309_.tmp.dll

c:\windows\system32\_004310_.tmp.dll

c:\windows\system32\_004311_.tmp.dll

c:\windows\system32\_004312_.tmp.dll

c:\windows\system32\_004314_.tmp.dll

c:\windows\system32\_004317_.tmp.dll

c:\windows\system32\_004318_.tmp.dll

c:\windows\system32\_004322_.tmp.dll

c:\windows\system32\_004323_.tmp.dll

c:\windows\system32\_004325_.tmp.dll

c:\windows\system32\_004328_.tmp.dll

c:\windows\system32\_004330_.tmp.dll

c:\windows\system32\_004331_.tmp.dll

c:\windows\system32\_004332_.tmp.dll

c:\windows\system32\_004333_.tmp.dll

c:\windows\system32\_004336_.tmp.dll

c:\windows\system32\_004337_.tmp.dll

c:\windows\system32\_004338_.tmp.dll

c:\windows\system32\_004339_.tmp.dll

c:\windows\system32\_004340_.tmp.dll

c:\windows\system32\_004345_.tmp.dll

c:\windows\system32\_004347_.tmp.dll

c:\windows\system32\_004348_.tmp.dll

c:\windows\Tasks\xzmtlfsz.job

c:\windows\wiaserviv.log

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))

.

2009-01-19 13:53 . 2009-01-19 13:54 <DIR> d-------- C:\32788R22FWJFW

2009-01-18 21:40 . 2009-01-18 21:40 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore

2009-01-18 17:43 . 2009-01-18 17:43 1,409 --a------ c:\windows\system32\tmpF7D9D.FOT

2009-01-18 17:43 . 2009-01-18 17:43 1,409 --a------ c:\windows\system32\tmpDCD9D.FOT

2009-01-18 17:43 . 2009-01-18 17:43 1,409 --a------ c:\windows\system32\tmpC7B9D.FOT

2009-01-18 17:43 . 2009-01-18 17:43 1,409 --a------ c:\windows\system32\tmp14D9D.FOT

2009-01-17 21:17 . 2009-01-19 14:22 54,156 --ah----- c:\windows\QTFont.qfn

2009-01-17 21:17 . 2009-01-17 21:17 1,409 --a------ c:\windows\QTFont.for

2009-01-16 23:36 . 2009-01-16 23:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-16 23:36 . 2009-01-16 23:36 <DIR> d-------- c:\documents and settings\Mike\Application Data\Malwarebytes

2009-01-16 23:36 . 2009-01-16 23:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-16 23:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-16 23:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-16 21:21 . 2009-01-19 14:24 8,201 --a------ c:\windows\system32\Config.MPF

2009-01-16 21:18 . 2009-01-18 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-01-16 21:17 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll

2009-01-16 21:14 . 2008-06-27 06:08 207,656 --a------ c:\windows\system32\drivers\mfehidk.sys

2009-01-16 21:14 . 2008-06-27 06:08 79,240 --a------ c:\windows\system32\drivers\mfeavfk.sys

2009-01-16 21:14 . 2008-06-27 06:08 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys

2009-01-16 21:14 . 2008-06-27 06:08 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys

2009-01-16 21:14 . 2008-06-20 05:41 34,152 --a------ c:\windows\system32\drivers\mferkdk.sys

2009-01-16 21:13 . 2008-06-02 14:55 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys

2009-01-16 21:12 . 2009-01-16 21:13 <DIR> d-------- c:\program files\McAfee.com

2009-01-16 21:12 . 2009-01-16 21:14 <DIR> d-------- c:\program files\Common Files\McAfee

2009-01-16 21:11 . 2009-01-18 21:19 <DIR> d-------- c:\program files\McAfee

2009-01-16 21:03 . 2009-01-18 21:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee

2009-01-15 16:36 . 2009-01-15 16:36 <DIR> d-------- c:\program files\Netflix

2009-01-15 13:22 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys

2009-01-15 13:22 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys

2009-01-15 13:22 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys

2009-01-15 13:22 . 2008-04-13 11:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys

2008-12-19 19:04 . 2008-12-19 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-19 15:26 . 2008-12-19 15:26 <DIR> d-------- c:\documents and settings\Mike\Application Data\Symantec

2008-12-19 14:31 . 2009-01-15 15:33 <DIR> d-------- c:\program files\Symantec

2008-12-19 14:31 . 2009-01-15 15:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-19 05:24 --------- d-----w c:\documents and settings\Mike\Application Data\.purple

2009-01-19 05:17 --------- d-----w c:\documents and settings\Mike\Application Data\uTorrent

2009-01-18 07:53 --------- d-----w c:\documents and settings\Mike\Application Data\Move Networks

2009-01-18 04:05 --------- d-----w c:\documents and settings\Mike\Application Data\gtk-2.0

2009-01-16 19:25 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-01-16 19:23 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-15 23:34 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-12-19 22:25 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2008-12-16 10:10 --------- d-----w c:\documents and settings\Mike\Application Data\Skype

2008-12-16 08:09 --------- d-----w c:\documents and settings\Mike\Application Data\skypePM

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 212992]

"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]

"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-03-02 1282048]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Dynex Wireless Networking Utility.lnk - c:\program files\Dynex G Desktop Card Adapter\DynexWCUI.exe [2008-08-17 1462272]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-09-16 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=kqqlaz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Mavis Beacon Teaches Typing Deluxe 11.lnk]

path=c:\documents and settings\Mike\Start Menu\Programs\Startup\Mavis Beacon Teaches Typing Deluxe 11.lnk

backup=c:\windows\pss\Mavis Beacon Teaches Typing Deluxe 11.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-08-29 07:09 171464 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

--a------ 2006-01-13 16:13 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

--a------ 2004-07-05 16:05 2550272 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

--------- 2004-03-17 15:10 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-18 206096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-17 c:\windows\Tasks\At1.job

- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 13:50]

2009-01-19 c:\windows\Tasks\At2.job

- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 13:50]

2009-01-17 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-17 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-19 c:\windows\Tasks\Norton Security Scan.job

- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 03:08]

.

- - - - ORPHANS REMOVED - - - -

BHO-{14DB73BD-7066-4E31-ADEF-A0087BF1EFB7} - (no file)

BHO-{602588C4-8A36-4CF7-8F05-C6CD178B4A9D} - (no file)

Toolbar-SITEguard - (no file)

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe

HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel

FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\xmi3obz0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\xmi3obz0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-19 14:23:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-57989841-2147175445-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c4,09,10,b2,56,63,e7,66,84,9b,af,a1,23,e5,66,61,bf,6f,cd,20,bb,ce,4d,

85,90,c1,e9,f1,09,81,2a,de,c8,da,5d,96,0c,d2,57,ef,3d,27,a3,66,c5,83,b7,8b,\

"??"=hex:65,90,9b,06,93,31,79,66,c4,eb,a0,39,b4,1f,36,1b

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)

c:\windows\System32\BCMLogon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Ahead\InCD\InCDsrv.exe

c:\windows\system32\wltrysvc.exe

c:\windows\system32\bcmwltry.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\McAfee\MSK\msksrver.exe

c:\program files\Logitech\Video\FxSvr2.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-01-19 14:28:00 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-19 22:27:56

Pre-Run: 11,182,714,880 bytes free

Post-Run: 11,120,844,800 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,4,5,6

302 --- E O F --- 2009-01-14 00:55:00
