Good news I think.
New combofix log.
ComboFix 09-04-25.A3 - Kickaxe 04/26/2009 18:04.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.284 [GMT -5:00]
Running from: c:\documents and settings\Kickaxe\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kickaxe\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.
2009-04-25 04:56 . 2009-04-25 04:56 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-25 04:54 . 2008-10-16 19:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-25 04:54 . 2008-10-16 19:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-24 07:12 . 2009-04-24 07:12 -------- d-----w c:\program files\Trend Micro
2009-04-24 04:34 . 2009-04-24 04:34 -------- d-----w C:\!KillBox
2009-04-18 02:47 . 2009-04-25 05:20 -------- d-----w c:\documents and settings\Kickaxe\Application Data\XnView
2009-04-18 02:00 . 2009-04-18 02:00 -------- d-----w c:\documents and settings\Kickaxe\Application Data\Malwarebytes
2009-04-18 00:35 . 2009-04-18 00:35 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-17 04:04 . 2009-04-17 04:04 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-04-17 04:04 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 04:04 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 04:04 . 2009-04-18 02:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 04:04 . 2009-04-17 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 02:53 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 02:53 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 02:53 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 02:53 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 02:53 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 02:53 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 02:53 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 02:53 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 02:53 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 02:53 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 02:53 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 02:53 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 02:52 . 2009-04-17 02:52 -------- d-----w c:\documents and settings\Kickaxe\Application Data\SUPERAntiSpyware.com
2009-04-17 02:47 . 2009-04-17 02:47 33184 ----a-w c:\documents and settings\Kickaxe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 02:31 . 2009-04-17 02:31 -------- d-----w c:\documents and settings\Kickaxe\.housecall6.6
2009-04-17 02:13 . 2009-04-17 02:23 -------- d-----w c:\documents and settings\Kickaxe\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 02:11 . 2007-09-14 12:47 -------- d-----w c:\program files\Temp
2009-04-25 23:37 . 2003-09-10 01:14 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-23 23:37 . 2009-04-23 23:32 304182 ----a-w C:\rapport.txt
2009-04-01 23:32 . 2003-09-10 00:19 -------- d-----w c:\program files\burst
2009-03-28 01:28 . 2008-08-23 12:58 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-06 14:22 . 2003-01-01 07:04 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2003-01-01 07:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2003-01-01 07:03 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 18:29 . 2009-02-09 18:19 174 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-02-09 12:10 . 2003-01-01 07:03 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-10-21 09:42 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-01-01 07:46 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2003-01-01 07:04 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2003-01-01 07:05 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2003-01-01 07:04 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-01-01 07:04 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-01-01 07:04 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2003-01-01 07:04 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-12 05:45 . 2003-09-10 05:37 33184 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-13 12:46 . 2007-10-13 12:46 32008 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-10-21 11:54 . 2007-09-25 21:27 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-10-21 11:54 . 2007-09-20 01:32 128 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2004-10-21 11:54 . 2007-09-20 01:15 128 ----a-w c:\documents and settings\Kickaxe\Local Settings\Application Data\fusioncache.dat
2003-09-10 08:41 . 2003-01-01 08:14 135 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
2008-08-23 15:07 . 2008-08-23 15:07 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082320080824\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-18 196608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-08 57344]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-07-29 2551808]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-24 03:31 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MDM"=2 (0x2)
"aawservice"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-20 55024]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c487d1a0-6860-11dc-a27b-0011d83f7c97}]
\Shell\AutoRun\command - G:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc949af-66fa-11dc-a279-0011d83f7c97}]
\Shell\AutoRun\command - N:\Setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-26 18:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
- - - - - - - > 'explorer.exe'(2904)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-26 18:07
ComboFix-quarantined-files.txt 2009-04-26 23:07
ComboFix2.txt 2009-04-26 22:57
ComboFix3.txt 2009-04-25 23:37
ComboFix4.txt 2009-04-24 10:25
Pre-Run: 25,210,126,336 bytes free
Post-Run: 25,195,638,784 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=,1,2,3,4
157 --- E O F --- 2009-04-25 04:56
New hijackthis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:54 PM, on 4/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1240528006718
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4266 bytes
Computer actually seems to be running ok so far. I updated AVG and Superantispyware. No blank screen on either admin user. Other problems from first post seem to be fixed as well.
Anything else you think I should do?
Thanks lots. I will let you know if anything comes up.