My girlfriend was told by a computer lab assistant at her college that she has this Flush.M trojan and she should run combofix. I've followed the directions to run combofix and here is the resulting log file.
Any idea if there is anything else I can do based on the below file?
ComboFix 09-03-26.03 - Marie 2009-03-27 21:56:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2037.1193 [GMT -4:00]
Running from: c:\users\Marie\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.
2009-03-14 20:46 . 2009-03-14 20:46 <DIR> d-------- c:\users\Marie\AppData\Roaming\ZoomBrowser EX
2009-03-14 20:38 . 2009-03-14 20:38 <DIR> d-------- c:\users\All Users\ZoomBrowser
2009-03-14 20:38 . 2009-03-14 20:38 <DIR> d-------- c:\programdata\ZoomBrowser
2009-03-14 20:38 . 2009-03-14 20:39 <DIR> d-------- c:\program files\Canon
2009-03-14 20:37 . 2009-03-14 20:37 <DIR> d-------- c:\program files\Common Files\Canon
2009-03-11 06:58 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-11 06:58 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-11 06:58 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-11 06:58 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-11 06:58 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-11 06:58 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 00:06 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-12 10:21 --------- d-----w c:\program files\Windows Mail
2009-02-13 04:18 --------- d-----w c:\users\Marie\AppData\Roaming\Download Manager
2009-02-13 03:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-13 03:28 --------- d-----w c:\users\Marie\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-11 15:04 --------- d-----w c:\users\Marie\AppData\Roaming\CyberLink
2009-02-11 15:04 --------- d-----w c:\programdata\CyberLink
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-09 15:10 54,600 ----a-w c:\users\Marie\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-09-04 05:13 1,667,097 ----a-w c:\users\Public\venple32.exe
2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-04 68856]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"googletalk"="c:\users\Marie\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-27 17920]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-03 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-31 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-31 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-31 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 85504]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-04 29744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-08-04 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-02-22 1193240]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 16:20 73728 c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{936B2531-01FA-415C-A906-2038E764C769}"= c:\program files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{228CC934-35AE-4B47-ADF0-225B7145FF8F}"= c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{E93BA6F4-51DF-4A20-859C-E18EF547874F}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{EF338B2C-AFFD-48F7-86A0-34C92BA6E9A4}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A103F14B-610E-4434-A689-DD352CC56B79}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2E78BFB6-8B89-4A39-B302-21736AE603A6}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B9CADCAD-C03A-448D-BAA1-539364639DD2}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\System32\dllhost.exe [2006-11-02 7168]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-08-04 179712]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73f5b8c5-feac-11dd-866d-ad5b23b458d9}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-NWEReboot - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tagesschau.de/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Marie\AppData\Roaming\Mozilla\Firefox\Profiles\ubcoopsi.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 22:01:02
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\users\Marie\AppData\Local\Temp\catchme.dll 53248 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(576)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\windows\System32\wlanext.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\microsoft shared\VS7Debug\mdm.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\System32\msdtc.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-03-27 22:06:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 02:06:05
Pre-Run: 95,578,492,928 bytes free
Post-Run: 95,482,417,152 bytes free
150 --- E O F --- 2009-03-27 12:25:03