malware or what?
Comments
-
I have got firefox and I am struggling with that too - I will have a go though, thanks - you lot are very kind and patient!
-
download ComboFix from one of the following URLs:
Ex forum ambassador
Long term forum member
-
thanks folks, here is the log:
ComboFix 09-04-19.05 - Joanne Bloggs 19/04/2009 17:48.1 - NTFSx86
Running from: c:\documents and settings\Joanne Bloggs\Desktop\QWERTY.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*
.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.
2009-04-16 21:58 . 2009-04-16 21:58 -------- d-----w c:\program files\Trend Micro
2009-04-16 18:23 . 2009-04-16 18:23 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\Malwarebytes
2009-04-16 18:22 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 18:22 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 18:22 . 2009-04-16 18:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 18:22 . 2009-04-16 18:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 22:09 . 2009-04-15 22:11 -------- d-----w c:\program files\OUeTMAFileHandler
2009-04-15 20:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 20:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:21 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:21 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:21 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 20:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 20:20 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 20:20 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 22:10 . 2009-04-14 22:10 0 ----a-w c:\windows\nsreg.dat
2009-04-14 22:10 . 2009-04-14 22:10 -------- d-----w c:\documents and settings\Joanne Bloggs\Local Settings\Application Data\Mozilla
2009-04-14 17:37 . 2009-04-16 13:06 2883 ----a-w c:\windows\system32\spupdsvc.inf
2009-04-14 17:27 . 2009-04-14 17:27 -------- d-----w c:\windows\system32\scripting
2009-04-14 17:27 . 2009-04-14 17:27 -------- d-----w c:\windows\l2schemas
2009-04-14 17:27 . 2009-04-14 17:27 -------- d-----w c:\windows\system32\en
2009-04-14 17:27 . 2009-04-14 17:27 -------- d-----w c:\windows\system32\bits
2009-04-14 17:22 . 2009-04-14 17:22 -------- d-----w c:\windows\ServicePackFiles
2009-04-14 17:10 . 2009-04-14 17:10 -------- d-----w c:\windows\EHome
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 16:54 . 2007-05-04 10:34 130984480 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-19 16:54 . 2007-05-20 20:08 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\StarOffice8
2009-04-19 16:54 . 2007-01-16 08:44 -------- d-----w c:\program files\StarOffice7
2009-04-19 16:53 . 2007-05-04 10:34 2007328 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-19 16:52 . 2007-05-04 10:34 189188 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-19 16:52 . 2007-05-04 10:34 1755260 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-19 16:26 . 2007-05-04 10:34 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-15 22:09 . 2007-02-05 13:29 245760 ------w c:\windows\OUFHSetup1.exe
2009-04-15 22:09 . 2007-02-05 13:29 73216 ----a-w c:\windows\ST6UNST.EXE
2009-04-15 00:20 . 2007-01-16 08:47 -------- d-----w c:\program files\Java
2009-04-14 23:49 . 2007-01-12 22:09 38176 ----a-w c:\documents and settings\Joanne Bloggs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 19:51 . 2007-04-23 12:01 -------- d-----w c:\program files\MSN Messenger
2009-04-14 17:35 . 2005-07-13 16:44 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-14 17:18 . 2006-09-18 20:22 250048 --sha-r C:\ntldr
2009-04-10 00:26 . 2007-01-14 22:02 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\Skype
2009-04-07 16:22 . 2007-09-04 12:45 268 ---ha-w C:\sqmdata08.sqm
2009-04-07 16:22 . 2007-09-04 12:45 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-06 08:34 . 2007-09-03 13:47 268 ---ha-w C:\sqmdata07.sqm
2009-04-06 08:34 . 2007-09-03 13:47 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-05 10:15 . 2007-01-14 22:01 -------- d-----r c:\program files\Skype
2009-04-05 10:15 . 2007-01-14 22:02 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-05 09:48 . 2008-03-10 15:59 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\skypePM
2009-04-04 00:35 . 2007-08-31 23:48 268 ---ha-w C:\sqmdata06.sqm
2009-04-04 00:35 . 2007-08-31 23:48 244 ---ha-w C:\sqmnoopt06.sqm
2009-04-02 15:28 . 2009-03-09 21:42 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\NwDocx
2009-03-18 02:03 . 2007-08-30 17:46 268 ---ha-w C:\sqmdata05.sqm
2009-03-18 02:03 . 2007-08-30 17:46 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-17 22:49 . 2007-02-20 16:43 -------- d-----w c:\program files\FirstClass
2009-03-15 10:23 . 2009-03-15 10:10 -------- d-----w c:\program files\VAG-COM
2009-03-14 00:39 . 2008-02-15 15:21 -------- d-----w c:\program files\U212MediaKit
2009-03-09 22:11 . 2009-03-09 22:04 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\Texthelp Systems
2009-03-09 22:03 . 2009-03-09 22:03 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\Thinstall
2009-03-09 08:59 . 2005-07-13 17:54 -------- d-----w c:\program files\Microsoft Works
2009-03-06 14:22 . 2006-09-18 20:22 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-09-18 20:22 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-09-18 20:22 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 12:20 . 2009-03-15 10:08 51528 ----a-r c:\windows\system32\ftserui2.dll
2009-02-17 10:23 . 2009-03-15 10:08 206144 ----a-r c:\windows\system32\ftd2xx.dll
2009-02-17 10:22 . 2009-03-15 10:08 120136 ----a-r c:\windows\system32\ftbusui.dll
2009-02-17 10:22 . 2009-03-15 10:08 189760 ----a-r c:\windows\system32\FTLang.dll
2009-02-15 15:31 . 2007-08-28 10:16 268 ---ha-w C:\sqmdata04.sqm
2009-02-15 15:31 . 2007-08-28 10:16 244 ---ha-w C:\sqmnoopt04.sqm
2009-02-15 10:04 . 2007-08-09 08:15 268 ---ha-w C:\sqmdata03.sqm
2009-02-15 10:04 . 2007-08-09 08:15 244 ---ha-w C:\sqmnoopt03.sqm
2009-02-09 12:10 . 2006-09-18 20:22 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-09-18 20:22 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2006-09-18 20:22 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-09-18 20:21 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-09-18 20:22 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-09-18 20:22 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2006-09-18 20:22 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-09-18 20:22 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2006-09-18 20:22 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-30 00:48 . 2007-08-09 00:37 268 ---ha-w C:\sqmdata02.sqm
2009-01-30 00:48 . 2007-08-09 00:37 244 ---ha-w C:\sqmnoopt02.sqm
2009-01-27 00:55 . 2007-08-05 22:01 268 ---ha-w C:\sqmdata01.sqm
2009-01-27 00:55 . 2007-08-05 22:01 244 ---ha-w C:\sqmnoopt01.sqm
2009-01-26 01:04 . 2007-07-07 00:18 268 ---ha-w C:\sqmdata00.sqm
2009-01-26 01:04 . 2007-07-07 00:18 244 ---ha-w C:\sqmnoopt00.sqm
2008-08-07 14:00 . 2008-08-07 12:52 17950304 ----a-w c:\program files\gimp-2.4.6-i686-setup.exe
2008-03-10 15:59 . 2008-03-10 15:59 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\Msmsgs.exe" [2005-08-31 1658592]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-03-01 577536]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2004-12-29 544768]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-11-01 163840]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Joanne Bloggs\Start Menu\Programs\Startup\
StarOffice 7.lnk - c:\program files\StarOffice7\program\quickstart.exe [2003-6-1 122880]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2006-1-25 122880]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-8-18 1183744]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\avp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\OUeTMAFileHandler\\OUeTMAFileHandler.exe"=
"c:\\Program Files\\U212MediaKit\\MediaKit.exe"=
"c:\\Program Files\\YouTube Downloader\\YouTubeDownloader.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
R3 ids00026;ids00026; [x]
R3 ids0015d;ids0015d; [x]
R3 ids00180;ids00180; [x]
S3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\DRIVERS\EKBfltr.sys [2005-01-14 5504]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-02-02 24344]
--- Other Services/Drivers In Memory ---
.
Contents of the 'Scheduled Tasks' folder
2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BAloud4 - c:\program files\Texthelp Systems\Browsealoud\4.0 Virtual\BAloud4.exe
HKCU-Run-VirtualBrowseAloud - c:\program files\Browsealoud\Browsealoud.exe
HKU-Default-RunOnce-IETI - c:\program files\Skype\Phone\IEPlugin\unins000.exe
Notify-OdysseyClient - (no file)
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://uk.yahoo.com/fsc/
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Joanne Bloggs\Application Data\Mozilla\Firefox\Profiles\k1i73t72.default\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 17:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1288)
c:\windows\system32\klogon.dll
- - - - - - - > 'explorer.exe'(3624)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\scrchpg.dll
.
Other Running Processes
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Sun\StarOffice 8\program\soffice.exe
c:\program files\StarOffice7\program\soffice.exe
c:\program files\Sun\StarOffice 8\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-19 17:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-19 16:57
Pre-Run: 43,675,971,584 bytes free
Post-Run: 45,146,148,864 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
328 --- E O F --- 2009-04-16 13:09
-
Open notepad and copy/paste the text in RED below
File::
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
c:\documents and settings\All Users\Application Data\ezsid.dat
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
reboot and attempt another update of Malwarebytes
-
ComboFix 09-04-19.05 - Joanne Bloggs 19/04/2009 18:52.2 - NTFSx86
Running from: c:\documents and settings\Joanne Bloggs\Desktop\QWERTY.exe
Command switches used :: c:\documents and settings\Joanne Bloggs\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*
FILE ::
c:\documents and settings\All Users\Application Data\ezsid.dat
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\ezsid.dat
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.
2009-04-16 21:58 . 2009-04-16 21:58 -------- d-----w c:\program files\Trend Micro
2009-04-16 18:23 . 2009-04-16 18:23 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\Malwarebytes
2009-04-16 18:22 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 18:22 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 18:22 . 2009-04-16 18:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 18:22 . 2009-04-16 18:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 22:09 . 2009-04-15 22:11 -------- d-----w c:\program files\OUeTMAFileHandler
2009-04-15 20:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 20:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:21 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:21 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:21 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 20:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 20:20 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 20:20 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 22:10 . 2009-04-14 22:10 0 ----a-w c:\windows\nsreg.dat
2009-04-14 22:10 . 2009-04-14 22:10 -------- d-----w c:\documents and settings\Joanne Bloggs\Local Settings\Application Data\Mozilla
2009-04-14 17:37 . 2009-04-16 13:06 2883 ----a-w c:\windows\system32\spupdsvc.inf
2009-04-14 17:27 . 2009-04-14 17:27 -------- d-----w c:\windows\system32\scripting
2009-04-14 17:27 . 2009-04-14 17:27 -------- d-----w c:\windows\l2schemas
2009-04-14 17:27 . 2009-04-14 17:27 -------- d-----w c:\windows\system32\en
2009-04-14 17:27 . 2009-04-14 17:27 -------- d-----w c:\windows\system32\bits
2009-04-14 17:22 . 2009-04-14 17:22 -------- d-----w c:\windows\ServicePackFiles
2009-04-14 17:10 . 2009-04-14 17:10 -------- d-----w c:\windows\EHome
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 17:56 . 2007-05-04 10:34 131083040 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-19 17:56 . 2007-05-04 10:34 2010400 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-19 17:04 . 2007-05-04 10:34 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-19 16:54 . 2007-05-20 20:08 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\StarOffice8
2009-04-19 16:54 . 2007-01-16 08:44 -------- d-----w c:\program files\StarOffice7
2009-04-19 16:52 . 2007-05-04 10:34 189188 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-19 16:52 . 2007-05-04 10:34 1755260 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-15 22:09 . 2007-02-05 13:29 245760 ------w c:\windows\OUFHSetup1.exe
2009-04-15 22:09 . 2007-02-05 13:29 73216 ----a-w c:\windows\ST6UNST.EXE
2009-04-15 00:20 . 2007-01-16 08:47 -------- d-----w c:\program files\Java
2009-04-14 23:49 . 2007-01-12 22:09 38176 ----a-w c:\documents and settings\Joanne Bloggs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 19:51 . 2007-04-23 12:01 -------- d-----w c:\program files\MSN Messenger
2009-04-14 17:35 . 2005-07-13 16:44 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-14 17:18 . 2006-09-18 20:22 250048 --sha-r C:\ntldr
2009-04-10 00:26 . 2007-01-14 22:02 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\Skype
2009-04-05 10:15 . 2007-01-14 22:01 -------- d-----r c:\program files\Skype
2009-04-05 10:15 . 2007-01-14 22:02 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-05 09:48 . 2008-03-10 15:59 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\skypePM
2009-04-02 15:28 . 2009-03-09 21:42 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\NwDocx
2009-03-17 22:49 . 2007-02-20 16:43 -------- d-----w c:\program files\FirstClass
2009-03-15 10:23 . 2009-03-15 10:10 -------- d-----w c:\program files\VAG-COM
2009-03-14 00:39 . 2008-02-15 15:21 -------- d-----w c:\program files\U212MediaKit
2009-03-09 22:11 . 2009-03-09 22:04 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\Texthelp Systems
2009-03-09 22:03 . 2009-03-09 22:03 -------- d-----w c:\documents and settings\Joanne Bloggs\Application Data\Thinstall
2009-03-09 08:59 . 2005-07-13 17:54 -------- d-----w c:\program files\Microsoft Works
2009-03-06 14:22 . 2006-09-18 20:22 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-09-18 20:22 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-09-18 20:22 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 12:20 . 2009-03-15 10:08 51528 ----a-r c:\windows\system32\ftserui2.dll
2009-02-17 10:23 . 2009-03-15 10:08 206144 ----a-r c:\windows\system32\ftd2xx.dll
2009-02-17 10:22 . 2009-03-15 10:08 120136 ----a-r c:\windows\system32\ftbusui.dll
2009-02-17 10:22 . 2009-03-15 10:08 189760 ----a-r c:\windows\system32\FTLang.dll
2009-02-09 12:10 . 2006-09-18 20:22 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-09-18 20:22 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2006-09-18 20:22 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-09-18 20:21 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-09-18 20:22 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-09-18 20:22 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2006-09-18 20:22 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-09-18 20:22 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2006-09-18 20:22 56832 ----a-w c:\windows\system32\secur32.dll
2008-08-07 14:00 . 2008-08-07 12:52 17950304 ----a-w c:\program files\gimp-2.4.6-i686-setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\Msmsgs.exe" [2005-08-31 1658592]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-03-01 577536]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2004-12-29 544768]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-11-01 163840]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Joanne Bloggs\Start Menu\Programs\Startup\
StarOffice 7.lnk - c:\program files\StarOffice7\program\quickstart.exe [2003-6-1 122880]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2006-1-25 122880]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-8-18 1183744]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\avp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\OUeTMAFileHandler\\OUeTMAFileHandler.exe"=
"c:\\Program Files\\U212MediaKit\\MediaKit.exe"=
"c:\\Program Files\\YouTube Downloader\\YouTubeDownloader.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
R3 ids00026;ids00026; [x]
R3 ids0015d;ids0015d; [x]
R3 ids00180;ids00180; [x]
S3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\DRIVERS\EKBfltr.sys [2005-01-14 5504]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-02-02 24344]
--- Other Services/Drivers In Memory ---
.
Contents of the 'Scheduled Tasks' folder
2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://uk.yahoo.com/fsc/
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
FF - ProfilePath - c:\documents and settings\Joanne Bloggs\Application Data\Mozilla\Firefox\Profiles\k1i73t72.default\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 18:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1288)
c:\windows\system32\klogon.dll
.
Completion time: 2009-04-19 18:58
ComboFix-quarantined-files.txt 2009-04-19 17:57
ComboFix2.txt 2009-04-19 16:57
Pre-Run: 45,157,736,448 bytes free
Post-Run: 45,154,340,864 bytes free
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
324 --- E O F --- 2009-04-16 13:09
-
right, have done that and updated malware bytes, which is scanning again now.
-
Malwarebytes says:
Malwarebytes' Anti-Malware 1.36
Database version: 2009
Windows 5.1.2600 Service Pack 3
19/04/2009 20:57:32
mbam-log-2009-04-19 (20-57-32).txt
Scan type: Full Scan (C:\|)
Objects scanned: 181583
Time elapsed: 1 hour(s), 1 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)