laptop running slow
Comments
-
Is it worth changing my firewall from ZoneAlarm Free, and if so what would you suggest?
-
ZoneAlarm's actually a very good firewall. BUT ~ this last year or so it's been 'problematic' on some computers.
So I'd say if it's fine, leave it be. If not then I'd recommend PC Tools firewall.
-
Thanks for all your help and patience
Mark
-
No worries.
Post back here if you have any more symptoms though, as it's clearly been badly infected so I'm not 100% that it's clean.
-
Hi Rik
Just finished a Kaspersky scan, here are the results, do I need to take further action?
deleted: virus Worm.Win32.AutoRun.dhm File: E:\Autorun.inf
detected: riskware Hidden install Running process: C:\32788R22FWJFW\prep.cmd
quarantined: virus Heur.Invader (modification) File: c:\documents and settings\mark turner\desktop\combofix.exe//PE_Patch.UPX/32788R22FWJFW\catchme.cfexe
-
Open Notepad and copy/paste the text in RED below
File::
C:\32788R22FWJFW\prep.cmd
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg, then ComboFix should continue.
-
ComboFix 09-04-25.A1 - mark turner 25/04/2009 17:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.298 [GMT 1:00]
Running from: c:\documents and settings\mark turner\Desktop\combofix.exe
Command switches used :: c:\documents and settings\mark turner\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-25 12:10 . 2009-04-25 13:28 -------- d-----w c:\documents and settings\mark turner\DoctorWeb
2009-04-24 21:20 . 2009-04-24 21:20 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-24 21:20 . 2009-04-24 21:20 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-24 18:50 . 2009-04-24 18:50 -------- d-----w c:\program files\Trend Micro
2009-04-24 16:52 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 16:52 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 16:52 . 2009-04-24 16:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 11:56 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 11:56 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 11:55 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 11:55 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 11:55 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 11:55 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 11:55 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 11:51 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-12 08:36 . 2009-02-13 10:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 17:01 . 2009-02-05 18:10 6379552 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-25 17:01 . 2009-02-05 18:10 17184 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-25 15:13 . 2009-02-05 18:10 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-25 15:11 . 2009-02-05 18:10 1916 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-25 15:11 . 2009-02-05 18:10 37820 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-25 14:51 . 2007-10-04 16:42 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-19 19:19 . 2007-03-17 18:44 56183 ----a-w C:\hpfr3425.log
2009-04-19 19:19 . 2004-12-28 18:20 519 ----a-w C:\hpfr3420.xml
2009-04-15 11:55 . 2002-08-29 05:00 227840 ----a-w c:\windows\SYSTEM32\DLLCACHE\wmiprvse.exe
2009-03-29 20:42 . 2008-03-09 10:39 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-29 20:41 . 2004-06-05 21:09 -------- d-----w c:\program files\SpywareBlaster
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
2009-03-06 15:51 . 2009-03-06 15:51 102 ----a-w C:\VundoFix.txt
2009-03-06 14:22 . 2002-08-29 05:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-06 14:22 . 2002-08-29 05:00 284160 ----a-w c:\windows\SYSTEM32\DLLCACHE\pdh.dll
2009-03-03 20:15 . 2009-03-03 20:15 266240 ----a-w c:\windows\SYSTEM32\CSHelper.exe
2009-03-03 20:15 . 2009-03-03 20:15 225280 ----a-w c:\windows\SYSTEM32\CSInstru.DLL
2009-03-03 00:18 . 2006-11-07 21:03 826368 ------w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-02-06 17:05 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-28 04:54 . 2002-08-29 05:00 636072 --s-a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-20 10:20 . 2007-05-20 19:07 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2002-08-29 05:00 70656 ----a-w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2002-08-29 05:00 161792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 12:10 . 2002-08-29 05:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2004-04-26 18:54 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 05:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 05:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-15 19:45 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2002-08-29 05:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 22:05 . 2004-05-02 17:07 4212 -c-ha-w c:\windows\SYSTEM32\zllictbl.dat
2009-02-07 18:02 . 2002-08-29 05:00 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-07 18:02 . 2002-08-29 05:00 2066048 ----a-w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-29 05:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2002-08-29 05:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:08 . 2002-08-29 05:00 2189056 ----a-w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 19:43 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 10:39 . 2002-08-29 05:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2002-08-29 05:00 35328 ----a-w c:\windows\SYSTEM32\DLLCACHE\sc.exe
2009-02-06 10:32 . 2008-10-15 19:43 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-05 16:42 . 2007-06-17 09:07 959 ----a-w C:\rollback.ini
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
2009-02-03 19:59 . 2002-08-29 05:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2008-10-03 20:25 . 2004-01-27 21:34 109232 -c--a-w c:\documents and settings\mark turner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-03-26 17:10 . 2007-03-26 17:10 69536 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-27 20:05 . 2006-05-14 11:42 40240 -c--a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-11-23 11:50 . 2005-04-30 09:30 38264 -c--a-w c:\documents and settings\mark turner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-27 20:52 . 2008-05-27 20:53 32768 -csha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HostManager"="c:\program files\Common Files\AOL\1223586317\ee\AOLSoftware.exe" [2006-11-14 50736]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-14 98304]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk.disabled]
backup=c:\windows\pss\Kodak EasyShare software.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
backup=c:\windows\pss\Microsoft Office.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^mark turner^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^mark turner^Start Menu^Programs^Startup^SpywareGuard.lnk]
backup=c:\windows\pss\SpywareGuard.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=2 (0x2)
"iPodService"=3 (0x3)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"GSICONEXE"=gsicon.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\AOL\\1173459437\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1173459437\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223586317\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2002-12-24 39040]
R3 MEMSWEEP2;MEMSWEEP2; [x]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2002-12-24 54016]
R3 USTOR;Verbatim Store 'n' Go;c:\windows\system32\DRIVERS\UStork.sys [2003-04-02 19762]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-03-03 266240]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94117d80-7c5d-11d9-977f-00038a000015}]
\Shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c87294d6-a05d-11dd-8f54-00038a000015}]
\Shell\access\command - e:\.\sgportable\SGPortable.exe
\Shell\AutoRun\command - e:\.\sgportable\SGPortable.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e53405bd-8b29-11dd-a85a-00038a000015}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-25 c:\windows\Tasks\User_Feed_Synchronization-{B5C1C72B-289E-42A9-835B-6634B3341A9F}.job
- c:\windows\system32\msfeedssync.exe [2006-04-13 11:58]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &AOL Toolbar search
IE: E&xport to Microsoft Excel
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 18:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\65.tmp"
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3369489060-662800114-1466839097-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="CEB59035BAE3BA6EFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D6794BA7FD869164D67949DB7CE019D40AA5CA8A2428A09D4F53E7F5775F3C720A3862044937B62B8997D624CABC010CEC361260F2D17ED2CD9494BFA9FD7A64C0E3AF4F9B335DA89FCCA2D2618AB68E3F050418AB17776C5782A04838BA05B684A8A4F9AAB984442F95F5F872CDDBE807C437CAEA93E839C7C7E72B97E9C1BF47E9C59C04ECA4A7E550CAA7E6577538469CFAE15E1278AF0C548B3EA33BD323188FB9409E3982CA38A839397B8BCFB92EC75015F9A8D1546E8EBB468D6187DA27896D616A6EFBD5445DDF5650E149F12F192F4B08AF13FE52C34BB858C67EF1392BF488CC4E265FDE7967F00418B3A2E176CDAAF597A3CDB0CCC5F1CE9898F8F502CE417622A1FCC080CB08123505D56AF2BDA8924EECFF736C70B8878FE76685DF6FD63969F7AB2ED82DE08F6B82B3D4159EEEBFB3D53CE109B7FA9B7EFD3B31A9FB822EB421A671A21B5B6743BDE5A87EAE68CE6753437319FCFE6182468491C860E0A6235B564BA73B1B34974C2696F3264225CCC744F63936427000B0B482B74CAD3EB3F97E6376826AA13A437E79CE85FE74B1CA8762896F8D74934A61043120FBD6F4B9F7228D3B6C868AE311B6429A19D9360F9CF32301CE8435839C6966D4F8848E7C24DDBEC5DC1CE9B390853F4CA87893A264568C8B2CF2E5055D5887AD47B464805FED34FE9CCC416EA7B26304D6DF6EEFE01E62D748442992069310FBC5EAB44045945FAFC23386EF583D024EE9999E6E8F47D0F6D84285655725EE4F781AFD4EEEB9A518B840F199FF377FB4BDDA1B05CD3AF84FCCEFC4C42288E1BCA337C1A080EEE9C60B21F2DBF637749D18CB3FAE717B407566AD3E6498079344D4B32D7A6D8168519F4376743AE5E7FC4FB6A9C2D7977F2035E33B1DF3C84166E236472372B959D279594A72AF16D773B0BD08CE07C188BDCB7945F135ACD0B6C971877382825D550636DF087929CEC1E96E869CB64EAF31487E5C6FD9FA5C1DC8B4A943CB43488AE32686B05B71602AF04A8F2CBB776B6AD618960D49610CCA964681B6C7AE26F3156A164DECBB8B97FB9770E5144F6C07FDED4CB5D0CC6A30F0B570582E8882A16AB2AC9E4FD16FCF5A433C46319DAE4B71C92C8F190351E1D6CECEB4E32AC3CF61105317BC275974CB22D43998B46D6D33A013F8179FCFC39FB738E324B8D8C3C692A519B4FD13A14D8A85AA2321231A85E51370C6070E09B2FAB4F276E9C67231A0606CF9ED7F92D8E61FE3F6AC66F5DAF29E02A221AD152FEC636379B80FA3D8FF850B9F1EBCDD04F024A4354A6F5EE5CA40D055FB5B83CE86EEC039211DBF137D7538D4B2493879BAD789953A308"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1356)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\windows\system32\klogon.dll
- - - - - - - > 'lsass.exe'(1460)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
- - - - - - - > 'explorer.exe'(2336)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\windows\system32\msi.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\scrchpg.dll
.
Completion time: 2009-04-25 18:05
ComboFix-quarantined-files.txt 2009-04-25 17:05
ComboFix2.txt 2009-04-24 19:57
Pre-Run: 8,340,750,336 bytes free
Post-Run: 8,403,333,120 bytes free
217 --- E O F --- 2009-04-15 12:49
-
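Added example, not part of the thread and not ComboFix's own code: a small Python parser for the sections that appear in a ComboFix log like the one above (Run keys, R/S service lines, MountPoints2 AutoRun commands, Security Center monitoring values, a service ImagePath) with a few review heuristics run over them. The log embedded in the script is a constructed excerpt modelled on the thread's log; the "Updater" Run entry pointing at a Temp-folder svch0st.exe is made up to exercise the user-writable-path check, and every other line mirrors an entry that really appears above. The flags are things to review, not verdicts: MountPoints2 AutoRun commands are Windows' cache of the autorun.inf handler from any volume that was plugged in, so they show up for legitimate installers as well as for autorun worms like the one Kaspersky removed from E:\Autorun.inf, anti-rootkit scanners also register short-lived drivers under a .tmp path, and antivirus products commonly set DisableMonitoring themselves to suppress the XP Security Center alert.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

parse_combofix() pulls out Run entries, service lines (R0-R3/S0-S3),
MountPoints2 AutoRun commands and plain registry values; triage() applies
a few review heuristics to them. SAMPLE_LOG is a constructed excerpt
modelled on the log posted in the thread; the "Updater" entry is made up.
"""
import re

SAMPLE_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-14 98304]
"Updater"="c:\documents and settings\user\Local Settings\Temp\svch0st.exe" [2009-04-20 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2002-12-24 39040]
R3 MEMSWEEP2;MEMSWEEP2; [x]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-03-03 266240]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94117d80-7c5d-11d9-977f-00038a000015}]
\Shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e53405bd-8b29-11dd-a85a-00038a000015}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\65.tmp"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                      # "Name"=value
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")     # R2 name;display;path
AUTORUN_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.*)$")    # MountPoints2 verb
STAMP_RE = re.compile(r"\s+\[\d{4}-\d{2}-\d{2} \d+\]$")         # trailing [date size]

# Where a Run entry is normally expected to live; anything else is user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def _clean_value(raw):
    """Drop ComboFix's trailing [date size] stamp and surrounding quotes."""
    return STAMP_RE.sub("", raw).strip().strip('"')


def _leaf(key):
    """Last component of a registry key path."""
    return key.rsplit("\\", 1)[-1]


def parse_combofix(text):
    """Walk the log line by line, remembering the registry key currently open."""
    parsed = {"run": [], "services": [], "autorun": [], "values": []}
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            parsed["services"].append(
                {"state": m.group(1), "name": m.group(2), "path": _clean_value(m.group(4))})
            continue
        m = AUTORUN_RE.match(line)
        if m and key:
            parsed["autorun"].append({"key": key, "verb": m.group(1), "command": m.group(2)})
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entry = {"key": key, "name": m.group(1), "value": _clean_value(m.group(2))}
            bucket = "run" if key.lower().endswith("\\currentversion\\run") else "values"
            parsed[bucket].append(entry)
    return parsed


def triage(parsed):
    """Return (reason, subject, detail) tuples for entries worth a second look."""
    findings = []
    for e in parsed["run"]:
        if e["value"] and not e["value"].lower().startswith(TRUSTED_ROOTS):
            findings.append(("run-from-user-writable", e["name"], e["value"]))
    for s in parsed["services"]:
        p = s["path"].lower()
        if p == "[x]":                        # ComboFix marks a missing binary with [x]
            findings.append(("service-binary-missing", s["name"], s["path"]))
        elif p.endswith(".tmp"):
            findings.append(("service-tmp-binary", s["name"], s["path"]))
    for a in parsed["autorun"]:
        if a["verb"].lower() == "autorun":    # what ran when that volume was plugged in
            findings.append(("removable-autorun", _leaf(a["key"]), a["command"]))
    for v in parsed["values"]:
        name, val = v["name"].lower(), v["value"].lower()
        if name == "imagepath" and val.endswith(".tmp"):
            findings.append(("service-tmp-binary", _leaf(v["key"]), v["value"]))
        if name == "disablemonitoring" and val.startswith("dword:") and int(val[6:], 16) != 0:
            findings.append(("security-center-monitoring-off", _leaf(v["key"]), v["value"]))
    return findings


if __name__ == "__main__":
    for reason, subject, detail in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{reason:32} {subject:40} {detail}")
```

Run it as-is to see the six findings for the constructed excerpt, or replace SAMPLE_LOG with the text of a real Combofix.txt; the parser keys off the same line shapes ComboFix prints, so the Run, service and MountPoints2 sections of a full log parse the same way.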
Open Notepad and copy/paste the text in RED below
File::
c:\windows\system32\drivers\klin.dat
c:\windows\system32\drivers\klick.dat
C:\hpfr3425.log
C:\hpfr3420.xml
C:\rollback.ini
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg, then ComboFix should continue.
Download CCLEANER (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
http://www.filehippo.com/download_ccleaner/
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
Reboot.
Download GLARY UTILITIES (Make sure you click 'DOWNLOAD NOW' ~ UNTICK the ASK toolbar on installation)
http://www.download.com/Glary-Utilities/3000-2094_4-10508531.html
Run the ONE CLICK scan
Then go to MODULES ~ SYSTEM TOOLS ~ WINDOWS STANDARD TOOLS ~ and run the SYSTEM FILE CHECKER
I'd say you're good to go then.
-
Latest ComboFix log
ComboFix 09-04-25.A1 - mark turner 25/04/2009 19:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.251 [GMT 1:00]
Running from: c:\documents and settings\mark turner\Desktop\combofix.exe
Command switches used :: c:\documents and settings\mark turner\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-25 17:18 . 2009-02-15 23:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-25 17:18 . 2009-04-25 17:19 -------- d-----w c:\windows\system32\ZoneLabs
2009-04-25 17:18 . 2009-04-25 17:18 -------- d-----w c:\program files\Zone Labs
2009-04-25 17:18 . 2009-04-25 17:24 350192 ----a-w c:\windows\system32\vsconfig.xml
2009-04-25 17:17 . 2009-04-25 18:10 -------- d-----w c:\windows\Internet Logs
2009-04-25 12:10 . 2009-04-25 13:28 -------- d-----w c:\documents and settings\mark turner\DoctorWeb
2009-04-24 21:20 . 2009-04-24 21:20 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-24 21:20 . 2009-04-24 21:20 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-24 18:50 . 2009-04-24 18:50 -------- d-----w c:\program files\Trend Micro
2009-04-24 16:52 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 16:52 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 16:52 . 2009-04-24 16:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 11:56 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 11:56 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 11:55 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 11:55 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 11:55 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 11:55 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 11:55 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 11:51 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-12 08:36 . 2009-02-13 10:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 18:11 . 2009-02-05 18:10 6510368 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-25 18:11 . 2009-02-05 18:10 24608 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-25 17:24 . 2009-02-05 18:10 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-25 17:22 . 2009-02-05 18:10 2900 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-25 17:21 . 2009-02-05 18:10 86996 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-25 17:19 . 2004-05-02 17:07 4212 -c-ha-w c:\windows\SYSTEM32\zllictbl.dat
2009-04-25 14:51 . 2007-10-04 16:42 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-19 19:19 . 2007-03-17 18:44 56183 ----a-w C:\hpfr3425.log
2009-04-19 19:19 . 2004-12-28 18:20 519 ----a-w C:\hpfr3420.xml
2009-04-15 11:55 . 2002-08-29 05:00 227840 ----a-w c:\windows\SYSTEM32\DLLCACHE\wmiprvse.exe
2009-03-29 20:42 . 2008-03-09 10:39 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-29 20:41 . 2004-06-05 21:09 -------- d-----w c:\program files\SpywareBlaster
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
2009-03-06 15:51 . 2009-03-06 15:51 102 ----a-w C:\VundoFix.txt
2009-03-06 14:22 . 2002-08-29 05:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-06 14:22 . 2002-08-29 05:00 284160 ----a-w c:\windows\SYSTEM32\DLLCACHE\pdh.dll
2009-03-03 20:15 . 2009-03-03 20:15 266240 ----a-w c:\windows\SYSTEM32\CSHelper.exe
2009-03-03 20:15 . 2009-03-03 20:15 225280 ----a-w c:\windows\SYSTEM32\CSInstru.DLL
2009-03-03 00:18 . 2006-11-07 21:03 826368 ------w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-02-06 17:05 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-28 04:54 . 2002-08-29 05:00 636072 --s-a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-20 10:20 . 2007-05-20 19:07 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2002-08-29 05:00 70656 ----a-w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2002-08-29 05:00 161792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 12:10 . 2002-08-29 05:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2004-04-26 18:54 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 05:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 05:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-15 19:45 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2002-08-29 05:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 18:02 . 2002-08-29 05:00 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-07 18:02 . 2002-08-29 05:00 2066048 ----a-w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-29 05:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2002-08-29 05:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:08 . 2002-08-29 05:00 2189056 ----a-w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 19:43 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 10:39 . 2002-08-29 05:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2002-08-29 05:00 35328 ----a-w c:\windows\SYSTEM32\DLLCACHE\sc.exe
2009-02-06 10:32 . 2008-10-15 19:43 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-05 16:42 . 2007-06-17 09:07 959 ----a-w C:\rollback.ini
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
2009-02-03 19:59 . 2002-08-29 05:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2008-10-03 20:25 . 2004-01-27 21:34 109232 -c--a-w c:\documents and settings\mark turner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-03-26 17:10 . 2007-03-26 17:10 69536 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-27 20:05 . 2006-05-14 11:42 40240 -c--a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-11-23 11:50 . 2005-04-30 09:30 38264 -c--a-w c:\documents and settings\mark turner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-27 20:52 . 2008-05-27 20:53 32768 -csha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-04-24_19.54.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-25 17:19 . 2009-02-15 23:10 97672 c:\windows\SYSTEM32\ZoneLabs\zlquarantine.dll
+ 2009-04-25 17:19 . 2008-11-17 01:24 51688 c:\windows\SYSTEM32\ZoneLabs\srescan.sys
+ 2009-04-25 17:18 . 2009-02-15 23:10 94088 c:\windows\SYSTEM32\ZoneLabs\lib\zvpn.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 20360 c:\windows\SYSTEM32\ZoneLabs\lib\zsys.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 59272 c:\windows\SYSTEM32\ZoneLabs\lib\zpdp.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 14216 c:\windows\SYSTEM32\ZoneLabs\lib\zmenu.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 24968 c:\windows\SYSTEM32\ZoneLabs\lib\zic.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 84872 c:\windows\SYSTEM32\ZoneLabs\lib\ZAlert.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 34696 c:\windows\SYSTEM32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 17800 c:\windows\SYSTEM32\ZoneLabs\lib\oem_1466.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 10120 c:\windows\SYSTEM32\ZoneLabs\lib\oem_1454.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 10632 c:\windows\SYSTEM32\ZoneLabs\lib\oem_1445.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 13704 c:\windows\SYSTEM32\ZoneLabs\lib\oem_1440.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 11656 c:\windows\SYSTEM32\ZoneLabs\lib\oem_1413.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 11144 c:\windows\SYSTEM32\ZoneLabs\lib\oem_1010.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 29576 c:\windows\SYSTEM32\ZoneLabs\lib\NavBar.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 12168 c:\windows\SYSTEM32\ZoneLabs\lib\MainLoop.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 35720 c:\windows\SYSTEM32\ZoneLabs\lib\Alert.zip.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 38280 c:\windows\SYSTEM32\ZoneLabs\featuremap.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 98184 c:\windows\SYSTEM32\ZoneLabs\fbl.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 74632 c:\windows\SYSTEM32\ZoneLabs\camupd.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 69000 c:\windows\SYSTEM32\zlcomm.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 35208 c:\windows\SYSTEM32\vswmi.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 58248 c:\windows\SYSTEM32\vsregexp.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 9608 c:\windows\SYSTEM32\ZoneLabs\lib\oem_1460.zip.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 02:54 . 2008-07-29 02:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 04:23 . 2008-07-29 04:23 626688 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcr90.dll
+ 2008-07-29 04:23 . 2008-07-29 04:23 856576 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcp90.dll
+ 2008-07-29 02:51 . 2008-07-29 02:51 245760 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcm90.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 108424 c:\windows\SYSTEM32\ZoneLabs\zlupdate.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 302472 c:\windows\SYSTEM32\ZoneLabs\zlsre.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 178568 c:\windows\SYSTEM32\ZoneLabs\zlparser.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 172936 c:\windows\SYSTEM32\ZoneLabs\vsvault.dll
+ 2009-04-25 17:17 . 2009-02-15 23:10 108424 c:\windows\SYSTEM32\ZoneLabs\vsdb.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 176520 c:\windows\SYSTEM32\ZoneLabs\updclient.exe
- 2009-02-07 22:05 . 2007-10-11 16:51 832984 c:\windows\SYSTEM32\ZoneLabs\updating.dll
+ 2009-04-25 17:19 . 2007-10-11 15:51 832984 c:\windows\SYSTEM32\ZoneLabs\updating.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 431496 c:\windows\SYSTEM32\ZoneLabs\ssleay32.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 134536 c:\windows\SYSTEM32\ZoneLabs\scheduler.dll
+ 2009-04-25 17:19 . 2008-11-17 01:23 796128 c:\windows\SYSTEM32\ZoneLabs\qrsrecl.dll
+ 2009-04-25 17:19 . 2008-11-17 01:23 722400 c:\windows\SYSTEM32\ZoneLabs\qrbase.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 118664 c:\windows\SYSTEM32\ZoneLabs\lib\zui.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 151944 c:\windows\SYSTEM32\ZoneLabs\lib\ztv.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 188808 c:\windows\SYSTEM32\ZoneLabs\lib\Overview.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 344968 c:\windows\SYSTEM32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 136584 c:\windows\SYSTEM32\ZoneLabs\lib\DashBoard.zip.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 344456 c:\windows\SYSTEM32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2009-04-25 17:17 . 2009-02-04 17:27 548128 c:\windows\SYSTEM32\ZoneLabs\icslta.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 159112 c:\windows\SYSTEM32\ZoneLabs\httpblocker.dll
+ 2009-04-25 17:19 . 2008-03-17 15:52 813568 c:\windows\SYSTEM32\ZoneLabs\dbghelp.dll
- 2009-02-07 22:05 . 2008-03-17 16:52 813568 c:\windows\SYSTEM32\ZoneLabs\dbghelp.dll
+ 2009-04-25 17:19 . 2009-02-15 23:10 103816 c:\windows\SYSTEM32\zlcommdb.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 109960 c:\windows\SYSTEM32\vsxml.dll
+ 2009-04-25 17:17 . 2009-02-15 23:10 482184 c:\windows\SYSTEM32\vsutil.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 309128 c:\windows\SYSTEM32\vspubapi.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 107912 c:\windows\SYSTEM32\vsmonapi.dll
+ 2009-04-25 17:17 . 2009-02-15 23:10 229256 c:\windows\SYSTEM32\vsinit.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 353672 c:\windows\SYSTEM32\vsdatant.sys
+ 2009-04-25 17:17 . 2009-02-15 23:10 110472 c:\windows\SYSTEM32\vsdata.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 1648520 c:\windows\SYSTEM32\ZoneLabs\vsruledb.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 2402184 c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
+ 2009-04-25 17:19 . 2008-11-17 01:23 1512928 c:\windows\SYSTEM32\ZoneLabs\srescan.dll
+ 2009-04-25 17:18 . 2009-02-15 23:10 1536392 c:\windows\SYSTEM32\ZoneLabs\lib\zpy.zip.dll
+ 2009-04-25 17:19 . 2008-12-15 00:11 10465257 c:\windows\SYSTEM32\ZoneLabs\zlasdbup.dat
+ 2009-04-25 17:19 . 2008-12-15 00:11 10465257 c:\windows\SYSTEM32\ZoneLabs\spyware.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HostManager"="c:\program files\Common Files\AOL\1223586317\ee\AOLSoftware.exe" [2006-11-14 50736]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-14 98304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk.disabled]
backup=c:\windows\pss\Kodak EasyShare software.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
backup=c:\windows\pss\Microsoft Office.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^mark turner^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^mark turner^Start Menu^Programs^Startup^SpywareGuard.lnk]
backup=c:\windows\pss\SpywareGuard.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=2 (0x2)
"iPodService"=3 (0x3)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"GSICONEXE"=gsicon.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\AOL\\1173459437\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1173459437\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223586317\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2002-12-24 39040]
R3 MEMSWEEP2;MEMSWEEP2; [x]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2002-12-24 54016]
R3 USTOR;Verbatim Store 'n' Go;c:\windows\system32\DRIVERS\UStork.sys [2003-04-02 19762]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-03-03 266240]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - VSMON
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94117d80-7c5d-11d9-977f-00038a000015}]
\Shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c87294d6-a05d-11dd-8f54-00038a000015}]
\Shell\access\command - e:\.\sgportable\SGPortable.exe
\Shell\AutoRun\command - e:\.\sgportable\SGPortable.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e53405bd-8b29-11dd-a85a-00038a000015}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-25 c:\windows\Tasks\User_Feed_Synchronization-{B5C1C72B-289E-42A9-835B-6634B3341A9F}.job
- c:\windows\system32\msfeedssync.exe [2006-04-13 11:58]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &AOL Toolbar search
IE: E&xport to Microsoft Excel
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 19:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\65.tmp"
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3369489060-662800114-1466839097-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="..."
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1528)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\windows\system32\klogon.dll
- - - - - - - > 'lsass.exe'(1632)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
- - - - - - - > 'explorer.exe'(3316)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\windows\system32\msi.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\scrchpg.dll
.
Completion time: 2009-04-25 19:15
ComboFix-quarantined-files.txt 2009-04-25 18:15
ComboFix2.txt 2009-04-25 17:05
ComboFix3.txt 2009-04-24 19:57
Pre-Run: 8,306,122,752 bytes free
Post-Run: 8,295,841,792 bytes free
303 --- E O F --- 2009-04-15 12:49
0 -
All done, many thanks Rik, you're a star!
:beer:0