
Please Help Laptop Died

Comments

  • busenbust
    busenbust Posts: 4,782 Forumite
    jacnorm wrote: »
    Is this safe for my everyday things now? Also how often do I need to be running scans etc ?

    I repeat, it's only safe if your machine is 'clean'. Has all the suspect malware been removed? Are you still experiencing any problems? Periodically running scans is fine IMO; perhaps every 2/3 weeks? Some might suggest less/more. Depends on browsing habits? I must admit, I only run a scan if I notice any problems and a deviation from the normal browsing experience - but that's me :wink:. So, as I say, can be a personal preference really.

    HTH.
  • Tao81
    Tao81 Posts: 653 Forumite
    I'm blown away after reading this thread just how quickly you got the OP back up and running safely.....WELL DONE!

    ....Just a quick question - I use firefox and when you mention no script is this a setting that you have to set yourself or is it done by default? If so, need to do it myself, where do I find the box to tick please? Thanks :D
    Be kinder than necessary, for everyone you meet is fighting some kind of battle. :A
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Download COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Switch off your anti virus and follow the simple instructions
    Post the WHOLE of the log it creates (split into sections if too big)
    :idea:
  • jacnorm
    jacnorm Posts: 410 Forumite
    I can honestly say this laptop is working better now than it has done for a while. The scans are not finding anything now at all. I have installed everything you suggested and checked everything over and over, and still it is coming back clean. I can't believe just how well it's all working now. Many, many thanks.
  • busenbust
    busenbust Posts: 4,782 Forumite
    Tao81 wrote: »
    ....Just a quick question - I use firefox and when you mention no script is this a setting that you have to set yourself or is it done by default? If so, need to do it myself, where do I find the box to tick please? Thanks :D

    It's a FF add-on which you download. Recommended :cool:
  • jacnorm
    jacnorm Posts: 410 Forumite
    ComboFix 10-01-16.04 - jacqui 17/01/2010 16:01:58.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.246 [GMT 0:00]
    Running from: c:\documents and settings\jacqui\My Documents\Downloads\ComboFix.exe
    AV: avast! antivirus 4.8.1368 [VPS 100117-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\EventSystem.log
    c:\windows\system32\AutoRun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_MYWEBSEARCHSERVICE
    \Service_MyWebSearchService


    ((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
    .

    2010-01-17 14:11 . 2009-11-02 20:42 195456 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-01-17 14:07 . 2010-01-17 14:07 d-----w- c:\windows\system32\wbem\Repository
    2010-01-17 13:51 . 2010-01-17 14:06 d-----w- C:\32788R22FWJFW(2)
    2010-01-17 12:28 . 2010-01-17 12:28 d-----w- c:\program files\Windows Defender
    2010-01-16 22:57 . 2010-01-16 22:57 d-----w- c:\program files\Trend Micro
    2010-01-13 16:03 . 2010-01-13 16:03 d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
    2010-01-13 11:13 . 2009-11-21 15:51 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-07 14:20 . 2010-01-07 14:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-01-05 16:19 . 2010-01-05 16:19 d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
    2010-01-04 18:33 . 2010-01-04 18:33 d-----w- c:\documents and settings\jacqui\Application Data\Trusteer
    2010-01-04 18:33 . 2010-01-04 18:33 d-----w- c:\program files\Trusteer
    2010-01-04 18:32 . 2010-01-04 18:32 d-----w- c:\documents and settings\All Users\Application Data\Trusteer
    2010-01-03 13:45 . 2010-01-03 13:45 d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-01-03 13:40 . 2010-01-03 13:40 d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-01-02 18:40 . 2010-01-02 18:40 d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-17 16:20 . 2009-03-18 19:02 d-----w- c:\program files\DNA
    2010-01-17 16:20 . 2009-03-18 19:02 d-----w- c:\documents and settings\jacqui\Application Data\DNA
    2010-01-17 16:20 . 2007-06-23 11:08 d---a-w- c:\documents and settings\All Users\Application Data\temp
    2010-01-16 21:54 . 2009-08-21 17:33 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-16 21:54 . 2010-01-16 21:54 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-07 16:07 . 2009-08-21 17:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 16:07 . 2009-08-21 17:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-03 13:40 . 2007-06-18 22:11 d-----w- c:\program files\Google
    2010-01-02 18:41 . 2010-01-02 18:40 2605832 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2009-12-06 10:38 . 2009-11-28 20:33 d-----w- c:\program files\Microsoft Silverlight
    2009-12-03 17:41 . 2007-06-21 10:03 56720 ----a-w- c:\documents and settings\jacqui\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-03 16:38 . 2009-12-03 16:38 d-----w- c:\program files\MSBuild
    2009-12-03 16:38 . 2009-12-03 16:38 d-----w- c:\program files\Reference Assemblies
    2009-11-28 20:33 . 2009-05-03 12:23 d-----w- c:\program files\Windows Live
    2009-11-28 20:28 . 2009-11-28 20:28 d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2009-11-28 20:16 . 2007-06-18 22:00 d-----w- c:\program files\Java
    2009-11-28 20:14 . 2009-11-28 20:14 152576 ----a-w- c:\documents and settings\jacqui\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-11-28 20:14 . 2009-11-09 15:26 79488 ----a-w- c:\documents and settings\jacqui\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-11-28 20:13 . 2009-11-28 20:10 1924440 ----a-w- c:\documents and settings\jacqui\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
    2009-11-24 23:54 . 2009-08-20 19:33 1280480 ----a-w- c:\windows\system32\aswBoot.exe
    2009-11-24 23:51 . 2009-08-20 19:34 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2009-11-24 23:50 . 2009-08-20 19:34 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2009-11-24 23:50 . 2009-08-20 19:34 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2009-11-24 23:50 . 2009-08-20 19:34 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-11-24 23:49 . 2009-08-20 19:34 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-11-24 23:48 . 2009-08-20 19:34 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-11-24 23:47 . 2009-08-20 19:34 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2009-11-24 23:47 . 2009-08-20 19:34 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2009-11-21 15:51 . 2004-08-10 11:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-10-29 07:46 . 2004-08-10 11:51 832512 ----a-w- c:\windows\system32\wininet.dll
    2009-10-29 07:46 . 2004-08-10 11:51 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-29 07:46 . 2004-08-10 11:50 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-10-23 09:33 . 2007-06-24 16:37 56720 ----a-w- c:\documents and settings\kirsty.JACNORM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-21 05:38 . 2004-08-10 11:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-10 11:51 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-03 22:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    .
  • jacnorm
    jacnorm Posts: 410 Forumite
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
    "IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-27 251264]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "NCLaunch"="c:\windows\NCLAUNCH.EXe" [2007-07-21 40960]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-17 323392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-03 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 282624]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
    "EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-28 185896]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-18 24576]
    Ulead Photo Express 3.0 SE Calendar Checker.lnk - c:\program files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe [2009-2-10 61440]
    Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-8-1 670256]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [20/08/2009 19:34 114768]
    R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/12/2009 13:37 58984]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/12/2009 13:37 337000]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [20/08/2009 19:34 20560]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/12/2009 13:37 972008]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/01/2010 13:40 135664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 13:39]

    2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 13:39]

    2010-01-17 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.yahoo.com/
    uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=0GcYHhZFMf0xOrC89UNvxQ&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=pBc5b8HngTFmGfqSqLdCvNpQ0u8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Search
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
    IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?c9c319d62ed648bbbac397f24f860cb3
    IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?c9c319d62ed648bbbac397f24f860cb3
    FF - ProfilePath - c:\documents and settings\jacqui\Application Data\Mozilla\Firefox\Profiles\1in8irci.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZSYYYYYYYYGB&fl=0&ptb=TzLobXdPa6GYUuKqxvZ1RQ&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77ce525d&searchfor=
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Magentic - c:\progra~1\Magentic\bin\Magentic.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-17 16:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(800)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(7936)
    c:\windows\system32\WININET.dll
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\windows\stsystra.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
    c:\program files\IncrediMail\bin\IMApp.exe
    c:\program files\ATI Technologies\ATI.ACE\cli.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    c:\windows\system32\ssmypics.scr
    .
    **************************************************************************
    .
    Completion time: 2010-01-17 16:28:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-17 16:28

    Pre-Run: 56,036,483,072 bytes free
    Post-Run: 57,865,306,112 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - CC1F137BC5F85F4A4B68E07207A688A5
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    TICK these in hijack this and click to FIX them ~
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebI...6-6D5536C585C9}
    O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)



    Open notepad and copy/paste the text in RED below

    File::
    c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    c:\program files\DNA\btdna.exe




    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif


    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.



    :idea:
  • jacnorm
    jacnorm Posts: 410 Forumite
    ComboFix 10-01-16.04 - jacqui 17/01/2010 18:43:34.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.349 [GMT 0:00]
    Running from: c:\documents and settings\jacqui\My Documents\Downloads\ComboFix.exe
    AV: avast! antivirus 4.8.1368 [VPS 100117-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
    .
    2010-01-17 14:11 . 2009-11-02 20:42 195456 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-01-17 14:07 . 2010-01-17 14:07 d-----w- c:\windows\system32\wbem\Repository
    2010-01-17 13:51 . 2010-01-17 14:06 d-----w- C:\32788R22FWJFW(2)
    2010-01-17 12:28 . 2010-01-17 12:28 d-----w- c:\program files\Windows Defender
    2010-01-16 22:57 . 2010-01-16 22:57 d-----w- c:\program files\Trend Micro
    2010-01-16 21:54 . 2010-01-16 21:54 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-13 16:03 . 2010-01-13 16:03 d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
    2010-01-13 11:13 . 2009-11-21 15:51 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-07 14:20 . 2010-01-07 14:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-01-05 16:19 . 2010-01-05 16:19 d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
    2010-01-04 18:33 . 2010-01-04 18:33 d-----w- c:\documents and settings\jacqui\Application Data\Trusteer
    2010-01-04 18:33 . 2010-01-04 18:33 d-----w- c:\program files\Trusteer
    2010-01-04 18:32 . 2010-01-04 18:32 d-----w- c:\documents and settings\All Users\Application Data\Trusteer
    2010-01-03 13:45 . 2010-01-03 13:45 d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-01-03 13:40 . 2010-01-03 13:40 d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-01-02 18:40 . 2010-01-02 18:41 2605832 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2010-01-02 18:40 . 2010-01-02 18:40 d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-17 18:10 . 2009-03-18 19:02 d-----w- c:\documents and settings\jacqui\Application Data\DNA
    2010-01-17 16:20 . 2009-03-18 19:02 d-----w- c:\program files\DNA
    2010-01-17 16:20 . 2007-06-23 11:08 d---a-w- c:\documents and settings\All Users\Application Data\temp
    2010-01-16 21:54 . 2009-08-21 17:33 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-07 16:07 . 2009-08-21 17:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 16:07 . 2009-08-21 17:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-03 13:40 . 2007-06-18 22:11 d-----w- c:\program files\Google
    2009-12-06 10:38 . 2009-11-28 20:33 d-----w- c:\program files\Microsoft Silverlight
    2009-12-03 17:41 . 2007-06-21 10:03 56720 ----a-w- c:\documents and settings\jacqui\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-03 16:38 . 2009-12-03 16:38 d-----w- c:\program files\MSBuild
    2009-12-03 16:38 . 2009-12-03 16:38 d-----w- c:\program files\Reference Assemblies
    2009-11-28 20:33 . 2009-05-03 12:23 d-----w- c:\program files\Windows Live
    2009-11-28 20:28 . 2009-11-28 20:28 d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2009-11-28 20:16 . 2007-06-18 22:00 d-----w- c:\program files\Java
    2009-11-28 20:14 . 2009-11-28 20:14 152576 ----a-w- c:\documents and settings\jacqui\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-11-28 20:14 . 2009-11-09 15:26 79488 ----a-w- c:\documents and settings\jacqui\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-11-28 20:13 . 2009-11-28 20:10 1924440 ----a-w- c:\documents and settings\jacqui\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
    2009-11-24 23:54 . 2009-08-20 19:33 1280480 ----a-w- c:\windows\system32\aswBoot.exe
    2009-11-24 23:51 . 2009-08-20 19:34 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2009-11-24 23:50 . 2009-08-20 19:34 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2009-11-24 23:50 . 2009-08-20 19:34 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2009-11-24 23:50 . 2009-08-20 19:34 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-11-24 23:49 . 2009-08-20 19:34 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-11-24 23:48 . 2009-08-20 19:34 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-11-24 23:47 . 2009-08-20 19:34 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2009-11-24 23:47 . 2009-08-20 19:34 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2009-11-21 15:51 . 2004-08-10 11:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-10-29 07:46 . 2004-08-10 11:51 832512 ----a-w- c:\windows\system32\wininet.dll
    2009-10-29 07:46 . 2004-08-10 11:51 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-29 07:46 . 2004-08-10 11:50 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-10-23 09:33 . 2007-06-24 16:37 56720 ----a-w- c:\documents and settings\kirsty.JACNORM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-21 05:38 . 2004-08-10 11:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-10 11:51 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-03 22:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
    "IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-27 251264]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "NCLaunch"="c:\windows\NCLAUNCH.EXe" [2007-07-21 40960]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-03 39408]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 282624]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
    "EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-28 185896]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-18 24576]
    Ulead Photo Express 3.0 SE Calendar Checker.lnk - c:\program files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe [2009-2-10 61440]
    Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-8-1 670256]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [20/08/2009 19:34 114768]
    R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/12/2009 13:37 58984]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/12/2009 13:37 337000]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [20/08/2009 19:34 20560]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/12/2009 13:37 972008]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/01/2010 13:40 135664]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    .
    Contents of the 'Scheduled Tasks' folder
    2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 13:39]
    2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 13:39]
    2010-01-17 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.yahoo.com/
    uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=0GcYHhZFMf0xOrC89UNvxQ&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=pBc5b8HngTFmGfqSqLdCvNpQ0u8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Search
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
    IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?c9c319d62ed648bbbac397f24f860cb3
    IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?c9c319d62ed648bbbac397f24f860cb3
    FF - ProfilePath - c:\documents and settings\jacqui\Application Data\Mozilla\Firefox\Profiles\1in8irci.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZSYYYYYYYYGB&fl=0&ptb=TzLobXdPa6GYUuKqxvZ1RQ&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77ce525d&searchfor=
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-17 18:50
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(800)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    - - - - - - - > 'explorer.exe'(20428)
    c:\windows\system32\WININET.dll
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\system32\ieframe.dll
    c:\program files\IncrediMail\bin\B4ImApp.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-01-17 18:53:54
    ComboFix-quarantined-files.txt 2010-01-17 18:53
    ComboFix2.txt 2010-01-17 16:28
    Pre-Run: 57,929,596,928 bytes free
    Post-Run: 57,906,626,560 bytes free
    - - End Of File - - 1C6787C13DAC5EBEC9EEE0939D402210
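The 'Supplementary Scan' block above is the part of a ComboFix log that exposes browser search hijacks: the IE `uSearchMigratedDefaultUrl` key and the Firefox `browser.search.selectedEngine` / `keyword.URL` prefs all point at mywebsearch.com. The following Python is an added example (not posted in the thread and not part of ComboFix) that parses those IE/Firefox setting lines, re-fangs ComboFix's `hxxp://` links, follows URLs nested in the query string, and flags any host on a watchlist. The watchlist contents (mywebsearch.com and the engine name MyWebSearch) are an assumption chosen for this example; the sample lines are copied from the log above.

```python
"""Scan ComboFix 'Supplementary Scan' browser entries for search/home-page
hijacks. Added example, not part of the thread or of ComboFix itself."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the IE and Firefox settings lines copied from the log above.
SAMPLE_LOG = """\
uStart Page = hxxp://uk.yahoo.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=0GcYHhZFMf0xOrC89UNvxQ&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=pBc5b8HngTFmGfqSqLdCvNpQ0u8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZSYYYYYYYYGB&fl=0&ptb=TzLobXdPa6GYUuKqxvZ1RQ&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77ce525d&searchfor=
"""

# Assumed watchlist for this example: domains and engine names you do not
# expect to own the browser's search or start page. Extend for your own cases.
WATCH_DOMAINS = {"mywebsearch.com"}
WATCH_ENGINE_NAMES = {"mywebsearch"}

# 'uStart Page = ...' / 'mStart Page = ...': u = per-user, m = per-machine IE key
IE_LINE = re.compile(r"^(?P<scope>[um])(?P<key>[^=]+?)\s*=\s*(?P<val>.+)$")
# 'FF - prefs.js: <pref> - <value>'
FF_LINE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<val>.+)$")


def refang(value):
    """ComboFix writes hxxp:// so pasted logs are not clickable; undo that."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_browser_settings(text):
    """Return (browser, key, value) triples for IE and Firefox setting lines."""
    settings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FF_LINE.match(line)
        if m:
            settings.append(("Firefox", m.group("key"), refang(m.group("val"))))
            continue
        m = IE_LINE.match(line)
        if m:
            scope = "user" if m.group("scope") == "u" else "machine"
            settings.append(("IE/" + scope, m.group("key").strip(), refang(m.group("val"))))
    return settings


def hosts_in(value):
    """Hosts referenced by a setting value, including URLs nested in its query
    string (hijackers often bounce through a second search site via url=...)."""
    if "://" not in value:
        return []
    try:
        parsed = urlparse(value)
    except ValueError:
        return []
    hosts = [(parsed.hostname or "").lower()]
    for values in parse_qs(parsed.query).values():
        for v in values:
            if "://" in v:
                try:
                    hosts.append((urlparse(v).hostname or "").lower())
                except ValueError:
                    pass
    return [h for h in hosts if h]


def on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def find_search_hijacks(text):
    """(browser, key, matched host or engine name) for every flagged setting."""
    findings = []
    for browser, key, value in parse_browser_settings(text):
        hosts = hosts_in(value)
        if hosts:
            hit = next((h for h in hosts if on_watchlist(h)), None)
            if hit:
                findings.append((browser, key, hit))
        elif value.strip().lower() in WATCH_ENGINE_NAMES:
            findings.append((browser, key, value.strip()))
    return findings


if __name__ == "__main__":
    for browser, key, hit in find_search_hijacks(SAMPLE_LOG):
        print(f"{browser:10} {key:32} -> {hit}")
```

Run against the sample it reports the three MyWebSearch entries (the IE migrated default search URL, the Firefox selected engine and the Firefox keyword.URL) and nothing else, which is the same set a human would pick out of the log by eye; checking nested `url=` parameters matters because these redirectors commonly hand off to a second search site that may be the only domain on your list.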
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
You didn't do that properly

You need to DRAG the notepad file ONTO the combofix icon for it to auto-start
    :idea:
This discussion has been closed.