A few things before we start....
1. Please Read All Instructions Carefully.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you.
4. If you have to go away for an extended period of time, let me know.
5. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there)
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.
Please Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:
Please also ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
First, please download JavaRa to your desktop and unzip it to its own folder
Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
================
Next,
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Driver::
Nsv04
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your new reply, as well as let me know how your PC is running now.
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
ComboFix 09-12-20.08 - murdo 21/12/2009 21:46:15.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.260 [GMT 0:00]
Running from: c:\documents and settings\murdo\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\murdo\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_NSV04
\Service_Nsv04
Hi chiaz sorry for delay. getting back to you. when I click big green button it asks for Install ActiveX control however when I then click on this nothing happens and i have no yellow bar
Wednesday, December 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 30, 2009 12:12:41
Records in database: 3415859
Scan settings
scan using the following database
extended
Scan archives
yes
Scan e-mail databases
yes
Scan area
My Computer
C:\
D:\
E:\
F:\
G:\
H:\
N:\
Scan statistics
Objects scanned
59874
Threats found
8
Infected objects found
13
Suspicious objects found
0
Scan duration
02:35:27
File name Threat Threats count
C:\Documents and Settings\murdo\Local Settings\Application Data\Identities\{32F6782C-787B-43D8-9EF0-36FE3E02BDE1}\Microsoft\Outlook Express\Deleted Items.dbx
Infected: Worm.Win32.AutoRun.lwx
1
C:\Documents and Settings\murdo\Local Settings\temp\pdfupd.exe
Infected: Trojan.Win32.FraudPack.ahwr
1
C:\Documents and Settings\murdo\Local Settings\Temporary Internet Files\Content.IE5\LO99R99B\ms307[2].exe
Infected: Trojan.Win32.FraudPack.ahwr
1
C:\Documents and Settings\murdo\My Documents\Incomplete\Preview-T-4304538-simon howie.wma
Infected: Trojan-Downloader.WMA.Wimad.y
1
C:\Documents and Settings\murdo\My Documents\My Music\dixie chicks country.mp3
Infected: Trojan-Downloader.WMA.GetCodec.c
1
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
File::
C:\Documents and Settings\murdo\Local Settings\temp\pdfupd.exe
C:\Documents and Settings\murdo\Local Settings\Temporary Internet Files\Content.IE5\LO99R99B\ms307[2].exe
C:\Documents and Settings\murdo\My Documents\Incomplete\Preview-T-4304538-simon howie.wma
C:\Documents and Settings\murdo\My Documents\My Music\dixie chicks country.mp3
C:\Documents and Settings\murdo\My Documents\My Music\thunder rolls garth brookes.mp3
C:\Documents and Settings\murdo\My Documents\My Videos\Briana Banks Horse Stable Sex.avi
C:\Documents and Settings\murdo\My Documents\My Videos\my best friends mom in front of new webcam.mpg
C:\Documents and Settings\murdo\My Documents\My Videos\simon howie.wma
C:\Documents and Settings\murdo\My Documents\My Videos\the pogues VBR.mp3
C:\Documents and Settings\murdo\My Documents\My Videos\the pogues.mp3
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop. Say Yes if asked to replace.
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your new reply, as well as let me know how your PC is running now.
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
I think our work is done here - your PC should be clean now.
It's time to remove ComboFix.
Go to to Start > Run
Type in box
combofix /uninstall
Note: the space between the X and the /u
Press Enter.
This command will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Even if you have no more queries, I would appreciate if you can reply once more to this thread so that I will be able to have this archived. Thanks.
Comments
Scan saved at 19:30:46, on 15/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\MagicRotation\MagicPvt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\murdo\LOCALS~1\Temp\richtx64.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\vmpro\toolbar.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\murdo\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\mk2cosorth.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [MagicRotation] C:\Program Files\MagicRotation\MagicPvt.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhereSphere] C:\Documents and Settings\murdo\Application Data\WhereSphere\wheresphere.exe
O4 - HKCU\..\Run: [SfKg6wIPuS] C:\Documents and Settings\murdo\Application Data\Microsoft\Windows\oulwsv.exe
O4 - HKCU\..\Run: [richtx64.exe] C:\DOCUME~1\murdo\LOCALS~1\Temp\richtx64.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Free\MailWasher.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: VinylMaster Pro Toolbar.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201081352296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF5592DE-8E44-4887-AC67-2D51733BB04E}: NameServer = 193.36.79.101 193.36.79.100
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate1ca3499e6bd40e) (gupdate1ca3499e6bd40e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 6644 bytes
A few things before we start....
1. Please Read All Instructions Carefully.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you.
4. If you have to go away for an extended period of time, let me know.
5. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there)
Please download Malwarebytes' Anti-Malware by clicking the link below:
Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.
Please Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:
Go here ======> A guide and tutorial on using ComboFix <====== Go here
For now, the download link is:
http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe
Please also ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:22:27, on 20/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\MagicRotation\MagicPvt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\vmpro\toolbar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\mk2cosorth.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [MagicRotation] C:\Program Files\MagicRotation\MagicPvt.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Free\MailWasher.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: VinylMaster Pro Toolbar.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201081352296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF5592DE-8E44-4887-AC67-2D51733BB04E}: NameServer = 193.36.79.100 193.36.79.101
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 5733 bytes
Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
20/12/2009 14:43:23
mbam-log-2009-12-20 (14-43-23).txt
Scan type: Quick Scan
Objects scanned: 113908
Time elapsed: 5 minute(s), 3 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11
Memory Processes Infected:
C:\Program Files\AntiMalware\antimalware.exe (Rogue.AntiMalware) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreguardAV) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfkg6wipus (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antimalware (Rogue.AntiMalware) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Documents and Settings\murdo\Start Menu\Programs\PlayMP3z (Adware.PLayMP3z) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\murdo\Local Settings\Temp\92.exe (Adware.Mirar) -> Quarantined and deleted successfully.
C:\Documents and Settings\murdo\Local Settings\Temp\uac1d94.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\murdo\Local Settings\Temp\uacb9f6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job (Rogue.AntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\AntiMalware\antimalware.exe (Rogue.AntiMalware) -> Delete on reboot.
C:\Program Files\AntiMalware\help.ico (Rogue.AntiMalware) -> Quarantined and deleted successfully.
C:\Program Files\AntiMalware\malw.db (Rogue.AntiMalware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalware\AntiMalware Support.lnk (Rogue.AntiMalware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalware\AntiMalware.lnk (Rogue.AntiMalware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalware\Uninstall AntiMalware.lnk (Rogue.AntiMalware) -> Quarantined and deleted successfully.
ComboFix 09-12-19.03 - murdo 20/12/2009 15:07:01.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.334 [GMT 0:00]
Running from: c:\documents and settings\murdo\Desktop\KittyFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Programs\AntiMalware
c:\program files\AntiMalware
c:\windows\system32\drivers\H8SRTngdtacrnai.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\h8srtcfg.dat
c:\windows\system32\H8SRTjokaorpleq.dll
c:\windows\system32\H8SRTqodwjuwuou.dll
c:\windows\system32\H8SRTykrylasjqe.dat
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\srcr.dat
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_H8SRTd.sys
\Legacy_H8SRTd.sys
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.
2009-12-20 14:56 . 2009-12-20 14:58
d
w- C:\KittyFix
2009-12-20 14:35 . 2009-12-20 14:35
d
w- c:\documents and settings\murdo\Application Data\Malwarebytes
2009-12-20 14:25 . 2009-12-20 14:35
d
w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 13:26 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 13:26 . 2009-12-20 13:26
d
w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 13:26 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 13:57 . 2009-12-15 19:05
d
w- c:\program files\STOPzilla!
2009-12-15 13:45 . 2009-12-20 15:15
d
w- c:\documents and settings\murdo\Application Data\MailWasherFree
2009-12-08 19:00 . 2009-12-20 14:19
d
w- c:\program files\xx.exe
2009-12-08 18:19 . 2009-12-08 18:21
d
w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-07 19:25 . 2009-12-07 19:26
d
w- c:\documents and settings\murdo\Application Data\Antispyware
2009-12-03 20:40 . 1997-09-05 10:23 247184 ----a-w- c:\windows\UNINST16.EXE
2009-12-03 20:40 . 1995-07-13 17:43 26768 ----a-w- c:\windows\system\CTL3D.DLL
2009-12-03 20:40 . 2009-12-03 20:40
d
w- c:\documents and settings\murdo\WINDOWS
2009-12-02 16:44 . 2009-12-02 16:44
d
w- c:\program files\iPod
2009-12-02 16:43 . 2009-12-02 16:46
d
w- c:\program files\iTunes
2009-12-02 16:30 . 2009-12-02 16:32
d
w- c:\program files\QuickTime
2009-12-02 15:31 . 2009-12-02 15:31 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-27 17:11 . 2009-11-27 17:11
d
w- C:\My Music
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 15:14 . 2008-01-16 17:49 16 ----a-w- c:\windows\system32\magicpvt.dat
2009-12-20 15:14 . 2008-04-03 20:19
d
w- c:\program files\Google
2009-12-20 15:14 . 2008-01-16 17:49 32 ----a-w- c:\windows\system32\driver.dat
2009-12-20 15:06 . 2008-01-18 16:29
d
w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-12-20 14:52 . 2009-07-28 19:08
d
w- c:\documents and settings\murdo\Application Data\Spotify
2009-12-20 14:44 . 2009-02-03 17:26
d
w- c:\program files\SUPERAntiSpyware
2009-12-20 14:22 . 2008-04-10 15:25
d
w- c:\program files\Common Files\Wise Installation Wizard
2009-12-15 22:25 . 2008-03-02 16:49
d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-15 19:06 . 2009-06-22 20:27
d
w- c:\documents and settings\All Users\Application Data\DriverCure
2009-12-15 13:40 . 2008-05-07 08:55
d
w- c:\documents and settings\murdo\Application Data\MailWasherPro
2009-12-08 18:05 . 2008-02-26 09:58
d
w- c:\documents and settings\murdo\Application Data\Samsung
2009-12-08 18:05 . 2008-01-16 17:12
d--h--w- c:\program files\InstallShield Installation Information
2009-12-08 07:11 . 2008-01-18 16:30
d
w- c:\documents and settings\All Users\Application Data\SITEguard
2009-12-07 18:14 . 2008-08-31 18:07
d
w- c:\program files\DevalVR
2009-12-02 16:44 . 2008-03-09 11:43
d
w- c:\program files\Common Files\Apple
2009-10-29 05:48 . 2004-08-03 22:56 662016 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 10:08 . 2009-10-27 10:08 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-10-27 10:08 . 2009-10-27 10:08 402064 ----a-r- c:\windows\system32\SZBase5.dll
2009-10-27 09:59 . 2009-10-27 09:59 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-10-21 06:00 . 2004-08-03 22:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-03 22:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-03 21:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 13:40 . 2009-10-20 13:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-10-20 13:40 . 2009-10-20 13:40 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-10-20 13:38 . 2009-10-20 13:38 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-10-20 13:37 . 2009-10-20 13:37 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-10-20 13:37 . 2009-10-20 13:37 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-10-20 13:35 . 2009-10-20 13:35 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-10-20 13:35 . 2009-10-20 13:35 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-10-20 13:35 . 2009-10-20 13:35 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-10-20 13:31 . 2009-10-20 13:31 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-10-13 10:53 . 2004-08-03 22:56 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-03 22:56 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-03 22:56 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-25 05:56 . 2004-08-03 22:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2008-02-22 09:50 . 2008-12-21 11:26 262144 ----a-w- c:\program files\Uninstall Spy Blocker.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2005-11-21 1581056]
"MagicRotation"="c:\program files\MagicRotation\MagicPvt.exe" [2008-01-18 1089536]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\murdo\Start Menu\Programs\Startup\
MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Free\MailWasher.exe [2008-5-7 19451736]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-4-12 344064]
VinylMaster Pro Toolbar.lnk - c:\documents and settings\murdo\Application Data\Microsoft\Installer\{BA9030CF-606B-42F6-ACD5-BB95219EED68}\toolbar.exe [2008-1-17 496128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nsv04.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/05/2009 13:13 61328]
R1 magicpvt;magicpvt;c:\windows\system32\drivers\magicpvt.sys [16/01/2008 17:49 9984]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/05/2009 13:13 61328]
S0 Nsv04;Nsv04;c:\windows\system32\Drivers\Nsv04.sys --> c:\windows\system32\Drivers\Nsv04.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
.
Supplementary Scan
.
uStart Page = hxxp://www.orange.co.uk/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
HKCU-Run-WhereSphere - c:\documents and settings\murdo\Application Data\WhereSphere\wheresphere.exe
MSConfigStartUp-AntiMalware - c:\program files\AntiMalware\antimalware.exe
MSConfigStartUp-Antispyware - c:\program files\Antispyware\Antispyware.exe
MSConfigStartUp-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 15:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@DACL=(02 0000)
@=""
.
DLLs Loaded Under Running Processes
- - - - - - - > 'lsass.exe'(632)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
Other Running Processes
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\Mixer.exe
c:\vmpro\toolbar.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-20 15:19:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 15:19
Pre-Run: 129,692,262,400 bytes free
Post-Run: 131,807,346,688 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 6D6B897F6A81EA692F56649D11ED85E7
It's IMPORTANT to carry out the instructions in the sequence listed below.
First, please download JavaRa to your desktop and unzip it to its own folder
================
Next,
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your new reply, as well as let me know how your PC is running now.
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
ComboFix 09-12-20.08 - murdo 21/12/2009 21:46:15.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.260 [GMT 0:00]
Running from: c:\documents and settings\murdo\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\murdo\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_NSV04
\Service_Nsv04
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.
2009-12-20 14:56 . 2009-12-20 14:58
d
w- C:\KittyFix
2009-12-20 14:35 . 2009-12-20 14:35
d
w- c:\documents and settings\murdo\Application Data\Malwarebytes
2009-12-20 14:25 . 2009-12-20 14:35
d
w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 13:26 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 13:26 . 2009-12-20 13:26
d
w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 13:26 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 13:57 . 2009-12-15 19:05
d
w- c:\program files\STOPzilla!
2009-12-15 13:45 . 2009-12-21 21:53
d
w- c:\documents and settings\murdo\Application Data\MailWasherFree
2009-12-08 19:00 . 2009-12-20 14:19
d
w- c:\program files\xx.exe
2009-12-08 18:19 . 2009-12-08 18:21
d
w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-07 19:25 . 2009-12-07 19:26
d
w- c:\documents and settings\murdo\Application Data\Antispyware
2009-12-03 20:40 . 1997-09-05 10:23 247184 ----a-w- c:\windows\UNINST16.EXE
2009-12-03 20:40 . 1995-07-13 17:43 26768 ----a-w- c:\windows\system\CTL3D.DLL
2009-12-03 20:40 . 2009-12-03 20:40
d
w- c:\documents and settings\murdo\WINDOWS
2009-12-02 16:44 . 2009-12-02 16:44
d
w- c:\program files\iPod
2009-12-02 16:43 . 2009-12-02 16:46
d
w- c:\program files\iTunes
2009-12-02 16:30 . 2009-12-02 16:32
d
w- c:\program files\QuickTime
2009-11-27 17:11 . 2009-11-27 17:11
d
w- C:\My Music
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 21:52 . 2008-01-16 17:49 16 ----a-w- c:\windows\system32\magicpvt.dat
2009-12-21 21:52 . 2008-01-16 17:49 32 ----a-w- c:\windows\system32\driver.dat
2009-12-21 21:25 . 2008-04-01 14:49
d
w- c:\program files\Java
2009-12-20 15:14 . 2008-04-03 20:19
d
w- c:\program files\Google
2009-12-20 15:06 . 2008-01-18 16:29
d
w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-12-20 14:52 . 2009-07-28 19:08
d
w- c:\documents and settings\murdo\Application Data\Spotify
2009-12-20 14:44 . 2009-02-03 17:26
d
w- c:\program files\SUPERAntiSpyware
2009-12-20 14:22 . 2008-04-10 15:25
d
w- c:\program files\Common Files\Wise Installation Wizard
2009-12-15 22:25 . 2008-03-02 16:49
d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-15 19:06 . 2009-06-22 20:27
d
w- c:\documents and settings\All Users\Application Data\DriverCure
2009-12-15 13:40 . 2008-05-07 08:55
d
w- c:\documents and settings\murdo\Application Data\MailWasherPro
2009-12-08 18:05 . 2008-02-26 09:58
d
w- c:\documents and settings\murdo\Application Data\Samsung
2009-12-08 18:05 . 2008-01-16 17:12
d--h--w- c:\program files\InstallShield Installation Information
2009-12-08 07:11 . 2008-01-18 16:30
d
w- c:\documents and settings\All Users\Application Data\SITEguard
2009-12-07 18:14 . 2008-08-31 18:07
d
w- c:\program files\DevalVR
2009-12-02 16:44 . 2008-03-09 11:43
d
w- c:\program files\Common Files\Apple
2009-12-02 15:31 . 2009-12-02 15:31 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 05:48 . 2004-08-03 22:56 662016
w- c:\windows\system32\wininet.dll
2009-10-27 10:08 . 2009-10-27 10:08 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-10-27 10:08 . 2009-10-27 10:08 402064 ----a-r- c:\windows\system32\SZBase5.dll
2009-10-27 09:59 . 2009-10-27 09:59 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-10-21 06:00 . 2004-08-03 22:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-03 22:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-03 21:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 13:40 . 2009-10-20 13:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-10-20 13:40 . 2009-10-20 13:40 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-10-20 13:38 . 2009-10-20 13:38 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-10-20 13:37 . 2009-10-20 13:37 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-10-20 13:37 . 2009-10-20 13:37 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-10-20 13:35 . 2009-10-20 13:35 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-10-20 13:35 . 2009-10-20 13:35 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-10-20 13:35 . 2009-10-20 13:35 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-10-20 13:31 . 2009-10-20 13:31 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-10-13 10:53 . 2004-08-03 22:56 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-03 22:56 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-03 22:56 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-25 05:56 . 2004-08-03 22:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2008-02-22 09:50 . 2008-12-21 11:26 262144 ----a-w- c:\program files\Uninstall Spy Blocker.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
Also how's your PC running now?
Thanks again
Let's have you go HERE to run Panda ActiveScan 2.0
http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 30, 2009 12:12:41
Records in database: 3415859
Scan settings
scan using the following database
extended
Scan archives
yes
Scan e-mail databases
yes
Scan area
My Computer
C:\
D:\
E:\
F:\
G:\
H:\
N:\
Scan statistics
Objects scanned
59874
Threats found
8
Infected objects found
13
Suspicious objects found
0
Scan duration
02:35:27
File name
Threat
Threats count
C:\Documents and Settings\murdo\Local Settings\Application Data\Identities\{32F6782C-787B-43D8-9EF0-36FE3E02BDE1}\Microsoft\Outlook Express\Deleted Items.dbx
Infected: Worm.Win32.AutoRun.lwx
1
C:\Documents and Settings\murdo\Local Settings\temp\pdfupd.exe
Infected: Trojan.Win32.FraudPack.ahwr
1
C:\Documents and Settings\murdo\Local Settings\Temporary Internet Files\Content.IE5\LO99R99B\ms307[2].exe
Infected: Trojan.Win32.FraudPack.ahwr
1
C:\Documents and Settings\murdo\My Documents\Incomplete\Preview-T-4304538-simon howie.wma
Infected: Trojan-Downloader.WMA.Wimad.y
1
C:\Documents and Settings\murdo\My Documents\My Music\dixie chicks country.mp3
Infected: Trojan-Downloader.WMA.GetCodec.c
1
C:\Documents and Settings\murdo\My Documents\My Music\thunder rolls garth brookes.mp3
Infected: Trojan-Downloader.WMA.GetCodec.c
1
C:\Documents and Settings\murdo\My Documents\My Videos\Briana Banks Horse Stable Sex.avi
Infected: Trojan-Downloader.WMA.GetCodec.a
1
C:\Documents and Settings\murdo\My Documents\My Videos\my best friends mom in front of new webcam.mpg
Infected: Trojan-Downloader.WMA.GetCodec.e
1
C:\Documents and Settings\murdo\My Documents\My Videos\simon howie.wma
Infected: Trojan-Downloader.WMA.Wimad.y
1
C:\Documents and Settings\murdo\My Documents\My Videos\the pogues VBR.mp3
Infected: Trojan-Downloader.WMA.GetCodec.u
1
C:\Documents and Settings\murdo\My Documents\My Videos\the pogues.mp3
Infected: Trojan-Downloader.WMA.GetCodec.u
1
C:\System Volume Information\_restore{21A0BD0C-D7C0-4866-9054-F45FF3B36330}\RP745\A0134243.exe
Infected: Trojan.Win32.Tdss.aval
1
C:\System Volume Information\_restore{21A0BD0C-D7C0-4866-9054-F45FF3B36330}\RP747\A0134753.exe
Infected: Trojan.Win32.FraudPack.ahwr
1
Selected area has been scanned.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop. Say Yes if asked to replace.
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your new reply, as well as let me know how your PC is running now.
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
ComboFix 09-12-30.04 - murdo 31/12/2009 14:06:43.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.319 [GMT 0:00]
Running from: c:\documents and settings\murdo\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\murdo\Desktop\cfscript.txt
FILE ::
"c:\documents and settings\murdo\Local Settings\temp\pdfupd.exe"
"c:\documents and settings\murdo\Local Settings\Temporary Internet Files\Content.IE5\LO99R99B\ms307[2].exe"
"c:\documents and settings\murdo\My Documents\Incomplete\Preview-T-4304538-simon howie.wma"
"c:\documents and settings\murdo\My Documents\My Music\dixie chicks country.mp3"
"c:\documents and settings\murdo\My Documents\My Music\thunder rolls garth brookes.mp3"
"c:\documents and settings\murdo\My Documents\My Videos\Briana Banks Horse Stable Sex.avi"
"c:\documents and settings\murdo\My Documents\My Videos\my best friends mom in front of new webcam.mpg"
"c:\documents and settings\murdo\My Documents\My Videos\simon howie.wma"
"c:\documents and settings\murdo\My Documents\My Videos\the pogues VBR.mp3"
"c:\documents and settings\murdo\My Documents\My Videos\the pogues.mp3Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop. Say Yes if asked to replace."
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\murdo\Local Settings\temp\pdfupd.exe
c:\documents and settings\murdo\Local Settings\Temporary Internet Files\Content.IE5\LO99R99B\ms307[2].exe
c:\documents and settings\murdo\My Documents\Incomplete\Preview-T-4304538-simon howie.wma
c:\documents and settings\murdo\My Documents\My Music\dixie chicks country.mp3
c:\documents and settings\murdo\My Documents\My Music\thunder rolls garth brookes.mp3
c:\documents and settings\murdo\My Documents\My Videos\Briana Banks Horse Stable Sex.avi
c:\documents and settings\murdo\My Documents\My Videos\simon howie.wma
c:\documents and settings\murdo\My Documents\My Videos\the pogues VBR.mp3
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.
2009-12-30 09:54 . 2009-12-30 09:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-30 09:54 . 2009-12-30 09:54 152576 ----a-w- c:\documents and settings\murdo\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-30 09:52 . 2009-12-30 09:53 79488 ----a-w- c:\documents and settings\murdo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-27 14:30 . 2009-12-27 14:30
d
w- c:\program files\Eltima Software
2009-12-20 14:56 . 2009-12-27 18:11
d
w- C:\KittyFix
2009-12-20 14:35 . 2009-12-20 14:35
d
w- c:\documents and settings\murdo\Application Data\Malwarebytes
2009-12-20 14:25 . 2009-12-20 14:35
d
w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 13:26 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 13:26 . 2009-12-20 13:26
d
w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 13:26 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 13:57 . 2009-12-15 19:05
d
w- c:\program files\STOPzilla!
2009-12-15 13:45 . 2009-12-31 10:51
d
w- c:\documents and settings\murdo\Application Data\MailWasherFree
2009-12-08 19:00 . 2009-12-20 14:19
d
w- c:\program files\xx.exe
2009-12-08 18:19 . 2009-12-08 18:21
d
w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-07 19:25 . 2009-12-07 19:26
d
w- c:\documents and settings\murdo\Application Data\Antispyware
2009-12-03 20:40 . 1997-09-05 10:23 247184 ----a-w- c:\windows\UNINST16.EXE
2009-12-03 20:40 . 1995-07-13 17:43 26768 ----a-w- c:\windows\system\CTL3D.DLL
2009-12-03 20:40 . 2009-12-03 20:40
d
w- c:\documents and settings\murdo\WINDOWS
2009-12-02 16:44 . 2009-12-02 16:44
d
w- c:\program files\iPod
2009-12-02 16:43 . 2009-12-02 16:46
d
w- c:\program files\iTunes
2009-12-02 16:30 . 2009-12-02 16:32
d
w- c:\program files\QuickTime
2009-12-02 15:31 . 2009-12-02 15:31 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 13:40 . 2008-01-18 16:29
d
w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-12-30 09:54 . 2008-04-01 14:49
d
w- c:\program files\Java
2009-12-28 11:44 . 2009-12-28 11:44 464 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-12-27 18:14 . 2009-12-27 18:14 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-27 18:13 . 2008-01-16 17:49 16 ----a-w- c:\windows\system32\magicpvt.dat
2009-12-27 18:13 . 2008-01-16 17:49 32 ----a-w- c:\windows\system32\driver.dat
2009-12-27 14:32 . 2008-03-02 16:49
d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-20 15:14 . 2008-04-03 20:19
d
w- c:\program files\Google
2009-12-20 14:52 . 2009-07-28 19:08
d
w- c:\documents and settings\murdo\Application Data\Spotify
2009-12-20 14:44 . 2009-02-03 17:26
d
w- c:\program files\SUPERAntiSpyware
2009-12-20 14:22 . 2008-04-10 15:25
d
w- c:\program files\Common Files\Wise Installation Wizard
2009-12-15 19:06 . 2009-06-22 20:27
d
w- c:\documents and settings\All Users\Application Data\DriverCure
2009-12-15 13:40 . 2008-05-07 08:55
d
w- c:\documents and settings\murdo\Application Data\MailWasherPro
2009-12-08 18:05 . 2008-02-26 09:58
d
w- c:\documents and settings\murdo\Application Data\Samsung
2009-12-08 18:05 . 2008-01-16 17:12
d--h--w- c:\program files\InstallShield Installation Information
2009-12-08 07:11 . 2008-01-18 16:30
d
w- c:\documents and settings\All Users\Application Data\SITEguard
2009-12-07 18:14 . 2008-08-31 18:07
d
w- c:\program files\DevalVR
2009-12-02 16:44 . 2008-03-09 11:43
d
w- c:\program files\Common Files\Apple
2009-10-29 05:48 . 2004-08-03 22:56 662016
w- c:\windows\system32\wininet.dll
2009-10-27 10:08 . 2009-10-27 10:08 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-10-27 10:08 . 2009-10-27 10:08 402064 ----a-r- c:\windows\system32\SZBase5.dll
2009-10-27 09:59 . 2009-10-27 09:59 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-10-21 06:00 . 2004-08-03 22:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-03 22:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-03 21:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 13:40 . 2009-10-20 13:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-10-20 13:40 . 2009-10-20 13:40 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-10-20 13:38 . 2009-10-20 13:38 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-10-20 13:37 . 2009-10-20 13:37 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-10-20 13:37 . 2009-10-20 13:37 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-10-20 13:35 . 2009-10-20 13:35 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-10-20 13:35 . 2009-10-20 13:35 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-10-20 13:35 . 2009-10-20 13:35 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-10-20 13:31 . 2009-10-20 13:31 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-10-13 10:53 . 2004-08-03 22:56 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-03 22:56 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-03 22:56 112128 ----a-w- c:\windows\system32\rastls.dll
2008-02-22 09:50 . 2008-12-21 11:26 262144 ----a-w- c:\program files\Uninstall Spy Blocker.dll
.
((((((((((((((((((((((((((((( [EMAIL="SnapShot@2009-12-20_15.14.46"]SnapShot@2009-12-20_15.14.46[/EMAIL] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-30 09:54 . 2009-12-30 09:54 16384 c:\windows\temp\Perflib_Perfdata_8ac.dat
+ 2009-12-27 15:08 . 2009-12-27 18:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-16 17:02 . 2009-12-27 18:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-16 17:02 . 2009-12-20 14:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-16 17:02 . 2009-12-20 14:44 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-27 15:08 . 2009-12-27 18:44 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-03 20:24 . 2009-12-30 09:54 149280 c:\windows\system32\javaws.exe
+ 2008-04-03 20:24 . 2009-12-30 09:54 145184 c:\windows\system32\javaw.exe
+ 2008-04-03 20:24 . 2009-12-30 09:54 145184 c:\windows\system32\java.exe
+ 2009-12-30 09:54 . 2009-12-30 09:54 537600 c:\windows\Installer\daaa633.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2005-11-21 1581056]
"MagicRotation"="c:\program files\MagicRotation\MagicPvt.exe" [2008-01-18 1089536]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\murdo\Start Menu\Programs\Startup\
MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Free\MailWasher.exe [2008-5-7 19451736]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-4-12 344064]
VinylMaster Pro Toolbar.lnk - c:\documents and settings\murdo\Application Data\Microsoft\Installer\{BA9030CF-606B-42F6-ACD5-BB95219EED68}\toolbar.exe [2008-1-17 496128]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/05/2009 13:13 61328]
R1 magicpvt;magicpvt;c:\windows\system32\drivers\magicpvt.sys [16/01/2008 17:49 9984]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/05/2009 13:13 61328]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder
2009-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-04-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 21:18]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.orange.co.uk/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {AF5592DE-8E44-4887-AC67-2D51733BB04E} = 193.36.79.101 193.36.79.100
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 14:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@DACL=(02 0000)
@=""
.
DLLs Loaded Under Running Processes
- - - - - - - > 'lsass.exe'(628)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
Completion time: 2009-12-31 14:14:19
ComboFix-quarantined-files.txt 2009-12-31 14:14
ComboFix2.txt 2009-12-21 21:58
ComboFix3.txt 2009-12-20 15:19
Pre-Run: 131,559,350,272 bytes free
Post-Run: 131,760,783,360 bytes free
- - End Of File - - F3B7E8614C2F37EC26B1E861FDCBAB82
It's time to remove ComboFix.
Go to to Start > Run
Type in box
combofix /uninstall
Note: the space between the X and the /u
Press Enter.
This command will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Even if you have no more queries, I would appreciate if you can reply once more to this thread so that I will be able to have this archived. Thanks.