Hi,
I have carried out your instructions, although at first I inadvertently ran ComboFix from a memory stick. However, I have the resultant log, called combofix1.txt. I assume this will be the relevant log, but I also ran ComboFix from the desktop (after the first run) and have inserted the results log, called combofix2.txt.
I tested the browser after running combofix but was immediately redirected to googleadservices.com.
combofix1.txt:-
ComboFix 10-09-16.04 - Karen 17/09/2010 11:15:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.959.552 [GMT 1:00]
Running from: e:\hijackthis\bleep\ComboFix.exe
AV: F-Secure Internet Security 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Thumbs.db
c:\windows\system32\install.exe
c:\windows\system32\system.dat
.
((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.
2010-09-08 09:46 . 2010-09-08 09:46 -------- d-----w- c:\program files\Alwil Software
2010-09-08 09:46 . 2010-09-08 09:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-07 20:13 . 2010-09-07 20:13 -------- d-----w- c:\windows\system32\Iosubsys
2010-09-07 20:13 . 2010-09-07 20:13 -------- d-----w- c:\windows\Options
2010-09-07 20:13 . 2001-08-17 11:11 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2010-09-07 20:13 . 2001-08-17 11:11 20160 ----a-w- c:\windows\system32\drivers\ADM8511.SYS
2010-09-07 20:13 . 2010-09-07 20:13 -------- d-----w- c:\windows\system32\BELKIN
2010-09-07 13:13 . 2010-09-07 13:13 -------- d-----w- c:\program files\CCleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 09:13 . 2009-12-26 22:01 -------- d-----w- c:\documents and settings\Karen\Application Data\Skype
2010-09-07 14:45 . 2005-11-22 11:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-07 14:37 . 2005-11-22 11:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-07 10:16 . 2009-12-12 09:04 -------- d-----w- c:\program files\Vuze
2010-09-07 09:46 . 2009-12-12 09:06 -------- d-----w- c:\documents and settings\Karen\Application Data\Azureus
2010-09-05 14:37 . 2008-09-09 15:51 -------- d-----w- c:\documents and settings\Karen\Application Data\eBay
2010-09-05 14:37 . 2008-09-09 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\eBay
2010-09-05 14:37 . 2008-09-09 15:50 -------- d-----w- c:\program files\eBay
2010-09-05 14:37 . 2004-03-02 10:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-31 10:59 . 2010-04-01 14:33 41624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-08-17 13:17 . 2009-08-14 11:01 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 11:50 . 2010-07-21 11:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 15:49 . 2009-08-14 11:01 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 06:27 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 11:34 . 2006-08-21 13:46 -------- d-----w- c:\documents and settings\Karen\Application Data\U3
2010-07-21 11:33 . 2010-07-21 11:33 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2010-07-21 11:33 . 2010-07-21 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-21 10:16 . 2010-07-21 10:16 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-06-30 12:31 . 2009-08-14 11:01 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-02-06 17:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2009-08-03 07:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2009-08-14 11:01 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2009-08-14 11:01 354304 ----a-w- c:\windows\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@="{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}"
[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 16:05 348160 ----a-w- c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@="{8A814C29-D3CD-4F9E-9770-DF8704503ACA}"
[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 16:05 348160 ----a-w- c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3600 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"EPSON Stylus CX3600 Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"RAMpage"="c:\program files\RAMpage\RAMpage.exe" [2001-01-06 10784]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"EPSON Stylus CX3600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-10-25 988565]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-10-25 118784]
"Auto EPSON Stylus CX3600 Series on PORTAKABIN"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"RegTool"="c:\program files\Gemplus\GemSafe Libraries\BIN\RegTool.exe" [2005-06-08 40960]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2009-07-09 199264]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2009-07-09 2349664]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Venturi 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Venturi 2.lnk
backup=c:\windows\pss\Venturi 2.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-01-22 21:19 52840 ----a-w- c:\program files\Common Files\Symantec Shared\CCAPP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gemstrmw]
2004-09-15 15:28 24576 ------w- c:\windows\system32\gemstrmw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-03 11:41 1385472 ------w- c:\program files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-25 18:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
2004-01-05 17:34 40960 -c--a-w- c:\windows\vsnpstd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [01/04/2010 15:33 41624]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [01/04/2010 15:33 80000]
R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [17/04/2006 12:43 19478]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [01/04/2010 15:32 68064]
R1 FolderProtectDriver;FolderProtectDriver;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [02/09/2008 12:09 15616]
R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [17/04/2006 12:43 635012]
R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [17/04/2006 12:43 431236]
R2 FolderProtectService;FolderProtectService;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [02/09/2008 12:09 10240]
R2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe [20/01/2006 19:15 118784]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [01/04/2010 15:32 124072]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [01/04/2010 15:32 58024]
R3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [10/03/2008 09:50 61776]
S2 gupdate1c9edf4e90d3ab2;Google Update Service (gupdate1c9edf4e90d3ab2);c:\program files\Google\Update\GoogleUpdate.exe [15/06/2009 21:07 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [07/09/2010 21:13 20160]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [29/11/2001 09:10 1432836]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [01/04/2010 15:32 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [01/04/2010 15:32 25184]
.
Contents of the 'Scheduled Tasks' folder
2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 20:05]
2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 20:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: barclays.co.uk\ibank1.bib
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-IS CfgWiz - c:\program files\Common Files\Symantec Shared\cfgwiz.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-09-17 11:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(744)
c:\program files\Gemplus\GemSafe Libraries\BIN\GSafeCSP.dll
c:\program files\Gemplus\Common\Resources\LocHub.dll
c:\program files\Gemplus\GemSafe Libraries\BIN\GUICore.dll
c:\program files\Gemplus\GemSafe Libraries\BIN\GCLIB.DLL
c:\program files\Gemplus\GemSafe Libraries\BIN\pk2GemID.dll
c:\program files\Gemplus\GemSafe Libraries\BIN\pk2GPK16.dll
c:\program files\f-secure\hips\fshook32.dll
- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\relog_ap.dll
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\f-secure\hips\fshook32.dll
- - - - - - - > 'explorer.exe'(1560)
c:\windows\system32\WININET.dll
c:\program files\f-secure\hips\fshook32.dll
c:\program files\F-Secure\Spam Control\fsscoepl.dll
c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\F-Secure\Common\FSHDLL32.EXE
c:\program files\Gemplus\GemSafe Libraries\BIN\GCardSrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
c:\program files\F-Secure\Anti-Virus\fsav32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-17 11:43:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-17 10:43
Pre-Run: 4,227,264,512 bytes free
Post-Run: 5,808,365,568 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 16E2F1CC0F8AAEAC6FBDAC1871FFA3A3
combofix2.txt:-
ComboFix 10-09-16.04 - Karen 17/09/2010 11:47:38.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.959.437 [GMT 1:00]
Running from: c:\documents and settings\Karen\Desktop\ComboFix.exe
AV: F-Secure Internet Security 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.
2010-09-08 09:46 . 2010-09-08 09:46 -------- d-----w- c:\program files\Alwil Software
2010-09-08 09:46 . 2010-09-08 09:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-07 20:13 . 2010-09-07 20:13 -------- d-----w- c:\windows\system32\Iosubsys
2010-09-07 20:13 . 2010-09-07 20:13 -------- d-----w- c:\windows\Options
2010-09-07 20:13 . 2001-08-17 11:11 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2010-09-07 20:13 . 2001-08-17 11:11 20160 ----a-w- c:\windows\system32\drivers\ADM8511.SYS
2010-09-07 20:13 . 2010-09-07 20:13 -------- d-----w- c:\windows\system32\BELKIN
2010-09-07 13:13 . 2010-09-07 13:13 -------- d-----w- c:\program files\CCleaner
2010-09-06 14:19 . 2010-09-06 14:19 8475584 ----a-w- c:\documents and settings\Karen\Application Data\Azureus\tmp\AZU4608621796992365193.tmp\Vuze_4.5.0.4_win32.exe
2010-09-05 15:19 . 2010-09-05 15:19 8475584 ----a-w- c:\documents and settings\Karen\Application Data\Azureus\tmp\AZU3507334338501094084.tmp\Vuze_4.5.0.4_win32.exe
2010-09-04 16:21 . 2010-09-04 16:21 8475584 ----a-w- c:\documents and settings\Karen\Application Data\Azureus\tmp\AZU7252680813868312105.tmp\Vuze_4.5.0.4_win32.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 10:43 . 2010-04-12 11:11 -------- d-----w- c:\documents and settings\Karen\Application Data\F-Secure
2010-09-09 09:13 . 2009-12-26 22:01 -------- d-----w- c:\documents and settings\Karen\Application Data\Skype
2010-09-07 14:45 . 2005-11-22 11:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-07 14:37 . 2005-11-22 11:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-07 10:16 . 2009-12-12 09:04 -------- d-----w- c:\program files\Vuze
2010-09-07 09:46 . 2009-12-12 09:06 -------- d-----w- c:\documents and settings\Karen\Application Data\Azureus
2010-09-05 14:37 . 2008-09-09 15:51 -------- d-----w- c:\documents and settings\Karen\Application Data\eBay
2010-09-05 14:37 . 2008-09-09 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\eBay
2010-09-05 14:37 . 2008-09-09 15:50 -------- d-----w- c:\program files\eBay
2010-09-05 14:37 . 2004-03-02 10:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-31 10:59 . 2010-04-01 14:33 41624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-08-17 13:17 . 2009-08-14 11:01 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 11:50 . 2010-07-21 11:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 15:49 . 2009-08-14 11:01 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 06:27 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 11:34 . 2006-08-21 13:46 -------- d-----w- c:\documents and settings\Karen\Application Data\U3
2010-07-21 11:33 . 2010-07-21 11:33 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2010-07-21 11:33 . 2010-07-21 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-21 10:16 . 2010-07-21 10:16 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-06-30 12:31 . 2009-08-14 11:01 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-02-06 17:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2009-08-03 07:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2009-08-14 11:01 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2009-08-14 11:01 354304 ----a-w- c:\windows\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@="{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}"
[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 16:05 348160 ----a-w- c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@="{8A814C29-D3CD-4F9E-9770-DF8704503ACA}"
[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 16:05 348160 ----a-w- c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3600 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"EPSON Stylus CX3600 Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"RAMpage"="c:\program files\RAMpage\RAMpage.exe" [2001-01-06 10784]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"EPSON Stylus CX3600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-10-25 988565]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-10-25 118784]
"Auto EPSON Stylus CX3600 Series on PORTAKABIN"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"RegTool"="c:\program files\Gemplus\GemSafe Libraries\BIN\RegTool.exe" [2005-06-08 40960]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2009-07-09 199264]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2009-07-09 2349664]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Venturi 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Venturi 2.lnk
backup=c:\windows\pss\Venturi 2.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-01-22 21:19 52840 ----a-w- c:\program files\Common Files\Symantec Shared\CCAPP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gemstrmw]
2004-09-15 15:28 24576 ------w- c:\windows\system32\gemstrmw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-03 11:41 1385472 ------w- c:\program files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-25 18:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
2004-01-05 17:34 40960 -c--a-w- c:\windows\vsnpstd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [01/04/2010 15:33 41624]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [01/04/2010 15:33 80000]
R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [17/04/2006 12:43 19478]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [01/04/2010 15:32 68064]
R1 FolderProtectDriver;FolderProtectDriver;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [02/09/2008 12:09 15616]
R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [17/04/2006 12:43 635012]
R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [17/04/2006 12:43 431236]
R2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe [20/01/2006 19:15 118784]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [01/04/2010 15:32 124072]
R3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [10/03/2008 09:50 61776]
S2 FolderProtectService;FolderProtectService;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [02/09/2008 12:09 10240]
S2 gupdate1c9edf4e90d3ab2;Google Update Service (gupdate1c9edf4e90d3ab2);c:\program files\Google\Update\GoogleUpdate.exe [15/06/2009 21:07 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [07/09/2010 21:13 20160]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [01/04/2010 15:32 58024]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [29/11/2001 09:10 1432836]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [01/04/2010 15:32 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [01/04/2010 15:32 25184]
.
Contents of the 'Scheduled Tasks' folder
2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 20:05]
2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 20:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: barclays.co.uk\ibank1.bib
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-09-17 11:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(744)
c:\program files\Gemplus\GemSafe Libraries\BIN\GSafeCSP.dll
c:\program files\Gemplus\Common\Resources\LocHub.dll
c:\program files\Gemplus\GemSafe Libraries\BIN\GUICore.dll
c:\program files\Gemplus\GemSafe Libraries\BIN\GCLIB.DLL
c:\program files\Gemplus\GemSafe Libraries\BIN\pk2GemID.dll
c:\program files\Gemplus\GemSafe Libraries\BIN\pk2GPK16.dll
c:\program files\f-secure\hips\fshook32.dll
- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\relog_ap.dll
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\f-secure\hips\fshook32.dll
- - - - - - - > 'explorer.exe'(1760)
c:\windows\system32\WININET.dll
c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\F-Secure\Common\fpshx.dll
c:\program files\F-Secure\Common\FSMA32.dll
c:\program files\F-Secure\Common\FSPMAPI.dll
c:\program files\F-Secure\Common\fslapi.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
.
Completion time: 2010-09-17 11:58:38
ComboFix-quarantined-files.txt 2010-09-17 10:58
ComboFix2.txt 2010-09-17 10:43
Pre-Run: 5,813,817,344 bytes free
Post-Run: 5,795,659,776 bytes free
- - End Of File - - 31AB34C003F27B6C688B55AC46CA757A
Regards
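The two logs above are raw ComboFix output. As an added example (not ComboFix's own code and not part of the original post), here is a small Python triage script that pulls out the parts an analyst reads first: the AV/FW status header, the Windows Firewall `EnableFirewall` flag, Run-key autostarts, service entries with their start type, and Trusted Zone additions. It flags disabled protections and autostarts that run from outside `c:\windows` or `c:\program files`, and it compares service start types between two runs (in the logs above, FolderProtectService is `R2` in the first run and `S2` in the second). The sample input is a handful of lines copied from the logs above plus one constructed autostart line (`tmp_loader`, a hypothetical name that does not appear in the logs) to exercise the unusual-location check.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's own code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_RE = re.compile(r'^(?P<kind>AV|FW|SP): (?P<product>.+?) \*(?P<status>[^*]+)\*')
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\S+) (?P<size>\d+)\]$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<date>\S+ \S+) (?P<size>\d+)\]$')
FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
TRUSTED_RE = re.compile(r'^Trusted Zone: (?P<host>.+)$')

# Directories an autostart normally lives in; anything else is flagged for review.
EXPECTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')

# Constructed sample: lines copied from the first log above (not a complete log).
SAMPLE_LOG_1 = r"""
AV: F-Secure Internet Security 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [01/04/2010 15:33 41624]
R2 FolderProtectService;FolderProtectService;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [02/09/2008 12:09 10240]
S2 gupdate1c9edf4e90d3ab2;Google Update Service (gupdate1c9edf4e90d3ab2);c:\program files\Google\Update\GoogleUpdate.exe [15/06/2009 21:07 133104]
Trusted Zone: barclays.co.uk\ibank1.bib
"""

# Constructed sample: the two service lines from the second log that matter for the comparison.
SAMPLE_LOG_2 = r"""
S2 FolderProtectService;FolderProtectService;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [02/09/2008 12:09 10240]
S2 gupdate1c9edf4e90d3ab2;Google Update Service (gupdate1c9edf4e90d3ab2);c:\program files\Google\Update\GoogleUpdate.exe [15/06/2009 21:07 133104]
"""

# Constructed, hypothetical autostart line (not from the logs) to exercise the location check.
CONSTRUCTED_SUSPECT = r'"tmp_loader"="c:\documents and settings\Karen\Local Settings\Temp\tmp_loader.exe" [2010-09-16 12288]'
SAMPLE_WITH_SUSPECT = SAMPLE_LOG_1 + CONSTRUCTED_SUSPECT + "\n"


@dataclass
class Triage:
    protections: list = field(default_factory=list)   # (kind, product, status)
    firewall_enabled: Optional[bool] = None
    autostarts: list = field(default_factory=list)    # (registry key, value name, path)
    services: dict = field(default_factory=dict)      # service name -> (start type, path)
    trusted_zones: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse(log: str) -> Triage:
    """Walk the log once, remembering the registry key that precedes each value line."""
    t = Triage()
    current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            t.protections.append((m['kind'], m['product'], m['status']))
            if 'disabled' in m['status'].lower():
                t.findings.append(f"{m['kind']} {m['product']}: {m['status']}")
        elif m := KEY_RE.match(line):
            current_key = m['key']
        elif m := FW_RE.match(line):
            t.firewall_enabled = m['val'] != '0'
            if not t.firewall_enabled:
                t.findings.append('Windows Firewall standard profile: EnableFirewall=0')
        elif m := RUN_RE.match(line):
            t.autostarts.append((current_key, m['name'], m['path']))
            if not m['path'].lower().startswith(EXPECTED_ROOTS):
                t.findings.append(f"autostart '{m['name']}' runs from unusual location: {m['path']}")
        elif m := SVC_RE.match(line):
            t.services[m['name']] = (m['start'], m['path'])
        elif m := TRUSTED_RE.match(line):
            t.trusted_zones.append(m['host'])
    return t


def service_start_changes(before: Triage, after: Triage) -> dict:
    """Services whose start type differs between two runs, e.g. R2 -> S2 (running -> stopped)."""
    return {name: (before.services[name][0], after.services[name][0])
            for name in before.services
            if name in after.services and before.services[name][0] != after.services[name][0]}


def report(t: Triage) -> str:
    lines = [f"autostarts: {len(t.autostarts)}  services: {len(t.services)}  trusted zones: {t.trusted_zones}"]
    lines += [f"  ! {f}" for f in t.findings]
    return "\n".join(lines)


if __name__ == "__main__":
    first, second = parse(SAMPLE_WITH_SUSPECT), parse(SAMPLE_LOG_2)
    print(report(first))
    print("service start-type changes:", service_start_changes(first, second))
```

One caveat when reading the findings: the `AV:`/`FW:` header records the state at the moment of the run, and ComboFix is normally run with real-time protection switched off, so a `*disabled*` there is a reminder to re-enable protection afterwards rather than evidence of tampering on its own. The `EnableFirewall= 0` line is the Windows Firewall policy, which is expected when a third-party firewall product is installed, but it is worth confirming that the third-party firewall is actually running once the cleanup is finished.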