Hi Rorschach112,
Many thanks for the quick response!
I've run ComboFix and appended the log below. When it initially started to run, it came up with a message which read "Rootkit!! ComboFix has detected the presence of rootkit activity and needs to reboot the machine".
It all seemed to run OK after the reboot.
Appended is the C:\ComboFix.txt log:
ComboFix 09-11-19.05 - Owner 19/11/2009 23:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.483 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common Files\Companion Wizard
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\system32\stera.log
c:\windows\system32\wbem\proquota.exe
----- BITS: Possible infected sites -----
hxxp://opt3.biz
Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FOPN
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.
2009-11-19 23:29 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-18 21:35 . 2009-11-18 21:36 -------- d-----w- c:\program files\ERUNT
2009-11-18 21:25 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2009-11-09 00:02 . 2009-11-09 00:02 -------- d-----w- c:\documents and settings\user1\Application Data\Malwarebytes
2009-11-08 23:57 . 2009-11-08 22:56 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-08 22:57 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-08 22:55 . 2009-11-08 22:55 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-08 22:35 . 2009-11-08 22:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-08 22:35 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-08 22:32 . 2009-11-08 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-08 22:32 . 2009-11-08 22:32 -------- d-----w- c:\program files\Lavasoft
2009-11-07 21:00 . 2009-11-07 21:00 -------- d-----w- c:\program files\CCleaner
2009-11-06 23:59 . 2009-11-06 23:59 -------- d-----w- c:\documents and settings\Administrator.DELL\Local Settings\Application Data\Mozilla
2009-11-06 23:58 . 2009-11-06 23:58 35064 ----a-w- c:\documents and settings\Administrator.DELL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 23:55 . 2009-11-06 23:55 117760 ----a-w- c:\documents and settings\Administrator.DELL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-06 23:55 . 2009-11-06 23:55 -------- d-----w- c:\documents and settings\Administrator.DELL\Application Data\SUPERAntiSpyware.com
2009-11-06 22:54 . 2009-11-06 22:54 -------- d-----w- c:\documents and settings\Administrator.DELL\Application Data\Malwarebytes
2009-11-06 22:49 . 2009-11-16 22:01 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-06 22:48 . 2009-11-06 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-06 22:48 . 2009-11-06 22:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-06 22:48 . 2009-11-06 22:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-11-06 22:47 . 2009-11-06 22:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-06 22:45 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 22:45 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 01:53 . 2009-11-05 01:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2009-11-05 00:36 . 2009-09-23 16:37 34112 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-05 00:36 . 2009-09-23 16:37 32448 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-05 00:36 . 2009-09-23 16:37 330072 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe
2009-11-05 00:36 . 2009-09-23 16:37 51168 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_Helper.dll
2009-11-05 00:36 . 2009-09-23 16:37 22352 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-10-30 01:04 . 2009-10-30 01:04 -------- d-----w- C:\175ab6c6496184de98bc5fabcf486801
2009-10-30 00:59 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-30 00:59 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-28 21:30 . 2009-10-28 21:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-10-26 23:09 . 2009-10-26 23:15 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-25 14:18 . 2009-10-25 14:18 -------- d-----w- c:\windows\system32\LogFiles
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 23:37 . 2008-03-24 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-11-19 23:34 . 2008-09-26 20:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-11-11 01:09 . 2006-09-23 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-08 23:50 . 2006-04-03 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-08 22:52 . 2006-04-03 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 20:42 . 2009-10-02 20:34 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 17:44 . 2008-08-27 21:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-28 21:27 . 2008-05-19 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-28 01:12 . 2006-03-26 15:06 35064 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 21:58 . 2005-12-17 21:49 35064 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 13:30 . 2008-09-26 20:35 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-10-14 20:08 . 2008-03-24 21:42 -------- d-----w- c:\program files\Kontiki
2009-09-25 05:37 . 2005-06-17 22:49 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-05-06 16:42 . 2006-10-25 12:31 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
.
------- Sigcheck -------
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-12 443968]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-12 2000112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 136600]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Motive SmartBridge"="c:\progra~1\BLUEYO~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\blueyonder-istconfig.exe [2008-8-13 217088]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msbsyn32.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera\0lsdelete
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/11/2009 22:57 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1179232]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
.
Contents of the 'Scheduled Tasks' folder
2009-11-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:56]
2009-06-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
2009-11-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.altavista.com/
mStart Page = hxxp://www.altavista.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
Trusted Zone: boxesandbubbles.co.uk\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6mrxbm9r.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.altavista.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-RunServices-Window Monitor - winmon32.exe
HKU-Default-Run-OEM32 Tools - sres32.exe
HKU-Default-Run-Window Monitor - winmon32.exe
HKU-Default-RunServices-Window Monitor - winmon32.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-11-19 23:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3016)
c:\progra~1\BLUEYO~1\SMARTB~1\SBHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\blueyonder IST\bin\blueyonder-istupdate.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\blueyonder IST\bin\mpbtn.exe
c:\progra~1\Motive\ASSTCO~1\MOTIVE~1.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-11-19 23:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 23:41
Pre-Run: 109,490,790,400 bytes free
Post-Run: 109,365,837,824 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - D97E6820DA570224B9150EE0020A9F49
Thanks / Paul