Hello
Firstly thanks for helping me with this!
I ran the scans (see logs below) and all sorts of things have happened. Right now my keyboard (MSI Wind netbook) is dead, so I have e-mailed this to myself from my phone to cut and paste here...
Chris
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e a variant of Win32/Kryptik.ZOF trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\7129ce28-5cafcf7e a variant of Java/Exploit.CVE-2011-3544.AF trojan
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8L2VCPQV\mazezu5.net[1] HTML/Iframe.B.Gen virus
C:\WINDOWS\system32\drivers\i8042prt.sys a variant of Win32/Rootkit.Kryptik.IF trojan
Operating memory multiple threats
ComboFix 12-01-27.01 - Chris 27/01/2012 22:14:43.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.610 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Chris\GoToAssistDownloadHelper.exe
c:\documents and settings\Chris\WINDOWS
c:\windows\$NtUninstallKB24531$
c:\windows\$NtUninstallKB24531$\205541420
c:\windows\$NtUninstallKB24531$\3857431096\@
c:\windows\$NtUninstallKB24531$\3857431096\bckfg.tmp
c:\windows\$NtUninstallKB24531$\3857431096\cfg.ini
c:\windows\$NtUninstallKB24531$\3857431096\Desktop.ini
c:\windows\$NtUninstallKB24531$\3857431096\keywords
c:\windows\$NtUninstallKB24531$\3857431096\kwrd.dll
c:\windows\$NtUninstallKB24531$\3857431096\L\urapuonr
c:\windows\$NtUninstallKB24531$\3857431096\oemid
c:\windows\$NtUninstallKB24531$\3857431096\U\00000001.@
c:\windows\$NtUninstallKB24531$\3857431096\U\00000002.@
c:\windows\$NtUninstallKB24531$\3857431096\U\00000004.@
c:\windows\$NtUninstallKB24531$\3857431096\U\80000000.@
c:\windows\$NtUninstallKB24531$\3857431096\U\80000004.@
c:\windows\$NtUninstallKB24531$\3857431096\U\80000032.@
c:\windows\$NtUninstallKB24531$\3857431096\version
c:\windows\Fonts\._QUEEN_Mary.TTF
c:\windows\system32\prsgrc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-27 22:28 . 2012-01-27 22:28 -------- d-----w- c:\windows\LastGood
2012-01-27 22:14 . 2012-01-27 22:14 0 ----a-w- c:\windows\system32\drivers\SET4.tmp
2012-01-27 21:38 . 2012-01-27 21:38 -------- d-----w- c:\documents and settings\Chris\Application Data\Avira
2012-01-27 21:37 . 2011-09-18 08:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-01-27 21:37 . 2011-09-15 23:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-01-27 21:37 . 2011-09-15 23:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-01-27 21:37 . 2012-01-27 21:37 -------- d-----w- c:\program files\Avira
2012-01-27 21:37 . 2012-01-27 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-01-27 17:43 . 2012-01-27 17:43 -------- d-----w- c:\program files\ESET
2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-27 11:56 . 2012-01-27 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-01-27 11:00 . 2012-01-27 11:00 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
2012-01-27 10:59 . 2012-01-27 10:59 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2012-01-27 10:59 . 2012-01-27 10:59 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2012-01-27 10:58 . 2012-01-27 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-27 10:58 . 2012-01-27 12:24 -------- d-----w- c:\program files\McAfee
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WRData
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\Chris\Application Data\IObit
2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-01-25 23:49 . 2012-01-25 23:49 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-25 23:02 . 2012-01-25 23:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-23 12:18 . 2012-01-23 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\windows\system32\avisynth.dll
2012-01-23 11:47 . 2005-07-14 12:31 32256 ----a-w- c:\windows\system32\AVSredirect.dll
2012-01-23 11:47 . 2004-02-22 10:11 719872 ----a-w- c:\windows\system32\devil.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2012-01-23 11:47 . 2012-01-23 11:47 -------- d-----w- c:\program files\AviSynth 2.5
2012-01-17 12:15 . 2012-01-23 11:27 -------- d-----w- c:\documents and settings\Chris\.elan_data
2012-01-17 12:12 . 2012-01-17 12:14 -------- d-----w- c:\program files\ELAN 4.1.2
2012-01-16 11:58 . 2012-01-16 11:59 -------- d-----w- c:\documents and settings\Chris\Application Data\UAMCTAppData
2012-01-10 11:29 . 2012-01-10 11:30 -------- d-----w- c:\program files\Weka-3-6
2012-01-10 11:04 . 2012-01-10 11:06 -------- d-----w- c:\program files\jEdit
2012-01-03 13:13 . 2012-01-03 13:13 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Identities
2012-01-03 12:36 . 2012-01-03 12:45 -------- d-----w- C:\Perl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-08 15:35 . 2011-05-26 10:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2008-06-11 01:46 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-06-11 01:46 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-06-11 01:46 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-06-11 01:46 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-06-11 01:46 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-03 15:28 . 2008-06-11 01:46 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2008-06-11 01:46 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2008-06-11 01:46 1288704 ----a-w- c:\windows\system32\ole32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Martin\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\PuTTy\\putty.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [27/01/2012 21:37 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27/01/2012 21:37 86224]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/06/2008 23:18 156160]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\Drivers\L6TPortB.sys --> c:\windows\system32\Drivers\L6TPortB.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ABD78E04-874A-41B5-B6AF-2878FA0BB260}: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\rig7qma3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|
https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-01-27 22:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2332106328-2196180437-3818924662-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1140)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\rundll32.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-01-27 22:36:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-27 22:36
.
Pre-Run: 13,914,992,640 bytes free
Post-Run: 14,337,220,608 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A093821ED793551E9DA91AA9AAACAA04