Hi Deltalima,
Just got in and ran the program, and this is the log. Q-Word is still showing in the Google search bar. Thanks,
sara
ComboFix 10-12-21.01 - User 21/12/2010 19:34:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2476 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\hijack this\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\Application Data\EurekaLog
c:\documents and settings\User\Application Data\EurekaLog\EurekaLog.ini
c:\windows\system32\msconfig.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))
.
2010-12-18 22:46 . 2010-12-18 22:46 -------- d-----w- c:\program files\Strategy First
2010-12-18 22:38 . 2010-12-18 22:38 -------- d-----w- c:\program files\iPod
2010-12-18 22:38 . 2010-12-18 22:39 -------- d-----w- c:\program files\iTunes
2010-12-11 22:28 . 2010-12-11 22:28 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-11 22:28 . 2010-12-11 22:28 -------- d-----w- c:\program files\Trend Micro
2010-12-11 20:17 . 2010-12-11 20:17 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-12-11 20:17 . 2010-12-11 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-11 20:17 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-11 20:17 . 2010-12-11 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 20:17 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 18:48 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-11 18:34 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-11 18:34 . 2010-12-11 18:34 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-11 18:04 . 2010-12-11 18:04 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Sunbelt Software
2010-12-11 18:00 . 2010-12-11 18:00 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-11 16:32 . 2010-12-11 16:32 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-11 16:31 . 2010-12-11 16:31 -------- d-----w- c:\program files\ProtectDisc Driver Installer
2010-12-11 16:31 . 2010-12-11 16:31 -------- d-----w- c:\program files\CAPCOM
2010-12-06 13:18 . 2010-12-11 16:31 -------- dc----w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-12-06 13:17 . 2010-12-06 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-12-06 13:17 . 2010-12-06 13:17 -------- d-----w- c:\program files\Lavasoft
2010-12-02 11:39 . 2010-12-11 16:31 -------- d-----w- c:\program files\ffdshow
2010-12-02 11:36 . 2010-12-02 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Optimizer Pro
2010-12-02 11:35 . 2010-12-02 11:35 -------- d-----w- c:\program files\W3i
2010-12-02 11:35 . 2010-12-02 11:35 -------- d-----w- c:\documents and settings\All Users\Application Data\W3i
2010-12-02 11:33 . 2010-12-02 11:33 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-27 23:03 . 2010-11-27 23:03 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2010-11-27 23:03 . 2010-11-27 23:03 -------- d-----w- c:\program files\Common Files\xing shared
2010-11-27 23:01 . 2010-11-27 23:01 151776 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2010-11-27 23:01 . 2010-11-27 23:01 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-11-27 21:35 . 2010-11-27 21:35 -------- d-----w- c:\program files\Common Files\eSellerate
2010-11-27 21:35 . 2010-12-11 21:59 -------- d-----w- c:\program files\2C09381C82B740BFAB17C805414BE85D
2010-11-25 21:19 . 2010-12-21 19:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2010-04-13 15:59 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 18:53 . 2010-09-27 12:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 16:34 . 2010-09-27 12:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26 . 2008-04-14 05:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2008-04-14 05:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-14 05:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-03 12:25 . 2008-04-14 00:07 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 00:27 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 05:39 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 01:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-29 18:06 . 2010-09-29 18:03 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
.
------- Sigcheck -------
[-] 2010-04-13 . F49C5C12A14F20A45F61977CF384B7FC . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"Steam"="c:\program files\Steam\Steam.exe" [2010-11-17 1242448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 20480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-11-27 274608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-18 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-18 51984]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CAPCOM\\Dark Void Demo\\Launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mafia ii - public demo\\launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/12/2010 18:34 64288]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [06/12/2005 15:11 35328]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [09/06/2010 16:43 11352]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [24/02/2010 10:22 185472]
R2 Vcs;Vcs support;c:\windows\system32\drivers\Vcs.sys [20/09/2010 15:28 6852]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 13:42 32856]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [13/04/2010 16:10 272128]
R3 UsbFltr;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [02/11/2005 09:54 11596]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [17/09/2010 20:35 17792]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/12/2010 09:05 1389400]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 18:39 19472]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [03/12/2010 09:05 15264]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [01/07/2010 13:21 34896]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 15:06 11520]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder
2010-12-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]
2010-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
2010-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-527237240-1614895754-1801674531-1001.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
2010-12-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-527237240-1614895754-1801674531-1001.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
2010-12-21 c:\windows\Tasks\User_Feed_Synchronization-{3866EC9F-E3F4-48A5-8B98-F29D52B3E338}.job
- c:\windows\system32\msfeedssync.exe [2010-04-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\uh1w18zb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: TextAloud Firefox Plugin: {99a0337c-6303-4879-b72e-500fd9aaca8c} - c:\program files\Mozilla Firefox\extensions\{99a0337c-6303-4879-b72e-500fd9aaca8c}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Accelerator Plus (DAP) extension: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} - c:\program files\DAP\DAPFireFox
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-21 19:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync03.sys atapi.sys pciide.sys
c:\windows\system32\drivers\sfsync03.sys Protection Technology StarForce Protection System
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A9FAAB8]
3 CLASSPNP[0xB8118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000074[0x8AA66F18]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-e[0x8AA07D98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user != kernel MBR !!!
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-527237240-1614895754-1801674531-1001\Software\SecuROM\License information*]
"datasecu"=hex:71,a0,57,93,41,a1,fe,63,e0,69,39,bc,73,80,dd,a6,63,30,ee,45,ec,
61,6a,65,e7,3f,97,cc,89,b6,75,fa,de,ba,95,8d,7f,05,f8,c2,72,13,72,1d,1c,08,\
"rkeysecu"=hex:fc,4a,2d,4e,01,56,f9,5d,b9,be,51,e6,ac,7b,9b,c4
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3428)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-21 19:43:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-21 19:43
Pre-Run: 204,955,435,008 bytes free
Post-Run: 205,011,288,064 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
- - End Of File - - 1AAD39D25385C4437FD111B62463C4CE