Awash with malware



mikeyd
2009-02-24, 18:27
Hope you can assist

Norton Internet Security virus scan option had disappeared.
Clicking the fix button did nothing.
This is a valid copy.
Symantec has been less than helpful.

So..

Ran Spybot in normal mode and nothing came up.
Ran Spybot in safemode and found the following:

1 stration.c
5 hupigon13
1 hellzlittlespy
1 win32.agent.pz
2 win32.agent.ys
43 smitfraud-c.
1 coolwwwsearch.hjg
2 winagent.qlo
1 win32.brontok
1 win32.nosok.b
2 win32.autorun.homevideo

Clicked Fix and poof, I lost Windows XP. Could not recover/restore, had to reinstall.

Reinstalled norton internet security, Virus scan reappeared
Ran it and found no issues either in normal or safe mode
Now, I can't scan for viruses, option has disappeared again

Ran spybot and found the above again ( only found in safe mode)
Backed up Registry in Spybot.

So I am at the part where I push "Fix" and am very reluctant to do so, as I don't know which of the little nasties caused this.

Assistance would be appreciated

pskelley
2009-02-26, 13:28
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

For your benefit, the instructions are pinned (sticky) to the top of the Malware Removal forum, please read and be sure you have followed those instructions. I have also posted the "Before you Post" instructions at the top of this thread.

Not sure if I can help or not, but Matt posted a link to the instructions for you here: http://forums.spybot.info/showthread.php?t=46083

I posted it again above; we will not find out if I can help until you follow the directions and then post an HJT log.

Thanks

mikeyd
2009-02-27, 06:17
Thanks for the reply.

1) computer in normal mode
2) system restore is enabled
3) teatimer is off
4) system registry is backed up
5) word wrap is off

copy of log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:25 PM, on 2/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/UPREBOOT /temp /patched"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4671 bytes
Thanks for looking into this

pskelley
2009-02-27, 13:30
C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Desktop\HiJackThis.exe <<< directions were not followed, read them again and install HJT safely as instructed:
By default it will install to C:\Program Files\Trend Micro\HijackThis
Please do not proceed until that is done.

Nothing showing in the HJT log, we will have combofix take the first look.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
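The check pskelley makes by eye above (HijackThis run from the Desktop instead of C:\Program Files\Trend Micro\HijackThis), together with the other entry types the posted log contains (O2 BHOs, O4 Run/RunOnce entries, O23 services), as an added example in Python; it is not code from HijackThis or from anyone in this thread. The sample lines are copied from the logs posted above (the RunOnce line shortened to a constructed path), and the review rules, the HJT_INSTALL_DIR constant and the "look at this" prompts are this example's own assumptions.

```python
"""Parse the entry lines of a HijackThis 2.0.2 log and run the kind of
sanity checks the helper applies by eye in this thread.

Added example for this thread; it is not code from HijackThis or from the
posts. The sample lines are copied (one shortened) from the logs posted
above; the review rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Entry-line shapes seen in the posted logs (example's own regexes).
_ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
_BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Where the helper wants HijackThis installed (stated in the thread).
HJT_INSTALL_DIR = r"c:\program files\trend micro\hijackthis"


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)     # running process paths
    bhos: list = field(default_factory=list)          # (name, clsid, path)
    run_entries: list = field(default_factory=list)   # (hive, key, name, command)
    services: list = field(default_factory=list)      # (name, owner, path)


def parse_hjt(text: str) -> HjtLog:
    """Collect the 'Running processes' block and the O2/O4/O23 entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                log.processes.append(line)
            else:
                in_processes = False       # blank line ends the block
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O2":
            b = _BHO_RE.match(body)
            if b:
                log.bhos.append((b["name"], b["clsid"].upper(), b["path"]))
        elif kind == "O4":
            r = _RUN_RE.match(body)
            if r:                          # Global Startup lines are skipped
                log.run_entries.append((r["hive"], r["key"], r["name"], r["cmd"]))
        elif kind == "O23":
            s = _SERVICE_RE.match(body)
            if s:
                log.services.append((s["name"], s["owner"], s["path"]))
    return log


def review(log: HjtLog) -> list:
    """Return findings to look at by hand; they are prompts, not verdicts."""
    findings = []
    for proc in log.processes:
        low = proc.lower()
        if low.endswith("hijackthis.exe") and not low.startswith(HJT_INSTALL_DIR):
            findings.append(f"HijackThis running from unexpected location: {proc}")
        # An .exe directly under C:\WINDOWS (not System32) is worth confirming
        # against its publisher; in this thread wanmpsvc.exe is AOL's service.
        if re.match(r"c:\\windows\\[^\\]+\.exe$", low) and not low.endswith("\\explorer.exe"):
            findings.append(f"Executable directly under C:\\WINDOWS, confirm publisher: {proc}")
    for name, owner, path in log.services:
        if owner.lower() == "unknown owner":
            findings.append(f"Service with no registered owner: {name} ({path})")
    for hive, key, name, cmd in log.run_entries:
        if key == "RunOnce":
            findings.append(f"{hive} RunOnce [{name}] will execute at next logon: {cmd}")
    return findings


# Sample lines copied from the thread's logs; the RunOnce line is shortened
# to a constructed path.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Desktop\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Program Files\Symantec\SymLnch.exe" /UPREBOOT
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

if __name__ == "__main__":
    for finding in review(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Every finding is a prompt to verify against the vendor and the file's signature, as the helper does with the Symantec entries; the script deliberately does not label anything malicious, since a legitimate service with "Unknown owner" (Symantec Core LC here) would trip the same rule.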

mikeyd
2009-02-28, 18:40
Well, try as I might, following all links, I could not disable Norton Internet Security. All options were missing except for phishing protection.

So here are the logs anyway.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:16 AM, on 2/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5034 bytes


ComboFix 09-02-26.02 - Michael 2009-02-27 23:56:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.220 [GMT -8:00]
Running from: c:\documents and settings\Michael.MJD-KLI8V24JPWT\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rmoc3260.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-28 to 2009-02-28 )))))))))))))))))))))))))))))))
.

2009-02-27 23:31 . 2009-02-27 23:31 <DIR> d-------- c:\program files\Trend Micro
2009-02-26 12:00 . 2009-02-26 11:53 1,211 --a------ C:\remove-spybotsd-settings.reg
2009-02-25 12:45 . 2009-02-25 12:46 <DIR> d-------- c:\program files\ERUNT
2009-02-22 12:09 . 2009-02-22 13:28 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-22 01:22 . 2009-02-22 02:17 <DIR> d-------- c:\documents and settings\Administrator.MJD-KLI8V24JPWT\Application Data\Spybot - Search & Destroy
2009-02-21 18:22 . 2009-02-21 18:22 <DIR> d-------- c:\documents and settings\Daniel.MJD-KLI8V24JPWT\Application Data\AdobeUM
2009-02-21 18:17 . 2009-02-21 18:17 <DIR> d-------- c:\documents and settings\Daniel.MJD-KLI8V24JPWT\Application Data\Symantec
2009-02-18 03:10 . 2008-09-15 03:57 1,846,016 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-02-18 03:05 . 2008-12-12 09:33 3,060,224 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-02-18 03:03 . 2008-08-14 02:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-18 03:03 . 2008-08-14 01:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-18 03:03 . 2008-08-14 01:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-18 03:03 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-18 03:03 . 2008-12-11 03:57 333,184 -----c--- c:\windows\system32\dllcache\srv.sys
2009-02-18 03:03 . 2008-10-15 08:57 332,800 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-02-18 03:02 . 2008-08-14 01:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-18 03:00 . 2009-02-25 15:25 <DIR> d--h----- c:\windows\$hf_mig$
2009-02-17 22:52 . 2009-02-17 22:52 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-02-17 22:52 . 2009-02-17 22:52 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-17 22:52 . 2009-02-17 22:52 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-17 22:50 . 2009-02-17 23:03 <DIR> d-------- c:\documents and settings\Michael.MJD-KLI8V24JPWT\Application Data\Spybot - Search & Destroy
2009-02-17 22:47 . 2009-02-27 15:00 <DIR> d-------- c:\program files\Norton Security Scan
2009-02-17 20:48 . 2009-02-17 20:48 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-02-17 20:47 . 2008-05-06 21:18 1,287,680 -----c--- c:\windows\system32\dllcache\quartz.dll
2009-02-17 20:47 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-02-17 20:47 . 2008-07-07 12:32 253,952 -----c--- c:\windows\system32\dllcache\es.dll
2009-02-17 20:45 . 2008-05-01 06:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-02-17 20:44 . 2008-04-11 10:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-02-17 20:43 . 2008-09-04 08:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-02-17 20:43 . 2008-10-03 02:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-02-15 15:23 . 2009-02-15 15:23 <DIR> d-------- c:\documents and settings\Administrator.MJD-KLI8V24JPWT
2009-02-15 13:10 . 2009-02-15 14:12 <DIR> d-------- c:\program files\Symantec
2009-02-15 13:10 . 2009-02-26 13:13 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-02-15 13:10 . 2009-02-15 14:12 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-15 13:10 . 2009-02-15 14:12 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-15 13:01 . 2009-02-15 14:12 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-15 13:01 . 2009-02-15 14:12 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-15 12:31 . 2009-02-15 13:17 <DIR> d-------- c:\documents and settings\Michael.MJD-KLI8V24JPWT\Application Data\Symantec
2009-02-15 11:51 . 2009-02-15 11:51 <DIR> d-------- c:\documents and settings\Daniel.MJD-KLI8V24JPWT
2009-02-15 11:32 . 2009-02-15 11:32 376 --a------ c:\windows\ODBC.INI
2009-02-15 11:30 . 2009-02-15 11:31 <DIR> d-------- c:\windows\ShellNew
2009-02-14 12:42 . 2009-02-14 12:42 <DIR> d---s---- c:\documents and settings\Aaron\UserData
2009-02-14 12:40 . 2009-02-14 12:42 <DIR> d-------- c:\documents and settings\Aaron
2009-02-13 19:36 . 2009-02-13 19:36 24,576 --a------ c:\windows\system32\prefscpl.cpl
2009-02-13 19:36 . 2009-02-13 19:36 8,552 --a------ c:\windows\system32\drivers\asctrm.sys
2009-02-11 21:36 . 2003-04-02 11:23 65,536 --a------ c:\windows\wanmpsvc.exe
2009-02-11 21:20 . 2009-02-13 19:27 316,640 --a------ c:\windows\WMSysPr9.prx
2009-02-11 21:14 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-02-11 21:14 . 2004-07-17 11:40 19,528 --a------ c:\windows\002345_.tmp
2009-02-11 21:13 . 2005-02-24 19:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-02-11 21:05 . 2009-02-11 21:05 <DIR> d---s---- c:\windows\system32\Microsoft
2009-02-04 22:00 . 2004-08-04 00:56 96,768 --a------ c:\windows\system32\dpcdll.dll
2009-02-04 21:58 . 2004-08-04 00:56 1,298,432 --a------ c:\windows\system32\dxdiag.exe
2009-02-04 21:55 . 2002-06-14 18:46 19,274 --a------ c:\windows\000001_.tmp
2009-02-02 21:24 . 2009-02-02 21:24 <DIR> d--hs---- c:\documents and settings\NetworkService.NT AUTHORITY.000
2009-02-02 21:24 . 2009-02-13 19:27 <DIR> d--hs---- c:\documents and settings\LocalService.NT AUTHORITY
2009-02-02 21:03 . 2009-02-02 21:03 8,192 --a------ c:\windows\REGLOCS.OLD
2009-02-02 21:01 . 2001-08-23 04:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-02-02 21:00 . 2001-08-23 04:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-02-02 18:27 . 2009-02-25 12:41 <DIR> d-------- c:\documents and settings\Michael.MJD-KLI8V24JPWT
2009-02-02 11:05 . 2009-02-02 18:26 <DIR> d--h----- c:\documents and settings\Default User.WINDOWS
2009-02-02 11:05 . 2009-02-02 20:57 <DIR> d-------- c:\documents and settings\All Users.WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 08:02 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 20:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-26 06:35 --------- d-----w c:\program files\America Online 8.0
2009-02-18 07:09 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-15 22:05 --------- d-----w c:\program files\Norton Internet Security
2009-02-15 19:31 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-31 23:21 --------- d-----w c:\documents and settings\Daniel\Application Data\DNA
2009-01-31 23:14 --------- d-----w c:\program files\DNA
2009-01-30 15:51 --------- d-----w c:\documents and settings\Daniel\Application Data\uTorrent
2009-01-28 23:42 --------- d-----w c:\program files\Yahoo!
2009-01-27 02:55 --------- d-----w c:\documents and settings\Daniel\Application Data\FrostWire
2009-01-25 23:16 --------- d-----w c:\program files\FrostWire
2008-12-29 01:58 --------- d-----w c:\documents and settings\Daniel\Application Data\Apple Computer
2002-07-26 21:02 153,088 ----a-w c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-02-13 26112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online 8.0\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-24 149352]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - EraserUtilDrv10910
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Michael.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 17:19]

2009-02-27 c:\windows\Tasks\Norton Security Scan for Michael.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-SymLnch - c:\documents and settings\Michael.MJD-KLI8V24JPWT\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.ca\www
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 00:01:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-492894223-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-02-28 0:04:22
ComboFix-quarantined-files.txt 2009-02-28 08:04:17

Pre-Run: 38,301,982,720 bytes free
Post-Run: 38,631,751,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

156 --- E O F --- 2009-02-26 11:00:46

Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
AppCore
ccCommon
Component Framework
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Norton Security Scan
Norton Security Scan (Symantec Corporation)
RealPlayer Basic
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
SPBBC 32bit
SymNet
Update for Windows XP (KB898461)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB885884
Windows XP Service Pack 2

Hope this helps.

pskelley
2009-02-28, 21:15
This can be done as time permits, but it is important, and may be why you got infected.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/
While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 7.0
Out of date, see this information:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Viewpoint Media Player <<< suggested uninstall:
For your information, Viewpoint is installed by aol probably without your knowledge.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm

Ran Spybot in safemode and found the following:
This all started with you telling me about what Spybot S&D found and I don't even see that program in Add Remove programs? Did you uninstall it for some reason? I have no way of knowing if that program was up to date or not. Please do not install it again until I ask you to, then only from the link I provide, with the instructions I provide.

Please follow these directions:
Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

http://www.besttechie.net/mbam/mbam-setup.exe <<< download

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

Thanks

mikeyd
2009-03-01, 02:57
I can't explain why Spybot is not in the add/remove programs. (I had an earlier version that was uninstalled v1.3 I think.)

Spybot is definitely on the system.

At any rate here is the log


Malwarebytes' Anti-Malware 1.34
Database version: 1813
Windows 5.1.2600 Service Pack 2

2/28/2009 8:51:45 PM
mbam-log-2009-02-28 (20-51-45).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 346020
Time elapsed: 3 hour(s), 58 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

pskelley
2009-03-01, 12:36
Spybot is definitely on the system.
I can see the program in the ComboFix log:
c:\program files\Spybot - Search & Destroy

Look at the uninstall list you posted; it is alphabetical and Spybot S&D does not show there. What I would like you to do is:

1) Open Spybot S&D, at the top click on Help then About. Post the version number (for instance mine is Spybot - Search & Destroy 1.6.0.30) and the latest detection update.

2) Start > Control Panel > Add/Remove Programs. When that loads, look alphabetically for Spybot - Search & Destroy and tell me if it is there.

Thanks

mikeyd
2009-03-01, 16:03
Morning

Version is 1.6.0.31

and no, Spybot is not in Add/Remove Programs

mikeyd
2009-03-01, 16:04
Sorry, latest update is 02/25/09

pskelley
2009-03-01, 16:33
I am concerned; since I see hundreds of HJT logs, I know Spybot should be showing in Add/Remove Programs. Often I find the new version and an old version that is causing the issues. What I would like you to do is install Spybot S&D again so it is in Add/Remove Programs (which means it will have an uninstaller if needed). Follow the directions in this link:
http://www.safer-networking.org/en/tutorial/index.html

Once you get it installed and see it in Add/Remove Programs, follow the tutorial for running it.

Let me know then if anything is located that Spybot S&D cannot remove. If that should happen I would like to look at the log; produce it like this:

On the toolbar menu select Mode and switch to Advanced; on the left select Tools, then View Report. Make sure all the options near the bottom are selected except:
Uncheck [ ] Do not report disabled or known legitimate items,
Uncheck [ ] Include a list of services in report,
Uncheck [ ] Include uninstall list in report.
Now select View Report near the top, press Export, and save the log on your Desktop; post the saved log in your next reply.

If you have no issues at that point, I do not need to see that report.

Thanks
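The report exported by the steps above contains a "Startup entries list" section written as fixed Located/command/file/size/MD5 records. As an added example that is not part of this thread and not Spybot's own code, here is a small triage script a helper could run over that section; the sample entries inside it are constructed in that format, with a placeholder in place of the user SID.

```python
"""Triage the "Startup entries list" of a Spybot S&D exported report (added
example, not from this thread or from Spybot). Parses the Located/command/
file/size/MD5 records of the "view report" export and flags Temp-folder
executables, zero-byte files, random-looking names and RunOnce deletes of
core system files."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"  # MD5 of zero bytes
# Pending deletes under these (registry hives, WMI repository, drivers) can
# leave Windows unbootable and deserve a second look before clicking Fix.
CRITICAL_DIRS = ("\\system32\\config\\", "\\system32\\wbem\\", "\\system32\\drivers\\")
DEL_CMD = re.compile(r'^(?:cmd|command)\s+/c\s+del\s+"([^"]+)"', re.I)
DRIVE_PATH = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Entry:
    location: str  # e.g. HK_CU:Run
    name: str      # registry value name
    command: str = ""
    file: str = ""
    size: int | None = None
    md5: str = ""
    flags: list[str] = field(default_factory=list)


def parse_startup_entries(text: str) -> list[Entry]:
    """One Entry per 'Located:' record; where:/Warning: lines are ignored."""
    entries: list[Entry] = []
    cur: Entry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Located:"):
            loc, _, name = line[len("Located:"):].partition(",")
            cur = Entry(location=loc.strip(), name=name.strip())
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("command:"):
            cur.command = line[len("command:"):].strip()
        elif line.startswith("file:"):
            cur.file = line[len("file:"):].strip()
        elif line.startswith("size:"):
            cur.size = int(line[len("size:"):].strip())
        elif line.startswith("MD5:"):
            cur.md5 = line[len("MD5:"):].strip().upper()
    return entries


def looks_random(name: str) -> bool:
    """Long run of lowercase letters and digits with no separators."""
    return bool(re.fullmatch(r"[a-z0-9]{12,}", name)) and any(c.isdigit() for c in name)


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach flags to each entry and return only the entries that got one."""
    for e in entries:
        flags: list[str] = []
        # size/MD5 only mean something when 'file' is a real path; Spybot
        # reports 0 and the empty-input MD5 for 'cmd /c del ...' records too.
        if DRIVE_PATH.match(e.file):
            if "\\temp\\" in e.file.lower():
                flags.append("runs from a Temp folder")
            if e.size == 0 or e.md5 == EMPTY_MD5:
                flags.append("zero-byte file")
        if looks_random(e.name):
            flags.append("random-looking value name")
        m = DEL_CMD.match(e.command)
        if m and e.location.endswith("RunOnce"):
            target = m.group(1)
            if any(d in target.lower() for d in CRITICAL_DIRS):
                flags.append(f"pending delete of system file: {target}")
        e.flags = flags
    return [e for e in entries if e.flags]


# Constructed sample in the report's format, modelled on entries in this
# thread's log; the SID inside 'where:' is replaced by a placeholder.
SAMPLE_REPORT = r"""
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 51048
MD5: B01902E9451B3D39DC5CAFDC9B9B398C

Located: HK_CU:Run, wekewfjo983mkefdd
where: PE_C0_S-1-5-21-<sid-placeholder>-1007...
command: C:\DOCUME~1\User\LOCALS~1\Temp\winlogan.exe
file: C:\DOCUME~1\User\LOCALS~1\Temp\winlogan.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E

Located: HK_CU:RunOnce, SpybotDeletingB7592
command: command /c del "C:\WINDOWS\system32\config\SAM_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\SAM_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
"""

if __name__ == "__main__":
    for e in triage(parse_startup_entries(SAMPLE_REPORT)):
        print(f"{e.location}, {e.name}: " + "; ".join(e.flags))
```

Run against a real export, the script prints one line per suspicious entry; the benign ccApp record in the sample produces nothing.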

mikeyd
2009-03-02, 02:54
Here is the log; too long for 1 post, I'll split it.


--- Search result list ---
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

DoubleClick: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-08-14 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-03-01 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-22 Includes\Adware.sbi (*)
2009-01-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-02-10 Includes\Hijackers.sbi (*)
2009-02-10 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-02-17 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-02-24 Includes\Malware.sbi (*)
2009-02-24 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-02-24 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-02-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-02-24 Includes\Trojans.sbi (*)
2009-02-24 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB944338-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958215)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB960714)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Update for Windows XP (KB967715)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 392845E8D49B5F0E81AAC4D795000A8C

Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 51048
MD5: B01902E9451B3D39DC5CAFDC9B9B398C

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 290088
MD5: E6A4E341E4304B34AA280D3E73818C90

Located: HK_LM:Run, osCheck
command: "C:\Program Files\Norton Internet Security\osCheck.exe"
file: C:\Program Files\Norton Internet Security\osCheck.exe
size: 714608
MD5: 91535A86F6BD48BACCC3D58E6653456A

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 9C9B6807425CEF840C117654D8B033D1

Located: HK_LM:Run, RealTray
command: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
file: C:\Program Files\Real\RealPlayer\RealPlay.exe
size: 26112
MD5: 849D97FE4CC09CFC2772D10F641E1BAF

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 136600
MD5: B98FFA8288EFAABC436C30D198608345

Located: HK_CU:Run, AdobeUpdater
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-1007...
command: C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
file: C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
size: 2356088
MD5: 3C27703F6103A19F1EFD16BFE6D3A8C3

Located: HK_CU:Run, AOL Fast Start
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-1007...
command: "C:\Program Files\AOL 9.0a\AOL.EXE" -b
file: C:\Program Files\AOL 9.0a\AOL.EXE
size: 50736
MD5: 824B545F6D626CB6CC1ED0A9CE618BB7

Located: HK_CU:Run, BitTorrent DNA
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-1007...
command: "C:\Program Files\DNA\btdna.exe"
file: C:\Program Files\DNA\btdna.exe
size: 342848
MD5: D05EF65BDD18FCB8632236D4E58B818D

Located: HK_CU:Run, ctfmon.exe
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-1007...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, wekewfjo983mkefdd
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-1007...
command: C:\DOCUME~1\Daniel\LOCALS~1\Temp\winlogan.exe
file: C:\DOCUME~1\Daniel\LOCALS~1\Temp\winlogan.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:RunOnce, SpybotDeletingB1062
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\fastprox.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\fastprox.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB114
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\Setup\setupqry.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\Setup\setupqry.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB122
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\AppEvent.Evt_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\AppEvent.Evt_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB1301
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\SysEvent.Evt_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\SysEvent.Evt_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB1715
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\wbemcore.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\wbemcore.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB186
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\wbemcomn.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\wbemcomn.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB2673
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP_tobedeleted"
file: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB2897
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\system.LOG_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\system.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB3217
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\esscli.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\esscli.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB4235
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\system_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\system_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB4460
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA_tobedeleted"
file: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB4832
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\software.LOG_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\software.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB4965
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP_tobedeleted"
file: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB4989
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\Internet.evt_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\Internet.evt_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB5544
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\default.LOG_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\default.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB5650
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER_tobedeleted"
file: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB5912
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\framedyn.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\framedyn.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB5924
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\dllcache\crtdll.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\dllcache\crtdll.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB6021
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\software_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\software_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB6425
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\ncprov.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\ncprov.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB7238
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR_tobedeleted"
file: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB7326
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\SECURITY_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\SECURITY_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB7446
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\drivers\sptd.sys_tobedeleted"
file: command /c del "C:\WINDOWS\system32\drivers\sptd.sys_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB7452
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\en-US\ieframe.dll.mui_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\en-US\ieframe.dll.mui_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB7592
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\SAM_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\SAM_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB774
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\SAM.LOG_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\SAM.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB7888
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\wmiprvsd.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\wmiprvsd.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB8057
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\wbemprox.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\wbemprox.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB8183
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\wbemess.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\wbemess.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB8326
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\wbemsvc.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\wbemsvc.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB8381
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\wmisvc.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\wmisvc.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB844
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\repdrvfs.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\repdrvfs.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB8479
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\en-US\urlmon.dll.mui_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\en-US\urlmon.dll.mui_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB8689
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\wmiutils.dll_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\wbem\wmiutils.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB9053
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\SecEvent.Evt_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\SecEvent.Evt_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB9347
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP_tobedeleted"
file: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB9547
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\drivers\dxg.sys_tobedeleted_old"
file: command /c del "C:\WINDOWS\system32\drivers\dxg.sys_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB9723
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP_tobedeleted"
file: command /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB9835
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\SECURITY.LOG_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\SECURITY.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB9977
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: command /c del "C:\WINDOWS\system32\config\default_tobedeleted"
file: command /c del "C:\WINDOWS\system32\config\default_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD1240
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\AppEvent.Evt_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\AppEvent.Evt_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD1386
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\drivers\dxg.sys_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\drivers\dxg.sys_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD1520
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\SAM.LOG_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\SAM.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD1584
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\system_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\system_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD1770
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD2025
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\SecEvent.Evt_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\SecEvent.Evt_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD214
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\wbemcore.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\wbemcore.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD224
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\en-US\ieframe.dll.mui_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\en-US\ieframe.dll.mui_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD2293
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\wbemess.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\wbemess.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD2544
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\wmisvc.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\wmisvc.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD2571
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\dllcache\crtdll.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\dllcache\crtdll.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD2613
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\wbemcomn.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\wbemcomn.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD2676
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\repdrvfs.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\repdrvfs.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD2852
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\SysEvent.Evt_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\SysEvent.Evt_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD3109
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\wbemsvc.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\wbemsvc.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD3414
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD3499
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\wmiutils.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\wmiutils.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD3830
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\SECURITY_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\SECURITY_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD4033
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\esscli.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\esscli.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD4133
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\drivers\sptd.sys_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\drivers\sptd.sys_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD4752
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD4823
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\en-US\urlmon.dll.mui_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\en-US\urlmon.dll.mui_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD5378
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\SECURITY.LOG_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\SECURITY.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD5602
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\SAM_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\SAM_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD6276
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\fastprox.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\fastprox.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD6344
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\software_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\software_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD6902
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\system.LOG_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\system.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD6942
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\software.LOG_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\software.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD7490
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\wmiprvsd.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\wmiprvsd.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD7539
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD7687
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\Internet.evt_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\Internet.evt_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

mikeyd
2009-03-02, 02:54
2nd part

Located: HK_CU:RunOnce, SpybotDeletingD7784
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD8104
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\default.LOG_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\default.LOG_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD8139
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\Setup\setupqry.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\Setup\setupqry.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD8654
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\wbemprox.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\wbemprox.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD8865
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\config\default_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\config\default_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD8943
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD8975
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP_tobedeleted"
file: cmd /c del "C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP_tobedeleted"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD9485
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\ncprov.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\ncprov.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD9527
where: PE_C0_S-1-5-21-1957994488-492894223-839522115-500...
command: cmd /c del "C:\WINDOWS\system32\wbem\framedyn.dll_tobedeleted_old"
file: cmd /c del "C:\WINDOWS\system32\wbem\framedyn.dll_tobedeleted_old"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: PE_C_STALLION...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, msnmsgr
where: PE_C_STALLION...
command: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
file: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C

Located: HK_CU:Run, MSMSGS
where: S-1-5-21-1957994488-492894223-839522115-1003...
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1667584
MD5: B53343FE60A33EE765C2476D50D27B26

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1957994488-492894223-839522115-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1

Located: Startup (common), Microsoft Office.lnk
where: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5BC65464354A9FD3BEAA28E18839734A

Located: Startup (user), Secunia PSI.lnk
where: C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Start Menu\Programs\Startup...
command: C:\Program Files\Secunia\PSI\psi.exe
file: C:\Program Files\Secunia\PSI\psi.exe
size: 748840
MD5: 098E56DB661F7DD5AE413B80AC61D26F

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 10/23/2006 2:08:42 AM
Date (last access): 3/1/2009 5:37:42 PM
Date (last write): 10/23/2006 2:08:42 AM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 9/5/2008 6:25:20 PM
Date (last access): 3/1/2009 5:17:12 PM
Date (last write): 9/15/2008 1:25:44 PM
Filesize: 1562960
Attributes: readonly hidden sysfile archive
MD5: 35F73F1936BDE91F1B6995510A61E7A8
CRC32: BE6A5D15
Version: 1.6.2.14

{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} (NCO 2.0 IE BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: NCO 2.0 IE BHO
CLSID name:
Path: C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\
Long name: CoIEPlg.dll
Short name:
Date (created): 8/24/2007 10:51:56 PM
Date (last access): 3/1/2009 5:37:42 PM
Date (last write): 8/24/2007 10:51:56 PM
Filesize: 316784
Attributes: archive
MD5: 6BC066FCC66BB0EE33A618EBC65683D5
CRC32: D7E3A9BB
Version: 2008.2.0.84

{6D53EC84-6AAE-4787-AEEE-F4628F01010C} (Symantec Intrusion Prevention)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Symantec Intrusion Prevention
CLSID name: Symantec Intrusion Prevention
Path: C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\
Long name: IPSBHO.dll
Short name:
Date (created): 2/15/2009 4:12:40 PM
Date (last access): 3/1/2009 5:37:42 PM
Date (last write): 2/15/2009 5:02:08 PM
Filesize: 116088
Attributes: archive
MD5: FA3E00177B57D5B2BF058D560931D750
CRC32: DF9D41CC
Version: 8.2.0.86

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (Java(tm) Plug-In SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: ssv.dll
Short name:
Date (created): 3/1/2009 4:42:28 AM
Date (last access): 3/1/2009 5:37:48 PM
Date (last write): 3/1/2009 4:42:28 AM
Filesize: 320920
Attributes: archive
MD5: 35E6FB6E6003BD54A5D69C9C1C762192
CRC32: 9699660C
Version: 6.0.110.3

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 3/1/2009 4:42:28 AM
Date (last access): 3/1/2009 5:37:48 PM
Date (last write): 3/1/2009 4:42:28 AM
Filesize: 34816
Attributes: archive
MD5: 5D57FD3DF32DC69CEC3D1D54B4C43162
CRC32: D7C13FB2
Version: 6.0.110.3

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name: JQS_PL~1.DLL
Date (created): 3/1/2009 4:42:28 AM
Date (last access): 3/1/2009 5:37:50 PM
Date (last write): 3/1/2009 4:42:28 AM
Filesize: 73728
Attributes: archive
MD5: F68EDAFE003F2B3523C0742CD3B8D673
CRC32: 9C709350
Version: 6.0.110.3



--- ActiveX list ---
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
DPF name:
CLSID name: Symantec AntiVirus scanner
Installer: C:\WINDOWS\Downloaded Program Files\avsniff.inf
Codebase: http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
description: Symantec online scanner
classification: Legitimate
known filename: AVSNIFF.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\Downloaded Program Files\
Long name: avsniff.dll
Short name:
Date (created): 2/3/2009 6:24:26 PM
Date (last access): 3/1/2009 5:15:34 AM
Date (last write): 2/3/2009 6:24:26 PM
Filesize: 312680
Attributes: archive
MD5: F8240A3428F9A5FE2534D77EF60688CF
CRC32: 2F1ED1B7
Version: 2006.2.22.58

{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
DPF name:
CLSID name: Symantec RuFSI Utility Class
Installer: C:\WINDOWS\Downloaded Program Files\CabSA.inf
Codebase: http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: rufsi.dll
Short name:
Date (created): 2/3/2009 6:24:36 PM
Date (last access): 3/1/2009 5:15:34 AM
Date (last write): 2/3/2009 6:24:36 PM
Filesize: 296336
Attributes: archive
MD5: 291BFFAD30A256EB99799506228C0BED
CRC32: 314861C6
Version: 2006.2.15.43

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_11
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_11.dll
Short name: NPJPI1~1.DLL
Date (created): 3/1/2009 4:42:28 AM
Date (last access): 3/1/2009 5:07:30 AM
Date (last write): 3/1/2009 4:42:28 AM
Filesize: 132504
Attributes: archive
MD5: D400116F6776ACB6EDB6B1F5EEB9F92D
CRC32: CECB5751
Version: 6.0.110.3

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_11
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_11.dll
Short name: NPJPI1~1.DLL
Date (created): 3/1/2009 4:42:28 AM
Date (last access): 3/1/2009 5:41:50 PM
Date (last write): 3/1/2009 4:42:28 AM
Filesize: 132504
Attributes: archive
MD5: D400116F6776ACB6EDB6B1F5EEB9F92D
CRC32: CECB5751
Version: 6.0.110.3

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_11
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_11.dll
Short name: NPJPI1~1.DLL
Date (created): 3/1/2009 4:42:28 AM
Date (last access): 3/1/2009 5:41:50 PM
Date (last write): 3/1/2009 4:42:28 AM
Filesize: 132504
Attributes: archive
MD5: D400116F6776ACB6EDB6B1F5EEB9F92D
CRC32: CECB5751
Version: 6.0.110.3

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash10b.ocx
Short name:
Date (created): 2/2/2009 9:07:18 PM
Date (last access): 3/1/2009 5:38:08 PM
Date (last write): 2/2/2009 9:07:18 PM
Filesize: 3866528
Attributes: readonly archive
MD5: 8AFC17155ED5AB60B7C52D7F553D579C
CRC32: 0FBC13F3
Version: 10.0.22.87



--- Process list ---
PID: 0 ( 0) [System]
PID: 844 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 892 ( 844) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 916 ( 844) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 960 ( 916) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 972 ( 916) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 1132 ( 960) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1208 ( 960) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1368 ( 960) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1448 ( 960) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1524 ( 960) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1764 ( 960) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
size: 149352
MD5: 2F237AAB91497AAA03AF48EAE68758FC
PID: 2044 (1960) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 456 ( 960) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: 7435B108B935E42EA92CA94F59C8E717
PID: 592 (2044) C:\Program Files\Real\RealPlayer\RealPlay.exe
size: 26112
MD5: 849D97FE4CC09CFC2772D10F641E1BAF
PID: 644 ( 628) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
size: 149352
MD5: 2F237AAB91497AAA03AF48EAE68758FC
PID: 1040 (2044) C:\Program Files\Messenger\msmsgs.exe
size: 1667584
MD5: B53343FE60A33EE765C2476D50D27B26
PID: 1252 ( 960) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 132424
MD5: A8AA9D47F971570A5162B862B80F87E8
PID: 1332 ( 960) C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
size: 243064
MD5: 7C813EB232C7AEFA627A12A104DDA221
PID: 1748 ( 960) C:\Program Files\Bonjour\mDNSResponder.exe
size: 238888
MD5: 9EFE4236F8670846B6E7C5B0EFF6E715
PID: 544 ( 960) C:\WINDOWS\wanmpsvc.exe
size: 65536
MD5: 909F2DC0DA7F57D229A05EE90647B2C3
PID: 2596 ( 960) C:\Program Files\iPod\bin\iPodService.exe
size: 536872
MD5: 62937A89470AF8FF172F0980CA8AEFC9
PID: 3000 ( 960) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 2784 (1368) C:\WINDOWS\system32\wuauclt.exe
size: 51224
MD5: E654B78D2F1D791B30D0ED9A8195EC22
PID: 3808 ( 640) C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 9C9B6807425CEF840C117654D8B033D1
PID: 4028 (3984) C:\Program Files\iTunes\iTunesHelper.exe
size: 290088
MD5: E6A4E341E4304B34AA280D3E73818C90
PID: 4012 ( 960) C:\Program Files\Java\jre6\bin\jqs.exe
size: 152984
MD5: 32192B4EBE8720ED8D49A455C962CB91
PID: 2556 ( 960) C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
size: 1251720
MD5: FA2F6A8849219B16460BF44F9D1F3AA7
PID: 504 (3848) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 3420 (3848) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1
PID: 548 (2044) C:\Program Files\Internet Explorer\IEXPLORE.EXE
size: 93184
MD5: E7484514C0464642BE7B4DC2689354C8
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/1/2009 5:41:49 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C72DF3F6-AD1D-4BB0-A305-DA6B1C59C039}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C72DF3F6-AD1D-4BB0-A305-DA6B1C59C039}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{77094E9D-0ABE-4CAC-A287-2DF33A5B8328}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{77094E9D-0ABE-4CAC-A287-2DF33A5B8328}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{91F066D0-5934-4943-BF83-567F30ACC7F3}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{91F066D0-5934-4943-BF83-567F30ACC7F3}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C32119CD-BDED-43F2-A2E0-83EFF99390E2}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C32119CD-BDED-43F2-A2E0-83EFF99390E2}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4538577C-5DD3-4F71-ADF0-ADA891C4FB50}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4538577C-5DD3-4F71-ADF0-ADA891C4FB50}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2500618D-504B-4725-AA4A-966BF1E10E98}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2500618D-504B-4725-AA4A-966BF1E10E98}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP

pskelley
2009-03-02, 12:58
Spybot S&D is finding two items, here is information about the first:
http://www.safer-networking.org/en/faq/46.html
http://www.safer-networking.org/en/faq/index.html <<< FAQs

The other is a cookie that you removed. Here is information to help control cookies:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

Any other malware issues?

Thanks

mikeyd
2009-03-02, 16:18
Thanks,

So it appears that there is no malware.

But, I still cannot access virus scan through Norton. Is there a way to uninstall Norton completely and reinstall (including all orphaned files on all drives) without losing 1 of the three allowed installations? Their website isn't the most user friendly.

And

1) Can I scan the system in safe mode and see the results, or will I get false issues (if any)? Or will the issues be real (if any)?

2) Can I leave Teatimer turned


Rgds

pskelley
2009-03-02, 16:48
But, I still cannot access virus scan through norton.
Ask your questions about Norton here:
http://www.symantec.com/enterprise/support/index.jsp
I have never run it and have no plans to.

Beyond that, it's your computer, you may do as you wish, but I would appreciate it if you do this first.

Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update Norton/Symantec and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

mikeyd
2009-03-04, 03:17
Uninstalled combofix, used Mbam and found 1 issue, log at bottom of post.

Could not run Norton virus scan, no access.

Important****
I can no longer use msconfig to put the system into safe mode (boot.ini is dimmed).
According to the boot info, the path to system restore is not valid.

Using F8, I tried to select safe mode with networking and I ended up with the hard drive on constantly and no action on the screen. I think it was trying to load but perhaps in a loop.

Any Suggestions as I am almost at the point of backing up or burning my critical files and reformatting the hard drive!


Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2

3/3/2009 12:43:59 AM
mbam-log-2009-03-03 (00-43-59).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 347550
Time elapsed: 4 hour(s), 11 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\bszip.dll (Worm.P2P) -> Quarantined and deleted successfully.

pskelley
2009-03-04, 14:16
D:\WINDOWS\system32\bszip.dll (Worm.P2P) -> Quarantined and deleted successfully.

Any Suggestions as I am almost at the point of backing up or burning my critical files and reformatting the hard drive!
Good time to do it while the computer is clean.

Could not run Norton virus scan, no access.
Not understanding what "no access" means? If you have problems with Symantec/Norton, you need to contact technical support:
http://www.symantec.com/enterprise/support/index.jsp

From the issues you are reporting, you might wish to consider either a Repair Install of your OS:
http://www.michaelstevenstech.com/XPrepairinstall.htm
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx
or even a reinstallation:
http://www.pcworld.com/article/129977/how_to_reinstall_windows_xp.html
http://www.michaelstevenstech.com/cleanxpinstall.html

If you want to troubleshoot individual issues, I need the errors word for word, exactly as Windows gives them to you. For instance:
"the path to system restore is not valid" <<< this returns this:
http://www.google.com/search?hl=en&q=the+path+to+system+restore+is+not+valid&btnG=Search

I have no idea what the actual error might return?

Thanks

mikeyd
2009-03-04, 14:35
In msconfig under check boot.in, check all boot paths
exact wording is:

It appears that the following line in the boot.ini file does not refer to a valid operating system.

"c:\cmdcons\bootsect.data="microsoft windows recovery console"/cmdcons"

Would you like to remove it from the boot.ini?

As far as Norton goes, there is no option (button, command etc.) available now to allow you to scan for viruses. It has disappeared.

pskelley
2009-03-04, 14:43
This is what I get when I Google:

It appears that the following line in the boot.ini file does not refer to a valid operating system
http://www.google.com/search?hl=en&q=It+appears+that+the+following+line+in+the+boot.ini+file+does+not+refer+to+a+valid+operating+system&btnG=Search

and when I Google:

c:\cmdcons\bootsect.data="microsoft windows recovery console"/cmdcons
http://support.microsoft.com/kb/216417
You might want to ask that question here:
http://support.microsoft.com/

Once again, since I am not a Norton/Symantec technician, I suggest you ask them questions dealing with their programs.

Thanks

mikeyd
2009-03-05, 22:22
Thanks for all of your assistance.

You can close the thread.

Rgds