pro.doctor key logger - Advice needed.



pumpkin
2009-09-26, 21:28
Hi,
I wondered if anyone could very kindly put my mind at rest. I have always had Bullguard installed on my computer and thought that doing weekly scans was enough. However, a couple of weeks ago I downloaded and ran Spybot S&D. It found various nasties including the following:

ProData.DoctorKeylogger: [SBI $3643F5FF] Library (File, nothing done)
C:\Windows\System32\Urncbc.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Properties.filedate=1203625954
Properties.filedatetext=2008-02-21 21:32:33

I am pretty sure I picked this up along the way when I was downloading internet-eraser. Anyhow, Spybot gave the above a low risk rating. My question is this: was the above active and, if so, for how long? ProData.Doctor is not mentioned anywhere else in the search report.
Here is the full report:

ProData.DoctorKeylogger: [SBI $3643F5FF] Library (File, nothing done)
C:\Windows\System32\Urncbc.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Properties.filedate=1203625954
Properties.filedatetext=2008-02-21 21:32:33

AdwareAlert: [SBI $4B7BCDE7] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DisabledRun

AdwareAlert: [SBI $714BCC83] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DisabledUninstall

AdwareAlert: [SBI $5BD92570] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DisabledBHO

EvidenceEraser: [SBI $57BE58D8] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\EvidenceEraser

EvidenceEraser: [SBI $A4839810] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\EvidenceEraser\

EvidenceEraser: [SBI $07DBFBB7] Log file (File, nothing done)
C:\Users\brando\AppData\Roaming\EvidenceEraser\Log\2008 Sep 04 - 01_26_40 AM_657.log
Properties.size=303
Properties.md5=B3FD08340BCE340FF2162ADD146BCD0E
Properties.filedate=1220488009
Properties.filedatetext=2008-09-04 01:26:48

EvidenceEraser: [SBI $07DBFBB7] Log file (File, nothing done)
C:\Users\brando\AppData\Roaming\EvidenceEraser\Log\2008 Sep 04 - 01_26_49 AM_376.log
Properties.size=347
Properties.md5=0909A38502F9BF21E0B4029BB0980660
Properties.filedate=1220488022
Properties.filedatetext=2008-09-04 01:27:01

EvidenceEraser: [SBI $07DBFBB7] Log file (File, nothing done)
C:\Users\brando\AppData\Roaming\EvidenceEraser\Log\2008 Sep 04 - 01_27_14 AM_829.log
Properties.size=305
Properties.md5=287E1D4CC7FA8419E5B3FDAC10C35545
Properties.filedate=1220488035
Properties.filedatetext=2008-09-04 01:27:14

EvidenceEraser: [SBI $07DBFBB7] Log file (File, nothing done)
C:\Users\brando\AppData\Roaming\EvidenceEraser\Log\2008 Sep 04 - 01_27_14 AM_860.log
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Properties.filedate=1220488035
Properties.filedatetext=2008-09-04 01:27:14

EvidenceEraser: [SBI $07DBFBB7] Log file (File, nothing done)
C:\Users\brando\AppData\Roaming\EvidenceEraser\Log\2008 Sep 04 - 01_27_36 AM_980.log
Properties.size=303
Properties.md5=C8F4D5667776CC9D0DBCC874598B954B
Properties.filedate=1220488057
Properties.filedatetext=2008-09-04 01:27:37

MalwareRemovalBot: [SBI $2D80A25D] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\MalwareRemovalBot

MalwareRemovalBot: [SBI $65C74BA9] Program directory (Directory, nothing done)
C:\Users\brando\AppData\Roaming\MalwareRemovalBot\

MalwareRemovalBot: [SBI $FFFCB65E] Program directory (Directory, nothing done)
C:\Users\brando\AppData\Roaming\MalwareRemovalBot\Log\

MalwareRemovalBot: [SBI $BF407717] Text file (File, nothing done)
C:\Users\brando\AppData\Roaming\MalwareRemovalBot\Log\2009 Mar 15 - 03_06_29 PM_147.log
Properties.size=8613
Properties.md5=F9035796CD39781AD6530DA34EBEBF7F
Properties.filedate=1237150751
Properties.filedatetext=2009-03-15 21:59:11

MalwareRemovalBot: [SBI $EB8B3F9E] Program directory (Directory, nothing done)
C:\Users\brando\AppData\Roaming\MalwareRemovalBot\Settings\

SpySheriff: [SBI $F18F24AD] Class ID (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}

SpySheriff: [SBI $D4B25EE3] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}

WinClear: [SBI $FEBA64B2] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\DiskCleaner

WinClear: [SBI $6F5B00A8] Program directory (Directory, nothing done)
C:\Program Files\WinClear\logs\

Smitfraud-C.: [SBI $D3A9FFF8] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons

Smitfraud-C.: [SBI $CDD81F06] IE toolbar (Registry value, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c}

Smitfraud-C.: [SBI $D69B9311] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Classes\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6}

Smitfraud-C.: [SBI $14D16881] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\applications\accessdiver.exe\shell

Smitfraud-C.: [SBI $C4E34F71] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656A137-B161-CADD-9777-E37A75727E78}

Smitfraud-C.: [SBI $C94F51E0] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Classes\applications\accessdiver.exe

Smitfraud-C.: [SBI $F5BA7F10] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Classes\clsid\{0B682CC1-FB40-4006-A5DD-99EDD3C9095D}

Smitfraud-C.: [SBI $29B76CCC] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Classes\clsid\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c}

Smitfraud-C.: [SBI $684E1A57] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Classes\clsid\{9dd4258a-7138-49c4-8d34-587879a5c7a4}

Smitfraud-C.: [SBI $D3703D52] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Classes\clsid\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338}

Smitfraud-C.: [SBI $0D95E0E1] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\Classes\HOL5_VXIEWER.FULL.1

Smitfraud-C.: [SBI $B2D82C44] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\fwbd

Smitfraud-C.: [SBI $29CFC69E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\HolLol

Smitfraud-C.: [SBI $1A6F031A] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\applications\accessdiver.exe

Smitfraud-C.: [SBI $FA9D614F] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{0B682CC1-FB40-4006-A5DD-99EDD3C9095D}

Smitfraud-C.: [SBI $26907293] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c}

Smitfraud-C.: [SBI $67690408] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4}

Smitfraud-C.: [SBI $06B4D625] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6}

Smitfraud-C.: [SBI $DC57230D] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338}

Smitfraud-C.gp: [SBI $A61C878B] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Mozilla\MSFox

FunWebProducts: [SBI $7AEE25A5] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}

MyWay.MyWebSearch: [SBI $1D7941E9] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\AskTBar

MyWay.MyWebSearch: [SBI $0EEF2CA2] Program directory (Directory, nothing done)
C:\Program Files\AskTBar\

MyWay.MyWebSearch: [SBI $9F9EE993] Program directory (Directory, nothing done)
C:\Program Files\AskTBar\bar\

MyWay.MyWebSearch: [SBI $51932F4B] Program directory (Directory, nothing done)
C:\Program Files\AskTBar\bar\1.bin\

MyWay.MyWebSearch: [SBI $5E72E90D] Library (File, nothing done)
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
Properties.size=245760
Properties.md5=59DBFE16AA20144CB11E7FC8B2D21EAA
Properties.filedate=1204583361
Properties.filedatetext=2008-03-03 23:29:21

Altnet: [SBI $3C8FED45] Program directory (Directory, nothing done)
c:\Program Files\Altnet\

Virtumonde: [SBI $3BE84E58] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-872071702-2096358385-386870123-1000\Software\mwc

I had Bullguard installed at the same time as the Spybot scan (I don't know if this is relevant). Your advice would be greatly appreciated!
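The report format above is regular enough to read mechanically, and two of its fields answer the "was it active" question more directly than the risk rating does. The script below is an added example, not part of the original post and not Spybot's own tooling: it parses a Spybot S&D report into findings, converts the Unix `filedate` to UTC, and flags file findings whose size is 0 and whose MD5 is D41D8CD98F00B204E9800998ECF8427E. That value is the MD5 of empty input, so `Urncbc.dll` as scanned contained no code at all and could not have been loaded as a keylogger library; what is left is a name that matches a signature. The embedded sample is an excerpt of the report in the post; the function names are the example's own.

```python
"""Parse a Spybot S&D report and flag file findings that cannot have run.

Added example, not part of the original post and not Spybot's own tooling.
The format is the one pasted above: a header line
    <Family>: [SBI $<id>] <kind> (<object type>, <action>)
followed by the object path and, for files, Properties.<key>=<value> lines.
"""
import hashlib
import re
from collections import Counter
from datetime import datetime, timezone

# MD5 of zero bytes of input; a file carrying this hash is empty.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

HEADER_RE = re.compile(
    r"^(?P<family>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]{8})\] "
    r"(?P<kind>.+?) \((?P<objtype>[^,]+), (?P<action>[^)]+)\)$"
)


def parse_report(text):
    """Return a list of findings: dicts with family/sbi/kind/objtype/action/path/props."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER_RE.match(line)
        if match:
            current = dict(match.groupdict(), path=None, props={})
            findings.append(current)
        elif current is None:
            continue  # stray text before the first header
        elif line.startswith("Properties."):
            key, _, value = line[len("Properties."):].partition("=")
            current["props"][key] = value
        elif current["path"] is None:
            current["path"] = line  # first plain line after a header is the object itself
    return findings


def file_timestamp_utc(finding):
    """filedate is a Unix epoch (filedatetext is local time); render the epoch as UTC."""
    epoch = int(finding["props"]["filedate"])
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def assess(finding):
    """One-line verdict on whether a finding is evidence of code that could execute."""
    if finding["objtype"] != "File":
        return "not a file: a registry key or directory shows presence, not execution"
    props = finding["props"]
    if int(props.get("size", -1)) == 0 or props.get("md5", "").upper() == EMPTY_MD5:
        return "empty file: zero bytes and the empty-input MD5, nothing to load or run"
    return "non-empty file: look up the MD5 and inspect the file before concluding"


def summarize(findings):
    """Counts per family plus how many items the scan left in place ('nothing done')."""
    return {
        "per_family": dict(Counter(f["family"] for f in findings)),
        "left_in_place": sum(f["action"] == "nothing done" for f in findings),
    }


# Excerpt of the report in the post above, copied verbatim (not constructed data).
SAMPLE_REPORT = r"""
ProData.DoctorKeylogger: [SBI $3643F5FF] Library (File, nothing done)
C:\Windows\System32\Urncbc.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Properties.filedate=1203625954
Properties.filedatetext=2008-02-21 21:32:33

AdwareAlert: [SBI $4B7BCDE7] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DisabledRun

MyWay.MyWebSearch: [SBI $5E72E90D] Library (File, nothing done)
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
Properties.size=245760
Properties.md5=59DBFE16AA20144CB11E7FC8B2D21EAA
Properties.filedate=1204583361
Properties.filedatetext=2008-03-03 23:29:21
"""

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for f in report:
        print(f"{f['family']}: {f['path']}")
        if f["objtype"] == "File":
            print(f"  modified (UTC): {file_timestamp_utc(f)}")
        print(f"  {assess(f)}")
    print(summarize(report))
```

Two caveats when reading the output. An empty file at scan time says nothing certain about what it held before; `filedate` is only the last-modified time (1203625954 is 2008-02-21 20:32:34 UTC, an hour behind the local `filedatetext`). And "nothing done" on every line means the scan only reported, so each item is still on disk or in the registry until something removes it.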