
Virtumonde Removal - Assistance Request



Tanggo
2009-10-19, 10:54
Spybot has often detected Virtumonde on my home computer. Assistance from Spybot Team will be appreciated to remove Virtumonde.

I have read the forum procedures and will try to adhere as closely as possible. My hijackthis.log is as follows -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:43 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Documents and Settings\Hogan1\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Hogan1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.0.2 ls.johnbokma.com # one of my customers personal site. ls = local_sites
O1 - Hosts: 127.0.0.4 ls.tkt2.com # This site for testing purposes.
O1 - Hosts: 127.0.0.5 ls.tktblog.com # My test blog.
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Hogan1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://help.live.com
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://safety.live.com
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

--
End of file - 7830 bytes

km2357
2009-10-20, 20:18
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!

km2357
2009-10-20, 20:29
Step # 1: Remove HijackThis Entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.



Step # 2: Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.




Step # 3: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan, or attempted scan in case of some error etc.!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
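The triage km2357 performs in Step 1, as an added example (not code from the thread, from HijackThis, or from Safer Networking): a parser for the HijackThis log format posted above that lists the entries whose file HijackThis marked as missing, the Step 1 O3 toolbar among them, and separates the poster's loopback hosts entries from a real redirect. The sample lines are copied from the log in the thread except the 192.0.2.10 hosts line, which is constructed.

```python
"""Triage of a HijackThis (HJT) log, modelled on km2357's Step 1.
Added example for this thread, not HijackThis or Safer Networking code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(r"^(?P<kind>[ORFN]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
MISSING_MARKERS = ("(no file)", "(file missing)")  # how HJT marks a dead path
PATH_KINDS = {"O2", "O3", "O4", "O9", "O23"}  # sections that end in a file path

@dataclass
class HjtEntry:
    kind: str                      # HJT section code, e.g. "O3"
    body: str                      # everything after "O3 - "
    clsid: Optional[str] = None    # {GUID} if the line carries one
    target: Optional[str] = None   # file HijackThis resolved, if any
    file_missing: bool = False     # HJT printed one of MISSING_MARKERS
    hosts_ip: Optional[str] = None
    hosts_name: Optional[str] = None

def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT log line; returns None for header/footer lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = HjtEntry(kind=m.group("kind"), body=m.group("body"))
    c = CLSID_RE.search(entry.body)
    if c:
        entry.clsid = c.group(0).upper()
    if entry.kind == "O1":
        h = HOSTS_RE.match(entry.body)
        if h:
            entry.hosts_ip, entry.hosts_name = h.group("ip"), h.group("name")
        return entry
    if entry.kind not in PATH_KINDS:
        return entry
    # O4 puts the command after the [name] bracket; the other sections put the
    # resolved file in the last " - " separated field.
    if entry.kind == "O4":
        tail = entry.body.split("]", 1)[1] if "]" in entry.body else ""
    else:
        tail = entry.body.rsplit(" - ", 1)[-1]
    tail = tail.strip()
    for marker in MISSING_MARKERS:
        if tail.endswith(marker):
            entry.file_missing = True
            tail = tail[: -len(marker)].strip()
    entry.target = tail or None
    return entry

def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def missing_file_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Registrations whose file is gone: inert leftovers, but exactly the kind
    of item 'Fix Checked' removes (the Step 1 O3 toolbar is one)."""
    return [e for e in entries if e.file_missing]

def hosts_redirects(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O1 entries that map a name to a non-loopback address.  Loopback
    (127.0.0.0/8, ::1) entries block a name or serve a local site, as the
    poster's ls.* test sites do; anything else redirects the name elsewhere."""
    out = []
    for e in entries:
        if e.kind != "O1" or e.hosts_ip is None:
            continue
        try:
            if not ipaddress.ip_address(e.hosts_ip).is_loopback:
                out.append(e)
        except ValueError:
            out.append(e)  # unparsable address: report it rather than hide it
    return out

# Constructed sample: lines copied from the HijackThis log in the thread, plus
# one made-up hosts redirect (192.0.2.10, documentation range) for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.2 ls.johnbokma.com # one of my customers personal site. ls = local_sites
O1 - Hosts: 192.0.2.10 example.invalid # constructed, not from the thread
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in missing_file_entries(parsed):
        print("fix candidate:", e.kind, e.clsid or "", e.target or "(no file)")
    for e in hosts_redirects(parsed):
        print("hosts redirect:", e.hosts_ip, "->", e.hosts_name)
```

A missing-file entry is a dead registration rather than active malware; the helper still removes it because it is clutter that hides real findings on the next scan.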

Tanggo
2009-10-20, 23:26
@ km2357,

Hi and my appreciation for giving your valuable time towards my request for assistance.

1. Have read your instructions carefully and tried to follow them to the letter except (surprises sometimes happen) two minor (hopefully) deviations.

(a) I disabled Avast on-access protection, Spybot TeaTimer and Windows Firewall while running dds and gmer.

(b) I have copy-pasted attach.txt as per forum rules instead of sending an attachment. I also have saved a copy of attach.zip on my desktop. Should you require the attach.zip, I will attach the zip file.

2. Below are the dds.txt, attach.txt and gmer.txt. I will eagerly await further instructions from my mentor.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Hogan1 at 3:44:06.10 on Wed 10/21/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.448 [GMT 8:00]

AV: avast! antivirus 4.8.1356 [VPS 091020-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Documents and Settings\Hogan1\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Hogan1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: SpywareBlock Class: {0a87e45f-537a-40b4-b812-e2544c21a09f} - c:\program files\spycatcher\SCActiveBlock.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue Quick Access] "c:\program files\uniblue\processlibrary\qaccess.exe" /startup
uRun: [RestoreDesktop] c:\program files\restore desktop\RestoreDesktop.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\documents and settings\hogan1\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: live.com\help
Trusted Zone: live.com\onecare
Trusted Zone: live.com\safety
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hogan1\applic~1\mozilla\firefox\profiles\slshlhev.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\hogan1\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-2 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-2 20560]
S3 PCAlertDriver;PCAlertDriver;\??\c:\biostools\ntglm7x.sys --> c:\biostools\NTGLM7X.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S4 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2007-1-9 20539]

=============== Created Last 30 ================

2009-10-03 13:49 <DIR> --d----- c:\program files\common files\xing shared
2009-10-03 05:57 <DIR> --d----- c:\program files\JRE
2009-10-03 05:57 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-10-03 03:00 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-03 02:08 <DIR> --d----- c:\program files\Secunia
2009-09-29 15:35 13,894 a------- c:\windows\system32\dllcache\zonelibm.dll
2009-09-29 15:35 113,222 a------- c:\windows\system32\dllcache\zoneclim.dll
2009-09-29 15:35 41,029 a------- c:\windows\system32\dllcache\zcorem.dll
2009-09-29 15:35 29,760 a------- c:\windows\system32\dllcache\znetm.dll
2009-09-29 15:35 4,677 a------- c:\windows\system32\dllcache\zeeverm.dll
2009-09-29 15:33 34,890 a------- c:\windows\system32\dllcache\wlandrv2.sys
2009-09-29 15:32 24,576 a------- c:\windows\system32\dllcache\viairda.sys
2009-09-29 15:31 22,912 a------- c:\windows\system32\dllcache\umaxpcls.sys
2009-09-29 15:30 4,992 a------- c:\windows\system32\dllcache\toside.sys
2009-09-29 15:29 3,968 a------- c:\windows\system32\dllcache\swusbflt.sys
2009-09-29 15:28 37,040 a------- c:\windows\system32\dllcache\sonypi.sys
2009-09-29 15:27 11,136 a------- c:\windows\system32\dllcache\slip.sys
2009-09-29 15:26 6,784 a------- c:\windows\system32\dllcache\serscan.sys
2009-09-29 15:25 41,216 a------- c:\windows\system32\dllcache\s3mt3d.sys
2009-09-29 15:24 899,146 a------- c:\windows\system32\dllcache\r2mdkxga.sys
2009-09-29 15:23 17,792 a------- c:\windows\system32\dllcache\ppa.sys
2009-09-29 15:22 26,153 a------- c:\windows\system32\dllcache\pcmlm56.sys
2009-09-29 15:21 123,776 a------- c:\windows\system32\dllcache\nv3.dll
2009-09-29 15:20 35,392 a------- c:\windows\system32\dllcache\n9i128.dll
2009-09-29 15:19 17,280 a------- c:\windows\system32\dllcache\mraid35x.sys
2009-09-29 15:18 802,683 a------- c:\windows\system32\dllcache\ltsm.sys
2009-09-29 15:17 6,144 a------- c:\windows\system32\dllcache\kbd101b.dll
2009-09-29 15:16 26,624 a------- c:\windows\system32\dllcache\icam3ext.dll
2009-09-29 15:15 19,456 a------- c:\windows\system32\dllcache\hr1w.dll
2009-09-29 15:14 320,384 a------- c:\windows\system32\dllcache\g200m.sys
2009-09-29 15:13 137,088 a------- c:\windows\system32\dllcache\essm2e.sys
2009-09-29 15:12 50,719 a------- c:\windows\system32\dllcache\e1000nt5.sys
2009-09-29 15:11 63,208 a------- c:\windows\system32\dllcache\dc21x4.sys
2009-09-29 15:10 22,044 a------- c:\windows\system32\dllcache\cem33n5.sys
2009-09-29 15:09 1,817,687 a------- c:\windows\system32\dllcache\bckgres.dll
2009-09-29 15:08 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-09-27 20:18 32,768 a------- c:\windows\system32\CleanMem.exe
2009-09-27 20:18 <DIR> --d----- c:\windows\CleanMem
2009-09-27 20:18 <DIR> --d----- c:\program files\CleanMem

==================== Find3M ====================

2009-10-03 05:56 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-11 22:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 22:18 136,192 a------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-05 05:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-05 05:03 58,880 a------- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 16:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 16:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 17:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 17:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 23:13 2,145,280 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 22:20 2,023,936 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 22:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 22:20 2,066,048 a------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-27 14:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 3:44:41.50 ===============

Tanggo
2009-10-20, 23:32
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-13.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/11/2006 11:54:07 AM
System Uptime: 10/20/2009 8:11:26 AM (19 hours ago)

Motherboard: MSI | | 09AC
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 1994/199mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 58.171 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetXtreme Gigabit Ethernet
Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_3009103C&REV_20\4&19F7B2C2&0&0028
Manufacturer: Broadcom
Name: Broadcom NetXtreme Gigabit Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_3009103C&REV_20\4&19F7B2C2&0&0028
Service: b57w2k

==== System Restore Points ===================

RP898: 7/22/2009 10:06:42 AM - System Checkpoint
RP899: 7/23/2009 7:29:36 AM - Software Distribution Service 3.0
RP900: 7/24/2009 7:42:58 AM - Software Distribution Service 3.0
RP901: 7/25/2009 5:53:14 PM - System Checkpoint
RP902: 7/26/2009 11:59:44 PM - System Checkpoint
RP903: 7/28/2009 8:27:44 AM - Software Distribution Service 3.0
RP904: 7/29/2009 1:02:39 PM - System Checkpoint
RP905: 7/30/2009 7:25:01 AM - Software Distribution Service 3.0
RP906: 7/31/2009 7:40:02 AM - System Checkpoint
RP907: 7/31/2009 11:23:35 AM - Software Distribution Service 3.0
RP908: 8/1/2009 11:41:10 AM - System Checkpoint
RP909: 8/2/2009 12:23:15 PM - System Checkpoint
RP910: 8/3/2009 12:58:09 PM - System Checkpoint
RP911: 8/4/2009 12:11:02 PM - Software Distribution Service 3.0
RP912: 8/5/2009 1:00:31 PM - System Checkpoint
RP913: 8/6/2009 2:15:50 PM - System Checkpoint
RP914: 8/7/2009 3:15:55 PM - System Checkpoint
RP915: 8/7/2009 3:20:30 PM - Software Distribution Service 3.0
RP916: 8/8/2009 7:51:00 PM - System Checkpoint
RP917: 8/10/2009 9:47:13 AM - System Checkpoint
RP918: 8/11/2009 10:38:30 AM - Software Distribution Service 3.0
RP919: 8/12/2009 10:41:30 AM - System Checkpoint
RP920: 8/16/2009 7:30:26 AM - Software Distribution Service 3.0
RP921: 8/16/2009 7:47:35 AM - Installed Java(TM) 6 Update 15
RP922: 8/16/2009 7:54:02 AM - Windows Defender Checkpoint
RP923: 8/17/2009 8:47:36 AM - Software Distribution Service 3.0
RP924: 8/18/2009 12:15:02 PM - System Checkpoint
RP925: 8/18/2009 1:54:14 PM - Software Distribution Service 3.0
RP926: 8/20/2009 10:09:17 PM - System Checkpoint
RP927: 8/21/2009 7:13:45 AM - Software Distribution Service 3.0
RP928: 8/22/2009 9:07:46 AM - System Checkpoint
RP929: 8/23/2009 1:29:34 PM - System Checkpoint
RP930: 8/24/2009 11:58:51 PM - System Checkpoint
RP931: 8/25/2009 8:48:36 AM - Software Distribution Service 3.0
RP932: 8/26/2009 10:32:15 AM - System Checkpoint
RP933: 8/27/2009 3:00:19 AM - Software Distribution Service 3.0
RP934: 8/28/2009 8:53:27 AM - Software Distribution Service 3.0
RP935: 8/29/2009 11:04:34 AM - System Checkpoint
RP936: 8/30/2009 9:08:45 PM - System Checkpoint
RP937: 9/1/2009 7:22:40 AM - Software Distribution Service 3.0
RP938: 9/1/2009 8:16:37 AM - Software Distribution Service 3.0
RP939: 9/2/2009 9:43:39 AM - System Checkpoint
RP940: 9/13/2009 7:46:39 AM - Software Distribution Service 3.0
RP941: 9/14/2009 11:20:15 AM - Software Distribution Service 3.0
RP942: 9/15/2009 11:19:16 AM - Software Distribution Service 3.0
RP943: 9/16/2009 12:06:34 PM - System Checkpoint
RP944: 9/17/2009 3:20:25 PM - System Checkpoint
RP945: 9/18/2009 11:05:09 AM - Software Distribution Service 3.0
RP946: 9/19/2009 2:50:04 PM - System Checkpoint
RP947: 9/21/2009 12:34:09 AM - System Checkpoint
RP948: 9/22/2009 12:36:01 AM - Software Distribution Service 3.0
RP949: 9/23/2009 5:18:18 PM - System Checkpoint
RP950: 9/24/2009 5:29:30 PM - System Checkpoint
RP951: 9/25/2009 8:34:50 AM - Software Distribution Service 3.0
RP952: 9/26/2009 11:06:01 AM - Software Distribution Service 3.0
RP953: 9/27/2009 12:48:47 PM - System Checkpoint
RP954: 9/28/2009 1:28:14 PM - System Checkpoint
RP955: 9/29/2009 11:22:55 AM - Software Distribution Service 3.0
RP956: 9/29/2009 1:45:09 PM - Removed Opera 10.00
RP957: 9/29/2009 1:46:55 PM - Installed Opera 10.00.
RP958: 9/30/2009 2:59:59 PM - Software Distribution Service 3.0
RP959: 9/30/2009 9:58:24 PM - restorePoint20090930
RP960: 10/1/2009 9:59:13 PM - System Checkpoint
RP961: 10/3/2009 2:34:08 AM - System Checkpoint
RP962: 10/3/2009 3:00:24 AM - Software Distribution Service 3.0
RP963: 10/3/2009 5:41:36 AM - Removed OpenOffice.org 2.1
RP964: 10/3/2009 5:55:50 AM - Removed Java(TM) 6 Update 11
RP965: 10/3/2009 5:56:25 AM - Installed Java(TM) 6 Update 16
RP966: 10/3/2009 5:57:12 AM - Installed OpenOffice.org 3.1
RP967: 10/3/2009 6:33:00 AM - Installed Retrospect 6.5
RP968: 10/3/2009 2:09:29 PM - Removed Java(TM) 6 Update 3
RP969: 10/3/2009 2:10:15 PM - Removed Java(TM) 6 Update 5
RP970: 10/3/2009 2:10:48 PM - Removed Java(TM) 6 Update 7
RP971: 10/18/2009 8:23:08 AM - Software Distribution Service 3.0
RP972: 10/18/2009 10:57:18 AM - Software Distribution Service 3.0
RP973: 10/19/2009 11:19:06 AM - System Checkpoint
RP974: 10/19/2009 9:51:46 PM - Software Distribution Service 3.0

==== Installed Programs ======================

7-Zip 4.64
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apache HTTP Server 2.2.4
Apple Software Update
Athlon 64 Processor Driver
ATI Control Panel
ATI Display Driver
avast! Antivirus
Broadcom Management Programs
CamStudio
Canon MP Navigator 3.0
Canon MP160
CleanMem
Critical Update for Windows Media Player 11 (KB959772)
EasyCleaner
ERUNT 1.1j
FastSum 1.5 Standard Edition and FastSum 1.9 Command-Line Editi
FileZilla Client 3.2.7.1
Free Download Manager 2.0
Google Chrome
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Help and Support
HP Safety and Comfort Guide
ImageMagick 6.5.1-8 Q16 (2009-05-01)
InterVideo WinDVD
Java(TM) 6 Update 16
LightScribe 1.4.84.1
Macromedia Dreamweaver 8
Macromedia Extension Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.5.3)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MySQL Server 5.0
OpenOffice.org 3.1
Opera 10.00
QuickTime
RealPlayer
Restore Desktop (remove only)
Retrospect 6.5
Roxio Easy Media Creator 7 Basic Edition
Ruby-186-26
Secunia PSI
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Serif PhotoPlus 6.0
Software Setup
Spybot - Search & Destroy
Sumatra PDF reader
Uniblue Quick Access
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

10/18/2009 11:04:12 AM, error: ati2mtag [45062] - CRT invalid display type
10/18/2009 10:57:18 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service IISADMIN with arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

==== End Of File ===========================

Tanggo
2009-10-20, 23:34
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-21 04:47:40
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Hogan1\LOCALS~1\Temp\fxdyiaow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB8ACD6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB8ACD574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB8ACDA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB8ACD14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB8ACD64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB8ACD08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB8ACD0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB8ACD76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB8ACD72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB8ACD8AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[556] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[556] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

Tanggo
2009-10-21, 04:04
@km2357,

I have a few questions and hope you can provide some enlightenment.

1. Regarding "disable script blocker", I did not do anything specific other than disabling Avast on-access protection and Spybot TeaTimer. Additionally, dds.scr ran successfully. Is there any potential problem here? Does Windows XP have a script blocker that I should also disable?

2. What is the difference between copy-pasting attach.txt and attaching attach.zip in a post?

Thanks and best regards.

km2357
2009-10-21, 06:43
1. Regarding "disable script blocker", I did not do anything specific other than disabling Avast on-access protection and Spybot TeaTimer. Additionally, dds.scr ran successfully. Is there any potential problem here? Does Windows XP have a script blocker that I should also disable?

You disabled exactly what you needed to disable before you ran DDS. So, no potential problems. :) And as far as I'm aware XP does not have a built in script blocker.
2. What is the difference between copy-pasting attach.txt and attaching attach.zip in a post?

With copy-pasting attach.txt you put the contents of it right on the screen for me to read through. If you had attached the attach.zip file to the post, then I would have to download the attach.zip file, unzip it and then open it in Notepad. Posting the attach.txt log instead of attaching the zip file makes it easier (and quicker) for me to read and look through.
Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

Tanggo
2009-10-21, 08:58
Thanks for the above explanation. I am surprised that my computer does not already have the Recovery Console installed. I have set more than a few Restore points in the past and even restored the computer to an earlier date. Does this mean that Restore and Recovery are 2 different applications?

I am sorry to digress, but I am also taking this opportunity to learn first hand from a professional.

Below is the intimidating ComboFix.txt log as per your instruction.

ComboFix 09-10-01.01 - Hogan1 10/21/2009 14:20.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.347 [GMT 8:00]
Running from: c:\documents and settings\Hogan1\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091020-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1544740464-1147832462-2697151483-500
c:\recycler\S-1-5-21-1544740464-1147832462-2697151483-500\desktop.ini
c:\recycler\S-1-5-21-1544740464-1147832462-2697151483-500\INFO2
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-19 07:48 . 2009-10-19 07:56 -------- d-----w- c:\program files\ERUNT
2009-10-03 05:49 . 2009-10-03 05:49 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-02 22:01 . 2009-10-02 22:02 -------- d-----w- c:\documents and settings\Hogan1\Application Data\FileZilla
2009-10-02 21:57 . 2009-10-02 21:57 -------- d-----w- c:\program files\JRE
2009-10-02 21:57 . 2009-10-02 21:57 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-02 20:07 . 2009-10-02 20:07 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-02 19:00 . 2009-10-01 02:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-02 18:08 . 2009-10-02 18:08 -------- d-----w- c:\program files\Secunia
2009-09-29 07:35 . 2004-08-04 13:00 13894 ----a-w- c:\windows\system32\dllcache\zonelibm.dll
2009-09-29 07:35 . 2004-08-04 13:00 4677 ----a-w- c:\windows\system32\dllcache\zeeverm.dll
2009-09-29 07:35 . 2004-08-04 13:00 41029 ----a-w- c:\windows\system32\dllcache\zcorem.dll
2009-09-29 07:35 . 2004-08-04 13:00 29760 ----a-w- c:\windows\system32\dllcache\znetm.dll
2009-09-29 07:35 . 2004-08-04 13:00 113222 ----a-w- c:\windows\system32\dllcache\zoneclim.dll
2009-09-29 07:33 . 2001-08-17 04:12 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2009-09-29 07:32 . 2001-08-17 05:49 24576 ----a-w- c:\windows\system32\dllcache\viairda.sys
2009-09-29 07:31 . 2001-08-17 05:58 22912 ----a-w- c:\windows\system32\dllcache\umaxpcls.sys
2009-09-29 07:30 . 2001-08-17 05:51 4992 ----a-w- c:\windows\system32\dllcache\toside.sys
2009-09-29 07:29 . 2001-08-17 06:02 3968 ----a-w- c:\windows\system32\dllcache\swusbflt.sys
2009-09-29 07:28 . 2001-08-17 04:51 37040 ----a-w- c:\windows\system32\dllcache\sonypi.sys
2009-09-29 07:27 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\dllcache\slip.sys
2009-09-29 07:26 . 2001-08-17 05:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2009-09-29 07:25 . 2001-08-17 04:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-09-29 07:24 . 2001-08-17 05:28 899146 ----a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2009-09-29 07:23 . 2001-08-17 05:53 17792 ----a-w- c:\windows\system32\dllcache\ppa.sys
2009-09-29 07:22 . 2001-08-17 04:12 26153 ----a-w- c:\windows\system32\dllcache\pcmlm56.sys
2009-09-29 07:21 . 2001-08-17 14:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2009-09-29 07:20 . 2001-08-17 06:56 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2009-09-29 07:19 . 2001-08-17 05:52 17280 ----a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-09-29 07:18 . 2001-08-17 05:28 802683 ----a-w- c:\windows\system32\dllcache\ltsm.sys
2009-09-29 07:17 . 2001-08-17 06:55 6144 ----a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-09-29 07:16 . 2001-08-17 14:36 26624 ----a-w- c:\windows\system32\dllcache\icam3ext.dll
2009-09-29 07:15 . 2001-08-17 14:36 19456 ----a-w- c:\windows\system32\dllcache\hr1w.dll
2009-09-29 07:14 . 2001-08-17 04:49 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys
2009-09-29 07:13 . 2004-08-03 14:32 137088 ----a-w- c:\windows\system32\dllcache\essm2e.sys
2009-09-29 07:12 . 2001-08-17 04:12 50719 ----a-w- c:\windows\system32\dllcache\e1000nt5.sys
2009-09-29 07:11 . 2001-08-17 04:12 63208 ----a-w- c:\windows\system32\dllcache\dc21x4.sys
2009-09-29 07:10 . 2001-08-17 04:13 22044 ----a-w- c:\windows\system32\dllcache\cem33n5.sys
2009-09-29 07:09 . 2004-08-04 13:00 82501 ----a-w- c:\windows\system32\dllcache\bckg.dll
2009-09-29 07:08 . 2001-08-17 06:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-09-29 06:18 . 2009-10-18 00:39 -------- d-----w- c:\documents and settings\Hogan1\Local Settings\Application Data\Temp
2009-09-27 12:18 . 2009-06-10 22:22 32768 ----a-w- c:\windows\system32\CleanMem.exe
2009-09-27 12:18 . 2009-09-27 12:18 -------- d-----w- c:\windows\CleanMem
2009-09-27 12:18 . 2009-09-27 12:18 -------- d-----w- c:\program files\CleanMem

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 19:20 . 2006-08-10 05:00 -------- d-----w- c:\documents and settings\Hogan1\Application Data\Free Download Manager
2009-10-18 11:42 . 2006-07-13 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-18 09:10 . 2008-04-07 01:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-03 06:11 . 2006-07-04 16:12 -------- d-----w- c:\program files\Java
2009-10-03 05:49 . 2006-09-13 09:29 -------- d-----w- c:\program files\Common Files\Real
2009-10-02 22:36 . 2006-07-12 15:56 32536 ----a-w- c:\documents and settings\Hogan1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 22:22 . 2006-08-24 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2009-10-02 21:56 . 2008-12-16 13:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-02 21:39 . 2006-07-14 03:23 -------- d-----w- c:\documents and settings\Hogan1\Application Data\OpenOffice.org2
2009-10-02 20:09 . 2007-04-18 10:33 -------- d-----w- c:\program files\FileZilla
2009-09-29 05:47 . 2006-07-21 07:51 -------- d-----w- c:\program files\Opera
2009-09-29 05:45 . 2008-12-06 13:56 -------- d-----w- c:\program files\Opera 10 Preview
2009-09-16 04:24 . 2006-12-20 08:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-15 10:59 . 2006-07-13 04:29 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-15 10:56 . 2006-07-13 04:29 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-15 10:56 . 2006-07-13 04:29 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-15 10:55 . 2008-04-02 06:28 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-15 10:55 . 2008-04-02 06:28 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 10:54 . 2006-07-13 04:29 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-15 10:54 . 2006-07-13 04:29 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-15 10:53 . 2006-07-13 04:29 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-15 10:53 . 2006-07-13 04:29 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 14:08 . 2006-08-10 04:37 -------- d-----w- c:\program files\Free Download Manager
2009-08-06 11:24 . 2004-08-04 08:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 11:24 . 2004-08-04 08:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 11:24 . 2005-05-25 20:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 11:24 . 2004-08-04 08:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 11:24 . 2004-08-04 08:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 11:24 . 2004-08-04 08:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 11:23 . 2004-08-04 08:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 11:23 . 2006-12-17 17:40 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 11:23 . 2005-05-25 20:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 11:23 . 2004-08-04 08:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:20 . 2004-08-04 08:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 12:44 . 2004-08-04 08:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue Quick Access"="c:\program files\Uniblue\ProcessLibrary\qaccess.exe" [2006-09-14 225280]
"RestoreDesktop"="c:\program files\Restore Desktop\RestoreDesktop.exe" [2003-03-11 45056]
"Google Update"="c:\documents and settings\Hogan1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-09 339968]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-02-04 1695744]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-03 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-02 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-1-9 41041]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/2/2008 2:28 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2008 2:28 PM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 PCAlertDriver;PCAlertDriver;\??\c:\biostools\NTGLM7X.sys --> c:\biostools\NTGLM7X.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 PM 12648]
S4 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [1/9/2007 11:17 PM 20539]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FXDYIAOW
*Deregistered* - fxdyiaow

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdfe355e-22db-11dd-a59a-aefa40aca4d5}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2009-10-21 c:\windows\Tasks\Clean System Memory.job
- c:\windows\system32\CleanMem.exe [2009-09-27 22:22]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-755137727-2013218922-164856062-1005Core.job
- c:\documents and settings\Hogan1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-29 06:18]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-755137727-2013218922-164856062-1005UA.job
- c:\documents and settings\Hogan1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-29 06:18]

2009-10-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 10:20]

2009-09-27 c:\windows\Tasks\RoxioUpdator.job
- c:\program files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe [2005-02-04 01:05]

2009-10-21 c:\windows\Tasks\User_Feed_Synchronization-{B50F4C7C-5304-4EA4-831B-0DC62F49254E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: live.com\help
Trusted Zone: live.com\onecare
Trusted Zone: live.com\safety
FF - ProfilePath - c:\documents and settings\Hogan1\Application Data\Mozilla\Firefox\Profiles\slshlhev.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Hogan1\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 14:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000583F5B230767B0E973 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-755137727-2013218922-164856062-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-21 14:22
ComboFix-quarantined-files.txt 2009-10-21 06:22

Pre-Run: 62,653,337,600 bytes free
Post-Run: 62,647,607,296 bytes free

227 --- E O F --- 2009-10-19 13:52

Tanggo
2009-10-21, 09:46
@km2357,

FYI, the Windows Recovery Console is still not installed. This probably happened because I disabled the Local Area Connection, AV, firewall and Spybot before starting ComboFix. Neither I nor ComboFix could connect to the internet. So the Recovery Console installation did not happen, but the scan proceeded nonetheless.

As I only have the Windows XP Recovery Disc but not the XP disc, I might have to find some way to install the Recovery Console. I hope my floppy disk drive still works (Microsoft says I need six of these). Rightfully it should work because it has not done any work since it was new. By the same reasoning, it may now refuse to work.

Just for your information, in case it's important.

Is it possible to keep the internet connection alive, rerun ComboFix and let it try to install the Recovery Console and of course do a cursory scan again? :sad:

Tanggo
2009-10-21, 13:59
@km2357,

After going over the ComboFix tutorial at the link you provided me, I have noted how to install the Windows Recovery Console by downloading and then dragging the Windows...BootDisk-Enu.exe file onto the ComboFix.exe file. Please excuse my previous post about the absent Recovery Console.

However, I will just pause everything at this point and not install the Recovery Console until you say so. Sorry for the unnecessary delay.

km2357
2009-10-21, 20:24
I am sorry to digress, but I am also taking this opportunity to learn first hand from a professional.

It's no problem. :)
I am surprised that my computer does not already have the Recovery Console installed. I have set more than a few Restore points in the past and even restored the computer to an earlier date. Does this mean that Restore and Recovery are 2 different applications?

Yes, System Restore and Recovery Console are two different applications. System Restore comes preinstalled on Windows and Recovery Console you have to install yourself.


Is it possible to keep the internet connection alive and rerun comboFix and let it try to install the Recovery Console and of course do a cursory scan again?

Yes, it is ok for you to have your internet connection up while running ComboFix. Doing this will allow ComboFix to download and install the Recovery Console on its own.
Regarding ComboFix, you used a really old version (09-10-01.01) of the program, that is at least 18-19 days old. I would like for you to delete ComboFix.exe off of your computer and download the latest version from one of the links below:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Be sure to save ComboFix.exe to your Desktop.

Once you've downloaded ComboFix, go ahead and run it. One of the first things that'll pop up will be ComboFix asking if you want it to download and install Recovery Console. Make sure you're connected to the Internet and then click Yes. Then let ComboFix finish its run and post back the ComboFix log you get at the end in your next post/reply.

Tanggo
2009-10-22, 06:37
Regarding ComboFix, you used a really old version (09-10-01.01) of the program, that is at least 18-19 days old.

Ugghh!! While surfing this forum THREE weeks ago I downloaded and assembled a battalion of anti-spyware in preparation for this forthcoming battle.

Sun Tzu: "A wise general makes a point of knowing the enemy."
I guess I am not a general. It's fortunate that you are a sharp fellow. You would make a good general.

The new ComboFix.txt is below. Just out of curiosity, how does it compare with the old one?

ComboFix 09-10-20.03 - Hogan1 10/22/2009 11:26.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.409 [GMT 8:00]
Running from: c:\documents and settings\Hogan1\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091021-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\459d329.msi

.
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-21 14:56 . 2009-10-22 03:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-21 14:56 . 2005-08-25 11:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-10-21 14:56 . 2009-10-21 14:59 -------- d-----w- c:\program files\SpywareBlaster
2009-10-19 07:48 . 2009-10-19 07:56 -------- d-----w- c:\program files\ERUNT
2009-10-03 05:49 . 2009-10-03 05:49 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-02 22:01 . 2009-10-02 22:02 -------- d-----w- c:\documents and settings\Hogan1\Application Data\FileZilla
2009-10-02 21:57 . 2009-10-02 21:57 -------- d-----w- c:\program files\JRE
2009-10-02 21:57 . 2009-10-02 21:57 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-02 20:07 . 2009-10-02 20:07 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-02 19:00 . 2009-10-01 02:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-02 18:08 . 2009-10-02 18:08 -------- d-----w- c:\program files\Secunia
2009-09-29 07:35 . 2004-08-04 13:00 13894 ----a-w- c:\windows\system32\dllcache\zonelibm.dll
2009-09-29 07:35 . 2004-08-04 13:00 4677 ----a-w- c:\windows\system32\dllcache\zeeverm.dll
2009-09-29 07:35 . 2004-08-04 13:00 41029 ----a-w- c:\windows\system32\dllcache\zcorem.dll
2009-09-29 07:35 . 2004-08-04 13:00 29760 ----a-w- c:\windows\system32\dllcache\znetm.dll
2009-09-29 07:35 . 2004-08-04 13:00 113222 ----a-w- c:\windows\system32\dllcache\zoneclim.dll
2009-09-29 07:33 . 2001-08-17 04:12 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2009-09-29 07:32 . 2001-08-17 05:49 24576 ----a-w- c:\windows\system32\dllcache\viairda.sys
2009-09-29 07:31 . 2001-08-17 05:58 22912 ----a-w- c:\windows\system32\dllcache\umaxpcls.sys
2009-09-29 07:30 . 2001-08-17 05:51 4992 ----a-w- c:\windows\system32\dllcache\toside.sys
2009-09-29 07:29 . 2001-08-17 06:02 3968 ----a-w- c:\windows\system32\dllcache\swusbflt.sys
2009-09-29 07:28 . 2001-08-17 04:51 37040 ----a-w- c:\windows\system32\dllcache\sonypi.sys
2009-09-29 07:27 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\dllcache\slip.sys
2009-09-29 07:26 . 2001-08-17 05:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2009-09-29 07:25 . 2001-08-17 04:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-09-29 07:24 . 2001-08-17 05:28 899146 ----a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2009-09-29 07:23 . 2001-08-17 05:53 17792 ----a-w- c:\windows\system32\dllcache\ppa.sys
2009-09-29 07:22 . 2001-08-17 04:12 26153 ----a-w- c:\windows\system32\dllcache\pcmlm56.sys
2009-09-29 07:21 . 2001-08-17 14:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2009-09-29 07:20 . 2001-08-17 06:56 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2009-09-29 07:19 . 2001-08-17 05:52 17280 ----a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-09-29 07:18 . 2001-08-17 05:28 802683 ----a-w- c:\windows\system32\dllcache\ltsm.sys
2009-09-29 07:17 . 2001-08-17 06:55 6144 ----a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-09-29 07:16 . 2001-08-17 14:36 26624 ----a-w- c:\windows\system32\dllcache\icam3ext.dll
2009-09-29 07:15 . 2001-08-17 14:36 19456 ----a-w- c:\windows\system32\dllcache\hr1w.dll
2009-09-29 07:14 . 2001-08-17 04:49 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys
2009-09-29 07:13 . 2004-08-03 14:32 137088 ----a-w- c:\windows\system32\dllcache\essm2e.sys
2009-09-29 07:12 . 2001-08-17 04:12 50719 ----a-w- c:\windows\system32\dllcache\e1000nt5.sys
2009-09-29 07:11 . 2001-08-17 04:12 63208 ----a-w- c:\windows\system32\dllcache\dc21x4.sys
2009-09-29 07:10 . 2001-08-17 04:13 22044 ----a-w- c:\windows\system32\dllcache\cem33n5.sys
2009-09-29 07:09 . 2004-08-04 13:00 82501 ----a-w- c:\windows\system32\dllcache\bckg.dll
2009-09-29 07:08 . 2001-08-17 06:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-09-29 06:18 . 2009-10-18 00:39 -------- d-----w- c:\documents and settings\Hogan1\Local Settings\Application Data\Temp
2009-09-27 12:18 . 2009-06-10 22:22 32768 ----a-w- c:\windows\system32\CleanMem.exe
2009-09-27 12:18 . 2009-09-27 12:18 -------- d-----w- c:\windows\CleanMem
2009-09-27 12:18 . 2009-09-27 12:18 -------- d-----w- c:\program files\CleanMem

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 03:18 . 2006-08-10 05:00 -------- d-----w- c:\documents and settings\Hogan1\Application Data\Free Download Manager
2009-10-18 11:42 . 2006-07-13 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-18 09:10 . 2008-04-07 01:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-03 06:11 . 2006-07-04 16:12 -------- d-----w- c:\program files\Java
2009-10-03 05:49 . 2006-09-13 09:29 -------- d-----w- c:\program files\Common Files\Real
2009-10-02 22:36 . 2006-07-12 15:56 32536 ----a-w- c:\documents and settings\Hogan1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 22:22 . 2006-08-24 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2009-10-02 21:56 . 2008-12-16 13:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-02 21:39 . 2006-07-14 03:23 -------- d-----w- c:\documents and settings\Hogan1\Application Data\OpenOffice.org2
2009-10-02 20:09 . 2007-04-18 10:33 -------- d-----w- c:\program files\FileZilla
2009-09-29 05:47 . 2006-07-21 07:51 -------- d-----w- c:\program files\Opera
2009-09-29 05:45 . 2008-12-06 13:56 -------- d-----w- c:\program files\Opera 10 Preview
2009-09-16 04:24 . 2006-12-20 08:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-15 10:59 . 2006-07-13 04:29 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-15 10:56 . 2006-07-13 04:29 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-15 10:56 . 2006-07-13 04:29 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-15 10:55 . 2008-04-02 06:28 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-15 10:55 . 2008-04-02 06:28 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 10:54 . 2006-07-13 04:29 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-15 10:54 . 2006-07-13 04:29 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-15 10:53 . 2006-07-13 04:29 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-15 10:53 . 2006-07-13 04:29 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 14:08 . 2006-08-10 04:37 -------- d-----w- c:\program files\Free Download Manager
2009-08-06 11:24 . 2004-08-04 08:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 11:24 . 2004-08-04 08:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 11:24 . 2005-05-25 20:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 11:24 . 2004-08-04 08:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 11:24 . 2004-08-04 08:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 11:24 . 2004-08-04 08:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 11:23 . 2004-08-04 08:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 11:23 . 2006-12-17 17:40 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 11:23 . 2005-05-25 20:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 11:23 . 2004-08-04 08:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:20 . 2004-08-04 08:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 12:44 . 2004-08-04 08:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_06.20.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-21 06:30 . 2009-10-21 06:30 16384 c:\windows\Temp\Perflib_Perfdata_448.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue Quick Access"="c:\program files\Uniblue\ProcessLibrary\qaccess.exe" [2006-09-14 225280]
"RestoreDesktop"="c:\program files\Restore Desktop\RestoreDesktop.exe" [2003-03-11 45056]
"Google Update"="c:\documents and settings\Hogan1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-09 339968]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-02-04 1695744]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-03 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-02 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-1-9 41041]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/2/2008 2:28 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2008 2:28 PM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 PCAlertDriver;PCAlertDriver;\??\c:\biostools\NTGLM7X.sys --> c:\biostools\NTGLM7X.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 PM 12648]
S4 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [1/9/2007 11:17 PM 20539]
.
Contents of the 'Scheduled Tasks' folder

2009-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2009-10-21 c:\windows\Tasks\Clean System Memory.job
- c:\windows\system32\CleanMem.exe [2009-09-27 22:22]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-755137727-2013218922-164856062-1005Core.job
- c:\documents and settings\Hogan1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-29 06:18]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-755137727-2013218922-164856062-1005UA.job
- c:\documents and settings\Hogan1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-29 06:18]

2009-10-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 10:20]

2009-09-27 c:\windows\Tasks\RoxioUpdator.job
- c:\program files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe [2005-02-04 01:05]

2009-10-22 c:\windows\Tasks\User_Feed_Synchronization-{B50F4C7C-5304-4EA4-831B-0DC62F49254E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: live.com\help
Trusted Zone: live.com\onecare
Trusted Zone: live.com\safety
FF - ProfilePath - c:\documents and settings\Hogan1\Application Data\Mozilla\Firefox\Profiles\slshlhev.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Hogan1\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 11:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-755137727-2013218922-164856062-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(444)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-22 11:31
ComboFix-quarantined-files.txt 2009-10-22 03:31

Pre-Run: 62,653,919,232 bytes free
Post-Run: 62,616,649,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D6447CD82C8B2F28B595121E95C2614D

km2357
2009-10-23, 00:22
The new comboFix.txt is below. Just out of curiosity, how does it compare with the old one?

Not too much difference between this one and the old one. You'll notice that the Other Deletions section in the new log has a file that wasn't in the old log's Other Deletions. Meaning that the new ComboFix has a more thorough database, which means it can catch and delete more bad files, folders, registry entries, etc. than the 09-10-01.01 version you were using. :)




Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 2 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Post the MalwareBytes' Log in your next post/reply.

Tanggo
2009-10-23, 06:45
BTW, thanks for patiently guiding me the last 3 days. Your instructions have been very unambiguous and easy to follow by a non-expert computer user.

1. I have just run ATF Cleaner successfully.

2. MBAM also ran successfully. There is only a very minor technicality. After the scan was complete, I was looking for a "Show Results" button, but there is no "Show Results" button to click. The results opened automatically. Other than this, everything turned out exactly like you said.

3. What do you think is going on in my computer so far? Everything seems to be working fine at present, at least from what I can see. I just wonder whether it is spying on me!

4. The MBAM log you requested is below.

Malwarebytes' Anti-Malware 1.41
Database version: 3015
Windows 5.1.2600 Service Pack 3

10/23/2009 11:16:15 AM
mbam-log-2009-10-23 (11-16-15).txt

Scan type: Quick Scan
Objects scanned: 147185
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

km2357
2009-10-23, 20:22
3. What do you think is going on in my computer so far? Everything seems to be working fine at present, at least from what I can see. I just wonder whether it is spying on me !

Looking through your ComboFix Logs, I found these files that it removed:

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI

They are related to a keylogger called Probot SE. I didn't see Probot SE in the uninstall list in the attach.txt (from DDS) that you posted earlier. Did you download this program knowingly in the past and later uninstall it before you came here for help?


I'd like for you to do a scan with Spybot (be sure to update it first) and let me know if it comes up clean or finds Virtumonde/anything else.



Step # 1: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Answers regarding Probot SE and the Spybot scan
2. The Kaspersky Log
3. A fresh DDS Log
4. How is your computer doing, any problems?

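An added example, not code from this thread, from ComboFix or from Spybot: a small Python parser for the ComboFix file-listing lines quoted above (the `<modified> . <created> <size> <attributes> <path>` format of the Find3M report), which then checks the parsed paths against the three indicator filenames named in the post above and lists files created on or after a given date. The sample listing inside the script mixes lines copied from the log earlier in this thread with two constructed lines for the indicator files; the timestamps and sizes on those two lines are made up for illustration.

```python
"""Parse ComboFix-style file listing lines and check them against a set
of indicator filenames.  Added example for this thread; not part of
ComboFix, DDS or Spybot."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One line of the ComboFix "Find3M" / "Files Created" report:
#   <modified> . <created> <size or dashes> <attributes> <path>
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>\S+) "
    r"(?P<path>.+)$"
)

# Indicator filenames taken from the post above (files ComboFix removed,
# associated there with the Probot SE keylogger).  Matched by basename,
# case-insensitively, because ComboFix does not preserve path case.
PROBOT_SE_INDICATORS = {"a3kebook.ini", "akebook.ini", "ans2000.ini"}

# Constructed sample: first three lines copied from the thread's log, the
# last two invented to show an indicator hit (dates/sizes are made up).
SAMPLE_LOG = r"""
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 09:10 . 2008-04-07 01:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-02 21:56 . 2008-12-16 13:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 12:18 . 2009-06-10 22:22 32768 ----a-w- c:\windows\system32\CleanMem.exe
2009-10-21 06:00 . 2009-10-21 06:00 1024 ----a-w- c:\windows\a3kebook.ini
2009-10-21 06:00 . 2009-10-21 06:00 2048 ----a-w- c:\windows\ANS2000.INI
"""


@dataclass
class Entry:
    modified: datetime
    created: datetime
    size: Optional[int]  # None for directories (size column is dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        """Lower-cased basename of the Windows path."""
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_combofix_lines(text: str) -> List[Entry]:
    """Return one Entry per file/directory line; banners and '.' lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            size=size,
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def find_indicators(entries: List[Entry], indicators=PROBOT_SE_INDICATORS) -> List[str]:
    """Paths of non-directory entries whose basename is in the indicator set."""
    return [e.path for e in entries if not e.is_dir and e.name in indicators]


def created_since(entries: List[Entry], since: datetime) -> List[Entry]:
    """Non-directory entries created at or after `since` (mirrors 'Created Last 30')."""
    return [e for e in entries if not e.is_dir and e.created >= since]


def report(text: str, since: str) -> Dict[str, List[str]]:
    """Parse a log excerpt and summarise indicator hits and recent creations."""
    entries = parse_combofix_lines(text)
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    return {
        "indicators": find_indicators(entries),
        "recent": [e.path for e in created_since(entries, cutoff)],
    }


if __name__ == "__main__":
    for key, paths in report(SAMPLE_LOG, "2009-10-01").items():
        print(key)
        for p in paths:
            print("   ", p)
```

The check is deliberately by basename only, the way the ComboFix deletions in the post were recognised; a real-world triage would also compare the created timestamps of any hit against the neighbouring entries to see what else appeared on the system at the same time.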
Tanggo
2009-10-24, 12:33
1. Probot SE
I have no recollection at all about this program called Probot SE. I have been thinking about this Probot SE for 3 hours, but couldn't recall anything about it. The only problem here is that I like to play and learn simple applications like jquery, php, firefox addons, etc. Probot SE could fall into this category as well. :confused:
I would say that I did not install it with 90% certainty and 10% uncertainty.

Is it possible to find out the details of installation, occurrences, uninstallation, etc. of Probot SE from the system logs?

2. I have just updated Spybot and ran it. It did not detect Virtumonde or other malware, only some cookies and other stuff it considers not so harmful.
As the Spybot report is very long, I will only relay below the critical cookies it found. I have attached the full Spybot report in spybotsdReport20091024.zip.


--- Report generated: 2009-10-24 11:33 ---

MediaPlex: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
HitBox: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
HitBox: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
HitBox: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
HitBox: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
Statcounter: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Hogan1 (default)) (Cookie, fixed)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)

Common Dialogs: History (163 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: COM+.log (Backup file, nothing done)
C:\WINDOWS\COM+.log

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log


# Note - I have truncated the rest of the long report #
# Please see the attached zip file for the complete result list. #

Tanggo
2009-10-24, 12:41
1. The Kaspersky Online Scan results are below.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 24, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 24, 2009 02:53:01
Records in database: 3053911
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 96142
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:29:01

No threats found. Scanned area is clean.

Selected area has been scanned.


=========================================================

2. The new DDS.txt is below.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Hogan1 at 17:21:30.68 on Sat 10/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.435 [GMT 8:00]

AV: avast! antivirus 4.8.1356 [VPS 091023-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Hogan1\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Hogan1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: SpywareBlock Class: {0a87e45f-537a-40b4-b812-e2544c21a09f} - c:\program files\spycatcher\SCActiveBlock.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [Uniblue Quick Access] "c:\program files\uniblue\processlibrary\qaccess.exe" /startup
uRun: [RestoreDesktop] c:\program files\restore desktop\RestoreDesktop.exe
uRun: [Google Update] "c:\documents and settings\hogan1\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
Trusted Zone: live.com\help
Trusted Zone: live.com\onecare
Trusted Zone: live.com\safety
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hogan1\applic~1\mozilla\firefox\profiles\slshlhev.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\hogan1\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-2 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-2 20560]
S3 PCAlertDriver;PCAlertDriver;\??\c:\biostools\ntglm7x.sys --> c:\biostools\NTGLM7X.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S4 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2007-1-9 20539]

=============== Created Last 30 ================

2009-10-23 11:08 <DIR> --d----- c:\docume~1\hogan1\applic~1\Malwarebytes
2009-10-23 11:07 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-23 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-23 11:07 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-23 11:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 11:24 <DIR> a-dshr-- C:\cmdcons
2009-10-22 11:22 <DIR> --d----- C:\ComboFix
2009-10-21 22:56 1,071,088 a------- c:\windows\system32\MSCOMCTL.OCX
2009-10-21 22:56 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-10-21 22:56 <DIR> --d----- c:\program files\SpywareBlaster
2009-10-21 14:15 236,544 a------- c:\windows\PEV.exe
2009-10-21 14:15 161,792 a------- c:\windows\SWREG.exe
2009-10-21 14:15 98,816 a------- c:\windows\sed.exe
2009-10-03 13:49 <DIR> --d----- c:\program files\common files\xing shared
2009-10-03 05:57 <DIR> --d----- c:\program files\JRE
2009-10-03 05:57 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-10-03 03:00 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-03 02:08 <DIR> --d----- c:\program files\Secunia
2009-09-29 15:35 13,894 a------- c:\windows\system32\dllcache\zonelibm.dll
2009-09-29 15:35 113,222 a------- c:\windows\system32\dllcache\zoneclim.dll
2009-09-29 15:35 41,029 a------- c:\windows\system32\dllcache\zcorem.dll
2009-09-29 15:35 29,760 a------- c:\windows\system32\dllcache\znetm.dll
2009-09-29 15:35 4,677 a------- c:\windows\system32\dllcache\zeeverm.dll
2009-09-29 15:33 34,890 a------- c:\windows\system32\dllcache\wlandrv2.sys
2009-09-29 15:32 24,576 a------- c:\windows\system32\dllcache\viairda.sys
2009-09-29 15:31 22,912 a------- c:\windows\system32\dllcache\umaxpcls.sys
2009-09-29 15:30 4,992 a------- c:\windows\system32\dllcache\toside.sys
2009-09-29 15:29 3,968 a------- c:\windows\system32\dllcache\swusbflt.sys
2009-09-29 15:28 37,040 a------- c:\windows\system32\dllcache\sonypi.sys
2009-09-29 15:27 11,136 a------- c:\windows\system32\dllcache\slip.sys
2009-09-29 15:26 6,784 a------- c:\windows\system32\dllcache\serscan.sys
2009-09-29 15:25 41,216 a------- c:\windows\system32\dllcache\s3mt3d.sys
2009-09-29 15:24 899,146 a------- c:\windows\system32\dllcache\r2mdkxga.sys
2009-09-29 15:23 17,792 a------- c:\windows\system32\dllcache\ppa.sys
2009-09-29 15:22 26,153 a------- c:\windows\system32\dllcache\pcmlm56.sys
2009-09-29 15:21 123,776 a------- c:\windows\system32\dllcache\nv3.dll
2009-09-29 15:20 35,392 a------- c:\windows\system32\dllcache\n9i128.dll
2009-09-29 15:19 17,280 a------- c:\windows\system32\dllcache\mraid35x.sys
2009-09-29 15:18 802,683 a------- c:\windows\system32\dllcache\ltsm.sys
2009-09-29 15:17 6,144 a------- c:\windows\system32\dllcache\kbd101b.dll
2009-09-29 15:16 26,624 a------- c:\windows\system32\dllcache\icam3ext.dll
2009-09-29 15:15 19,456 a------- c:\windows\system32\dllcache\hr1w.dll
2009-09-29 15:14 320,384 a------- c:\windows\system32\dllcache\g200m.sys
2009-09-29 15:13 137,088 a------- c:\windows\system32\dllcache\essm2e.sys
2009-09-29 15:12 50,719 a------- c:\windows\system32\dllcache\e1000nt5.sys
2009-09-29 15:11 63,208 a------- c:\windows\system32\dllcache\dc21x4.sys
2009-09-29 15:10 22,044 a------- c:\windows\system32\dllcache\cem33n5.sys
2009-09-29 15:09 1,817,687 a------- c:\windows\system32\dllcache\bckgres.dll
2009-09-29 15:08 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-09-27 20:18 32,768 a------- c:\windows\system32\CleanMem.exe
2009-09-27 20:18 <DIR> --d----- c:\windows\CleanMem
2009-09-27 20:18 <DIR> --d----- c:\program files\CleanMem

==================== Find3M ====================

2009-10-03 05:56 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-11 22:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 22:18 136,192 a------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-05 05:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-05 05:03 58,880 a------- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 16:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 16:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 17:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 17:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 23:13 2,145,280 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 22:20 2,023,936 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 22:20 2,066,048 a------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-04 22:20 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
2008-08-27 14:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 17:22:06.10 ===============





3. The ATTACH.txt is below.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-13.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/11/2006 11:54:07 AM
System Uptime: 10/22/2009 8:58:16 PM (45 hours ago)

Motherboard: MSI | | 09AC
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 1994/199mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 58.217 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DLS Synthesizer
Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Manufacturer: Microsoft
Name: Microsoft Kernel DLS Synthesizer
PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Service: DMusic

==== System Restore Points ===================

RP900: 7/24/2009 7:42:58 AM - Software Distribution Service 3.0
RP901: 7/25/2009 5:53:14 PM - System Checkpoint
RP902: 7/26/2009 11:59:44 PM - System Checkpoint
RP903: 7/28/2009 8:27:44 AM - Software Distribution Service 3.0
RP904: 7/29/2009 1:02:39 PM - System Checkpoint
RP905: 7/30/2009 7:25:01 AM - Software Distribution Service 3.0
RP906: 7/31/2009 7:40:02 AM - System Checkpoint
RP907: 7/31/2009 11:23:35 AM - Software Distribution Service 3.0
RP908: 8/1/2009 11:41:10 AM - System Checkpoint
RP909: 8/2/2009 12:23:15 PM - System Checkpoint
RP910: 8/3/2009 12:58:09 PM - System Checkpoint
RP911: 8/4/2009 12:11:02 PM - Software Distribution Service 3.0
RP912: 8/5/2009 1:00:31 PM - System Checkpoint
RP913: 8/6/2009 2:15:50 PM - System Checkpoint
RP914: 8/7/2009 3:15:55 PM - System Checkpoint
RP915: 8/7/2009 3:20:30 PM - Software Distribution Service 3.0
RP916: 8/8/2009 7:51:00 PM - System Checkpoint
RP917: 8/10/2009 9:47:13 AM - System Checkpoint
RP918: 8/11/2009 10:38:30 AM - Software Distribution Service 3.0
RP919: 8/12/2009 10:41:30 AM - System Checkpoint
RP920: 8/16/2009 7:30:26 AM - Software Distribution Service 3.0
RP921: 8/16/2009 7:47:35 AM - Installed Java(TM) 6 Update 15
RP922: 8/16/2009 7:54:02 AM - Windows Defender Checkpoint
RP923: 8/17/2009 8:47:36 AM - Software Distribution Service 3.0
RP924: 8/18/2009 12:15:02 PM - System Checkpoint
RP925: 8/18/2009 1:54:14 PM - Software Distribution Service 3.0
RP926: 8/20/2009 10:09:17 PM - System Checkpoint
RP927: 8/21/2009 7:13:45 AM - Software Distribution Service 3.0
RP928: 8/22/2009 9:07:46 AM - System Checkpoint
RP929: 8/23/2009 1:29:34 PM - System Checkpoint
RP930: 8/24/2009 11:58:51 PM - System Checkpoint
RP931: 8/25/2009 8:48:36 AM - Software Distribution Service 3.0
RP932: 8/26/2009 10:32:15 AM - System Checkpoint
RP933: 8/27/2009 3:00:19 AM - Software Distribution Service 3.0
RP934: 8/28/2009 8:53:27 AM - Software Distribution Service 3.0
RP935: 8/29/2009 11:04:34 AM - System Checkpoint
RP936: 8/30/2009 9:08:45 PM - System Checkpoint
RP937: 9/1/2009 7:22:40 AM - Software Distribution Service 3.0
RP938: 9/1/2009 8:16:37 AM - Software Distribution Service 3.0
RP939: 9/2/2009 9:43:39 AM - System Checkpoint
RP940: 9/13/2009 7:46:39 AM - Software Distribution Service 3.0
RP941: 9/14/2009 11:20:15 AM - Software Distribution Service 3.0
RP942: 9/15/2009 11:19:16 AM - Software Distribution Service 3.0
RP943: 9/16/2009 12:06:34 PM - System Checkpoint
RP944: 9/17/2009 3:20:25 PM - System Checkpoint
RP945: 9/18/2009 11:05:09 AM - Software Distribution Service 3.0
RP946: 9/19/2009 2:50:04 PM - System Checkpoint
RP947: 9/21/2009 12:34:09 AM - System Checkpoint
RP948: 9/22/2009 12:36:01 AM - Software Distribution Service 3.0
RP949: 9/23/2009 5:18:18 PM - System Checkpoint
RP950: 9/24/2009 5:29:30 PM - System Checkpoint
RP951: 9/25/2009 8:34:50 AM - Software Distribution Service 3.0
RP952: 9/26/2009 11:06:01 AM - Software Distribution Service 3.0
RP953: 9/27/2009 12:48:47 PM - System Checkpoint
RP954: 9/28/2009 1:28:14 PM - System Checkpoint
RP955: 9/29/2009 11:22:55 AM - Software Distribution Service 3.0
RP956: 9/29/2009 1:45:09 PM - Removed Opera 10.00
RP957: 9/29/2009 1:46:55 PM - Installed Opera 10.00.
RP958: 9/30/2009 2:59:59 PM - Software Distribution Service 3.0
RP959: 9/30/2009 9:58:24 PM - restorePoint20090930
RP960: 10/1/2009 9:59:13 PM - System Checkpoint
RP961: 10/3/2009 2:34:08 AM - System Checkpoint
RP962: 10/3/2009 3:00:24 AM - Software Distribution Service 3.0
RP963: 10/3/2009 5:41:36 AM - Removed OpenOffice.org 2.1
RP964: 10/3/2009 5:55:50 AM - Removed Java(TM) 6 Update 11
RP965: 10/3/2009 5:56:25 AM - Installed Java(TM) 6 Update 16
RP966: 10/3/2009 5:57:12 AM - Installed OpenOffice.org 3.1
RP967: 10/3/2009 6:33:00 AM - Installed Retrospect 6.5
RP968: 10/3/2009 2:09:29 PM - Removed Java(TM) 6 Update 3
RP969: 10/3/2009 2:10:15 PM - Removed Java(TM) 6 Update 5
RP970: 10/3/2009 2:10:48 PM - Removed Java(TM) 6 Update 7
RP971: 10/18/2009 8:23:08 AM - Software Distribution Service 3.0
RP972: 10/18/2009 10:57:18 AM - Software Distribution Service 3.0
RP973: 10/19/2009 11:19:06 AM - System Checkpoint
RP974: 10/19/2009 9:51:46 PM - Software Distribution Service 3.0
RP975: 10/21/2009 8:37:39 AM - System Checkpoint

==== Installed Programs ======================

7-Zip 4.64
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apache HTTP Server 2.2.4
Apple Software Update
Athlon 64 Processor Driver
ATI Control Panel
ATI Display Driver
avast! Antivirus
Broadcom Management Programs
CamStudio
Canon MP Navigator 3.0
Canon MP160
CleanMem
Critical Update for Windows Media Player 11 (KB959772)
EasyCleaner
ERUNT 1.1j
FastSum 1.5 Standard Edition and FastSum 1.9 Command-Line Editi
FileZilla Client 3.2.7.1
Free Download Manager 2.0
Google Chrome
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Help and Support
HP Safety and Comfort Guide
ImageMagick 6.5.1-8 Q16 (2009-05-01)
InterVideo WinDVD
Java(TM) 6 Update 16
LightScribe 1.4.84.1
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.5.3)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MySQL Server 5.0
OpenOffice.org 3.1
Opera 10.00
QuickTime
RealPlayer
Restore Desktop (remove only)
Retrospect 6.5
Roxio Easy Media Creator 7 Basic Edition
Ruby-186-26
Secunia PSI
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Serif PhotoPlus 6.0
Software Setup
Spybot - Search & Destroy
SpywareBlaster 4.2
Sumatra PDF reader
Uniblue Quick Access
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

10/23/2009 10:45:31 AM, error: Print [6161] - The document Untitled - Notepad owned by Hogan1 failed to print on printer Canon MP160 Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 6308. Number of bytes printed: 3492. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\HP29702232471. Win32 error code returned by the print processor: 13 (0xd).
10/21/2009 2:30:20 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
10/21/2009 2:20:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/21/2009 2:16:57 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/19/2009 9:51:46 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service IISADMIN with arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}
10/19/2009 7:28:47 PM, error: ati2mtag [45062] - CRT invalid display type

==== End Of File ===========================

Tanggo
2009-10-24, 13:02
My computer is running very well, thanks to you. I have a few queries on which I hope you can enlighten me.

1. I have seen some fragments of AVG and Lightscribe details in some of the reports that we have generated. These programs have been uninstalled long ago. I have also used (only very rarely, and without problems) a registry cleaner called Easy Cleaner to clean up things a bit. What should I do about these fragments of AVG, Lightscribe and possibly many others that I am not aware of?

2. Can the system logs reveal more information about Probot SE installations, occurrences, uninstallation, etc., and how do I go about finding it?

km2357
2009-10-24, 19:06
Both the Kaspersky and DDS Logs look good. :)


> 1. Probot SE
> I have no recollection at all about this program called Probot SE. I have been thinking about this Probot SE for 3 hours, but couldn't recall anything about it. The only problem here is that I like to play and learn simple applications like jquery, php, firefox addons, etc. Probot SE could fall into this category as well.
> I would say that I did not install it with 90% certainty and 10% uncertainty.
>
> Is it possible to find out the details of installation, occurrences, uninstallation, etc. of Probot SE from the system logs?

Does anyone else use the computer besides you? It's possible that they could have installed/uninstalled it without your knowledge. It is also possible that Probot could have been bundled with something else you downloaded/installed. Since Probot is a keylogger and you are more certain than uncertain that you didn't install it, as a precaution I would go ahead and change your passwords on the computer.

The only signs of Probot I saw on your computer were from the files that ComboFix deleted. You can try searching your computer for any folders that are named "Probot" or "Probot SE".

Let's also do a registry search for any instances of Probot:

Run Registry Search by Bobbi Flekman

Download Bobbi Flekman's RegSearch from
http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

probot

On the next line type probot se

then hit Ok

After completion Notepad will be opened with all the found instances of the strings. The resulting file is saved in the same location as RegSearch.exe.
Post the results of RegSearch.txt.



> I have seen some fragments of AVG and Lightscribe details in some of the reports that we have generated. These programs have been uninstalled long ago. I have also used (only very rarely, and without problems) a registry cleaner called Easy Cleaner to clean up things a bit. What should I do about these fragments of AVG, Lightscribe and possibly many others that I am not aware of?

I looked through your most recent attach.txt and saw this:

LightScribe 1.4.84.1

If you don't need/use LightScribe anymore, go to Add/Remove Programs and uninstall it, making sure to reboot your computer afterwards.

As for AVG, ComboFix got rid of some of its orphaned registry entries; there are a few more we can get rid of now:

Step # 1: Download and run ERUNT

You will be downloading ERUNT, a registry backup tool.
For version with the Installer (http://aumha.org/downloads/erunt-setup.exe):
Use the setup program to install ERUNT on your computer
For the zipped version (http://aumha.org/downloads/erunt.zip):
Unzip all the files into a folder of your choice.

Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Open Notepad!
Copy and Paste everything from the Quote box into Notepad:


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.

Finally, for Easy Cleaner, my suggestion is this:

Registry Cleaners

Re. Easy Cleaner

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners:


> Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html

I recommend that you uninstall Easy Cleaner from your computer.

In your next post/reply, I need to see the following:

1. Did you find any probot or probot se folders?
2. Post the contents of RegSearch.txt

Tanggo
2009-10-25, 09:34
> Does anyone else use the computer besides you?
We are a very small family. It's only the very rare mischievous friend or visitor that could pose a worry. I have a new password now. :)


> The only signs of Probot I saw on your computer were from the files that ComboFix deleted. You can try searching your computer for any folders that are named "Probot" or "Probot SE"
I have searched all files and folders for -
- *probot* ( None was found )
- *a*k3book* ( 2 are in ComboFix quarantine )
- *ans2000* ( 1 is in ComboFix quarantine )
- *lightscribe* ( None was found )

Registry Search by Bobbi Flekman
The RegSearch.txt for Probot and Probot SE is below.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 10/25/2009 1:17:35 PM for strings:
; 'probot'
; 'probot se'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_USERS\S-1-5-21-755137727-2013218922-164856062-1005\Software\Microsoft\Search Assistant\ACMru\5603]
"002"="*probot*"

; End Of The Log...


> I looked through your most recent attach.txt and saw this:
>
> LightScribe 1.4.84.1
>
> If you don't need/use LightScribe anymore, go to Add/Remove Programs and uninstall it, making sure to reboot your computer afterwards.

This Lightscribe is another pesky remnant. It does not appear at all in Add/Remove Programs nor in a search for files/folders.

I ran the RegSearch of Bobbi Flekman for "Lightscribe". Surprisingly, the search result is quite long. Perhaps the word "lightscribe" is also used in other ways. The RegSearch.txt is quite long (112 kB) with many long numbers. Rather than annoying you and others, I have attached RegSearchLightscribe.zip.

ERUNT and REGEDIT4
I have just run ERUNT and REGEDIT4, taking note of 'no empty space', 'one empty line', and reboot.

Easy Cleaner - Registry Cleaner
Yeah, I have seen many pros and cons about this topic. It's something like the chicken and egg: which comes first. Since this is coming from you first-hand, unlike just reading about it somewhere, I will gladly uninstall Easy Cleaner.

Other Queries
1. In what way is ERUNT better than the Windows inbuilt registry backup?

2. In the Attach.txt, there are many security updates for IE7. I no longer use IE7 but I can STILL see it in files and folders, after upgrading to IE8. I understand you might not be a MS employee with privileged information. Can these IE7 security updates be removed?

km2357
2009-10-25, 21:42
> [HKEY_USERS\S-1-5-21-755137727-2013218922-164856062-1005\Software\Microsoft\Search Assistant\ACMru\5603]
> "002"="*probot*"

All that registry value is showing is that you recently searched for "probot" within Windows. So, it's nothing to worry about. :)


> 1. In what way is ERUNT better than the Windows inbuilt registry backup?

Not too much of a difference between the two. ERUNT backs up your registry automatically when you run it, so you don't have to worry about using regedit and messing up the backup process manually. It's an ease of use thing. :)


> In the Attach.txt, there are many security updates for IE7. I no longer use IE7 but I can STILL see it in files and folders, after upgrading to IE8. I understand you might not be a MS employee with privileged information. Can these IE7 security updates be removed?

There shouldn't be any harm in removing them, but I would keep them on your computer, just in case. Something may happen to IE 8 and you'll have to roll back to IE 7, and if that happens, you want those IE7 security updates there.


Below is a big regfix to help clear out the LightScribe junk on your computer. Be sure to back up your registry with ERUNT first, before running the regfix:


Step # 1: Run a Regfix


Open Notepad!
Copy and Paste everything from the Quote box into Notepad:


REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\3105F253CD70D644D86B833F9380C606]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3105F253CD70D644D86B833F9380C606]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3105F253CD70D644D86B833F9380C606\SourceList\Net]
[-HKEY_LOCAL_MACHINE\SOFTWARE\LightScribe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Common Files\\LightScribe\\res\\"=-
"C:\\Program Files\\Common Files\\LightScribe\\"=-
"C:\\Program Files\\Common Files\\LightScribe\\Content\\"=-
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\LightScribe Direct Disc Labeling\\"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\05284D7060C9594478999421E4CE5DDE]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\06FD517F5DA336E4592DC562D5207AF2]
"00000000000000000000000000000000"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFD34DD011FD24409CE1CFC18349CA2]
"00000000000000000000000000000000"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FEFA84100325094EBDEE207A74F0F4A]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\14AD1805088519349872E0C7723D23CC]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\170EE4A9945C6A545A7CE66104D3CD0F]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1E257D9C979EBCB47814F8A86C249648]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\24138D77FDBB0C44CB8502F2AFD613F1]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\362B05EF3375BBB459D65B77695419B2]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3F7CA3C6417B51E45957A18134DCB9C1]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\404200868E481DE42AFD938608663874]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\42E54FE87DD886D48AFEFF1E53FFB565]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\43730CFA61AC2784DBDD33ED21CB2E87]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4CE97DA0DBB28B8498B2534E6416B0B0]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F837488459B65428CA0E6B011B5B67]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\57027235CE244BD4691769E851B7C281]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5AEB4204EC468EC4DBBD6FB618334623]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E323DCF751AAA42B0AC586E16FF657]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6D23F60BF68E69140975CAD89B7E0C08]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\766433EAA5AA2DA4C972A81A42786F5F]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\76BF73BCBDBD7D34DA1425A9343A85DB]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7889046A95AE3704395D03DC920D5EB2]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DDD8D078AC88554ABADBB47DBC50047]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\82712AEF41C19EA468C4658880465EA2]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\82F7046585ED4714496768BDD765E0A8]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\83E3B1967563EC741AFD031096D4D9EF]
"00000000000000000000000000000000"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8C9AE8FA6E46B9045AAB35ABEC2AAF90]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9027E90356F31D84FBAE9644FD04DB44]
"00000000000000000000000000000000"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9379DF39318A1E04B91FF4DE302AE129]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\973460BE848CDE948B8B203A8DF37BAE]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9EECC5F79AF8BE040A4A47D6E35DC9BD]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B21810DA3F6261B47A26207BA92FE042]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B468DCDCBCB0021449D20BB527D3781A]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B680681B47DA72847B394A5360B3F33F]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6DF91935865D6644A5E266B40D27D90]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6FC1D253DDEA4B49A1C4BF218154008]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CDD56F591665FD745A9BD5A7F5112C91]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D3508C66927AFBD43AC3CB0465B6F846]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D88D87D89D92B4140B83ACAB98FB2794]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E7DD2C96B11279D43977EDA3A3CA166F]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EFE74C78F0C3F38458EFB7DA57796E06]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F424B5D657452DB4ABE52A27CD95816E]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F77F75764B49EFD42A7B7583A52570B3]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F962BA67C155981468798E7410AADA76]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F9A96258B7D047C4C8EDE9937D1E788A]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB3FF101A61375B4AAF7D8F92574793C]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FEFBF195AFD6BAA4FBEEDD7E63B1010F]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3105F253CD70D644D86B833F9380C606\Features]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3105F253CD70D644D86B833F9380C606\InstallProperties]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3105F253CD70D644D86B833F9380C606\Usage]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{352F5013-07DC-446D-8DB6-38F339086C60}]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LIGHTSCRIBESERVICE]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\LightScribeService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LightScribeService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LIGHTSCRIBESERVICE]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\LightScribeService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\LightScribeService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\LightScribeService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LightScribeService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LIGHTSCRIBESERVICE]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\LightScribeService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LightScribeService]
[-HKEY_USERS\S-1-5-21-755137727-2013218922-164856062-1005\Software\Microsoft\Search Assistant\ACMru\5603]




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Go to File > Save As
Save File name as Fix1.reg
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click Fix1.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.
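The two layout rules above (nothing before REGEDIT4, exactly one blank line at the end) are easy to get wrong in Notepad, and a registry fix this long is worth reviewing before it is merged. The following is an added helper, not part of the thread or of any tool mentioned in it: it lints a REGEDIT4-style deletion fix for those two rules and lists which keys and values the file would remove. It runs on a constructed sample file; the key paths and the value name in the sample are placeholders, not entries from this thread.

```python
"""Lint a REGEDIT4-style .reg deletion fix before merging it (added example)."""
import re
from dataclasses import dataclass, field

KEY_LINE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)\\(.*)\]$")   # [key] or [-key]
DELETE_VALUE_LINE = re.compile(r'^"([^"]*)"=-$')            # "name"=-
KNOWN_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
               "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}

# Constructed sample fix (placeholder paths, not the thread's own file):
# one value deletion inside a key, then one whole-key deletion, then the
# single trailing blank line the thread asks for.
SAMPLE_FIX = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Components\\ABC123]\n"
    "\"EXAMPLE_PRODUCT_CODE\"=-\n"
    "[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleService]\n"
    "\n"
)


@dataclass
class FixSummary:
    problems: list = field(default_factory=list)
    deleted_keys: list = field(default_factory=list)
    deleted_values: dict = field(default_factory=dict)   # key -> [value names]

    @property
    def ok(self) -> bool:
        return not self.problems


def lint_regfix(text: str) -> FixSummary:
    """Check header/trailer layout and summarise what the fix deletes."""
    s = FixSummary()
    lines = text.split("\n")
    # Rule 1: the very first line must be the REGEDIT4 header, nothing before it.
    if not lines or lines[0].rstrip("\r") != "REGEDIT4":
        s.problems.append("first line is not REGEDIT4 (blank lines or text before the header)")
    # Rule 2: exactly one blank line at the end of the file.
    if not text.endswith("\n\n"):
        s.problems.append("file does not end with one blank line")
    elif text.endswith("\n\n\n"):
        s.problems.append("more than one blank line at end of file")
    current_key = None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        m = KEY_LINE.match(line)
        if m:
            minus, hive, path = m.groups()
            if hive not in KNOWN_HIVES:
                s.problems.append(f"line {n}: unknown hive {hive}")
            full = f"{hive}\\{path}"
            if minus:
                s.deleted_keys.append(full)
                current_key = None   # value lines after a [-key] line make no sense
            else:
                current_key = full
            continue
        m = DELETE_VALUE_LINE.match(line)
        if m:
            if current_key is None:
                s.problems.append(f"line {n}: value deletion outside a [key] section")
            else:
                s.deleted_values.setdefault(current_key, []).append(m.group(1))
            continue
        # Anything else (data assignments, stray text) is not a deletion and is flagged.
        s.problems.append(f"line {n}: unrecognised line {line!r}")
    return s


if __name__ == "__main__":
    summary = lint_regfix(SAMPLE_FIX)
    print("layout OK" if summary.ok else "\n".join(summary.problems))
    for key in summary.deleted_keys:
        print("delete key:  ", key)
    for key, names in summary.deleted_values.items():
        print("delete values", names, "under", key)
```

Paste a real fix into `SAMPLE_FIX` (or read it from the saved .reg file) to check it; a fix that passes with an empty problem list is laid out the way the instructions require, and the printed key and value list is what you should compare against the RegSearch results before rebooting.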

Tanggo
2009-10-26, 10:27
Thanks for answering all my queries and preparing the REGEDIT4 entries to fix the registry. It has fixed many things. I appreciate the time you spent on the voluminous entries. I have done a new RegSearch for "lightscribe" (see attachment if you think it's important). If you agree with my entries below for another REGEDIT4, then I will run it.


REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6DF91935865D6644A5E266B40D27D90]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6DF91935865D6644A5E266B40D27D90]
"3105F253CD70D644D86B833F9380C606"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B468DCDCBCB0021449D20BB527D3781A]
"00000000000000000000000000000000"=-
"3105F253CD70D644D86B833F9380C606"=-

Right now the computer is running very well, no problems at all.:)
You have done a great job and guided me through the process in a very competent and professional yet friendly way.

km2357
2009-10-26, 19:21
Your proposed entries for the new regedit4/regfix look good; I see no problems with them.

Make sure you run ERUNT first and when making the regfix, be sure that there are NO blank lines before REGEDIT4
and make sure there IS one blank line at the end of the file.

Go to File > Save As
Save File name as Fix2.reg
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click Fix2.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.


Since there are no more problems, you are good to go. :)

You can reenable Teatimer.

You can delete the following off of your computer:

DDS.scr
The DDS Logs
GMER.zip
GMER.exe
The GMER Log
Regsearch.zip
The C:\Regsearch folder
All the regfixes you created (fix.reg, fix1.reg and fix2.reg (after you've run it))

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.



Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure
This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary uncheck Hide file extensions for known file types.
Click OK

Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button on the task bar at the bottom of your screen. Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. On the dropdown box, change the setting from Automatic to Manual. Click OK.
Use an alternative instant messenger program. Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
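The hosts-file advice in the post above cuts both ways: the MVPS file blocks ad and malware names by pointing them at 0.0.0.0 or 127.0.0.1, but the same file is a classic target for hijackers, who add entries that point legitimate names somewhere else. The following is an added example, not part of the thread, the MVPS file or any tool it mentions: it parses a hosts file and separates blocking entries from redirects and malformed lines, which is a quick sanity check to run after a cleanup. It runs on a constructed sample file with example domains and documentation addresses; the names and addresses are placeholders.

```python
"""Audit a Windows hosts file: blocking entries versus redirects (added example)."""
import ipaddress

# Addresses that only ever block: the name resolves to nowhere useful.
BLOCK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Loopback mappings that belong in every hosts file and are not "blocks".
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file (placeholder names, not a real file):
# a comment, the normal localhost line, two blocking lines, one redirect to a
# non-blocking address and one malformed line.
SAMPLE_HOSTS = """\
# constructed sample hosts file for the audit below
127.0.0.1       localhost
0.0.0.0         ads.example.net            # blocking entry
127.0.0.1       tracker.example.org
203.0.113.9     update.example.com         # not a blocking address: a redirect
this-is-not-an-ip   something.example
"""


def parse_hosts(text):
    """Yield (line_no, first_field, remaining_fields) for each non-comment line."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding spaces
        if not line:
            continue
        fields = line.split()
        yield n, fields[0], fields[1:]


def audit_hosts(text):
    """Classify every mapping as blocked, redirect, or malformed."""
    report = {"blocked": [], "redirects": [], "malformed": []}
    for n, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["malformed"].append((n, addr))   # first field is not an address
            continue
        if not names:
            report["malformed"].append((n, addr))   # address with no host names
            continue
        for name in names:
            name = name.lower()
            if name in LOCAL_NAMES and ip.is_loopback:
                continue                            # ordinary localhost line
            bucket = "blocked" if str(ip) in BLOCK_ADDRESSES else "redirects"
            report[bucket].append((n, name, str(ip)))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} blocking entries")
    for line_no, name, ip in result["redirects"]:
        print(f"line {line_no}: {name} -> {ip}  REVIEW: not a blocking address")
    for line_no, field in result["malformed"]:
        print(f"line {line_no}: malformed entry {field!r}")
```

On a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` into `audit_hosts` instead of the sample. With a clean MVPS-style file the redirect list should be empty; any name in that list is being sent to an address the file's author did not choose, and it is worth checking who added it before trusting the machine.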

Tanggo
2009-10-27, 07:51
@km2357,

1. Through your close guidance I have cleansed my computer and got familiarized with quite a few new tools I would not have tried on my own. Sure, many know about them but few know how to use them without guidance. Your contribution to me in particular and the community in general is like one of the refreshing daffodils among the weeds.

2. :thanks: and :thanks: again.

3. God helps those who help themselves, God loves those who help others.

Best regards,

Tanggo

km2357
2009-10-27, 19:05
You're welcome. I'm glad I was able to help you out. :)

Good luck and safe surfing!