Malware/Browser Hijack
Windows XP SP 3
Clicks on Google searches get redirected to other search sites and the Spybot executable doesn't run unless I rename it - even in safe mode. I have AVG Free installed but the control panel won't let me uninstall it. I'm guessing that something is killing the uninstall process just like when SpyBot is started.
I have run several AVG and Spybot scans as well as Malwarebytes Anti-Malware and removed some of the worst offenders.
Thanks for your help.
DDS Log:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by J at 11:45:18.26 on Tue 03/22/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.473 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\J\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CE0C2586-DA36-452B-ACDB-320D9BCB19BF} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224210243328
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\j\applic~1\mozilla\firefox\profiles\645nbkj0.default\
FF - component: c:\documents and settings\j\application data\mozilla\firefox\profiles\645nbkj0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\j\application data\mozilla\firefox\profiles\645nbkj0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\free ride games\npExentCtl.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\mozilla firefox\extensions\npmozax31@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\mozilla firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6} - c:\documents and settings\joanne\local settings\application data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 X4HS32Ex;X4HS32Ex;c:\program files\free ride games\X4HS32Ex.sys [2010-3-15 53280]
R2 X4HSEx;X4HSEx;c:\program files\free ride games\X4HSEx.sys [2010-4-16 56352]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\google\update\GoogleUpdate.exe [2009-4-5 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe" "c:\program files\seekeensrch\seekeen.dll" service --> c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe [?]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2010-08-10 02:17:50 464 ----a-w- c:\program files\0809201021175065.bat
2010-04-15 02:20:24 458 ----a-w- c:\program files\0414201021202447.bat
2010-04-15 02:19:27 453 ----a-w- c:\program files\0414201021192699.bat
2010-04-03 20:36:04 469 ----a-w- c:\program files\0403201015360422.bat
2010-03-18 12:42:55 455 ----a-w- c:\program files\031820107425510.bat
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8670CEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8462f872; SUB DWORD [EBP-0x4], 0x8462f12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86789AB8]
3 CLASSPNP[0xF7652FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x867DF350]
[0x85DC9F38] -> IRP_MJ_CREATE -> 0x8670CEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskARRAY1.0.00__#4&295c5a3a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x8670CAEA
user & kernel MBR OK
sectors 312494078 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:46:55.76 ===============
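As a defender-side triage aid (an added example, not code from DDS, from this thread or from the helper), the script below runs over a few lines excerpted from the DDS log above and flags the entries a malware-removal helper reads first: browser objects whose file is gone ("No File"), a service whose image lives under a user-writable profile path or whose file DDS could not read ("[?]"), the unknown module in the disk driver stack, the MBR "user != kernel" sector mismatch, and the tool's own rootkit warning. The category names, the service-line regex and the user-writable path list are this example's own assumptions, not DDS conventions.

```python
import re

# Constructed sample: lines excerpted from the DDS log posted in this thread.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - No File
TB: {CE0C2586-DA36-452B-ACDB-320D9BCB19BF} - No File
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe" "c:\program files\seekeensrch\seekeen.dll" service --> c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe [?]
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8670CEC5]<<
user & kernel MBR OK
sectors 312494078 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""

# DDS service/driver lines look like "R2 name;display name;image path [date size]".
# This regex is an assumption of this example, derived from the posted log.
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")

# Path fragments a service image normally has no business living under
# (hypothetical list for this example; extend it for your own environment).
USER_WRITABLE = ("\\application data\\", "\\documents and settings\\", "\\temp\\")


def triage_dds(text):
    """Return a list of (category, line) findings for the lines a helper
    looks at first. Category names are this example's own."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Browser helper objects / toolbars whose DLL no longer exists:
        # leftovers of a removed or self-deleting component.
        if line.startswith(("BHO:", "TB:")) and line.endswith("No File"):
            findings.append(("orphaned_browser_object", line))
        m = SERVICE_RE.match(line)
        if m:
            image = m.group("image").lower()
            if any(p in image for p in USER_WRITABLE):
                findings.append(("service_in_user_writable_path", line))
            # DDS printed "[?]" instead of a date/size: it could not read the file.
            if image.endswith("[?]"):
                findings.append(("service_file_not_readable", line))
        # Disk I/O path passes through code that belongs to no known module.
        if ">>UNKNOWN" in line:
            findings.append(("unknown_module_in_disk_stack", line))
        # The MBR/sectors read from user mode differ from the kernel's view:
        # classic symptom of a filtering bootkit.
        if "user != kernel" in line:
            findings.append(("mbr_user_kernel_mismatch", line))
        if line.startswith("Warning:"):
            findings.append(("tool_warning", line))
    return findings


def summarize(findings):
    """Count findings per category so a reader sees the shape of the problem."""
    counts = {}
    for cat, _ in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for cat, line in results:
        print(f"[{cat}] {line[:100]}")
    print(summarize(results))
```

The point of the path heuristic is that the benign AVG service line on the sample passes cleanly while the S4 Seekeen entry is flagged twice (profile path and unreadable file), which is exactly the contrast a helper draws when reading such a log; the two MBR-related categories are the ones that matter most here, since a user/kernel sector mismatch cannot be explained by a stale BHO.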
Blottedisk
2011-03-23, 02:50
Hi iamsam,
Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.
Please follow these steps in order:
Step 1 | Please download GMER from one of the following locations and save it to your desktop:
Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
--------------------------------------------------------------------
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:
IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)
http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif )
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).
Step 2 | This next program is needed to remove the main infection in your system. However...AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the remaining infection.
After uninstalling AVG from the Control Panel, also run the AVG remover from their site.
http://www.avg.com/us-en/download-tools
direct link to the AVG Remover:
http://download.avg.com/filedir/util..._2011_1149.exe
You may also use this tool to uninstall AVG:
http://www.appremover.com/appremover/avg/AppRemover.exe
Instructions:
http://www.appremover.com/about/using-appremover.html
After uninstalling AVG, download Combofix from any of the links below, rename it to and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe )
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe )
--------------------------------------------------------------------
Double-click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
GMER:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-22 20:20:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 Intel___ rev.1.0.
Running: qxmkmllz.exe; Driver: C:\DOCUME~1\J\LOCALS~1\Temp\ugtdypog.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF76D46C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF76D4770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF76D4810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF76D48B0]
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7BDA814]
init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xEDE00F80]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Fastfat \Fat AD0AFD20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskARRAY1.0.00__#4&295c5a3a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\InprocServer32@ C:\Program Files\Common Files\System\ado\msado15.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\ProgID@ ADODB.Connection.2.8
Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\VersionIndependentProgID@ ADODB.Connection
Reg HKLM\SOFTWARE\Classes\CLSID\{2B84ADD1-0082-CC00-40DE-0ED6DEEFC743}\InProcServer32@ C:\WINDOWS\system32\oleacc.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2B84ADD1-0082-CC00-40DE-0ED6DEEFC743}\InProcServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{2C964540-F22E-5AC5-FABA-65B44C88E125}\xmlparse@classid 4107.11647.12889
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\AuxUserType\2
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\AuxUserType\2@ Media Clip
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\DefaultSet
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\DefaultSet@ MPlayer
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\0
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\0@ Embed Source,1,8,1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\1@ 3,1,32,1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\2
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\2@ 8,1,1,1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DefaultIcon@ mplay32.exe,1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\Insertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer@ mplay32.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer32@ mplay32.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\ProgID@ MPlayer
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\0
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\0@ &Play,0,3
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\1@ &Edit,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\2
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\2@ &Open,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{44C77CC3-DCA2-276F-7380-2B53C8A40B8A}\InprocServer32@ C:\Program Files\Roxio\Roxio MyDVD DE\VideoCore 9\sonicmcdsdv.ax
Reg HKLM\SOFTWARE\Classes\CLSID\{44C77CC3-DCA2-276F-7380-2B53C8A40B8A}\InprocServer32@InprocServer32 J$Dqm!w@u8}RxYo+r2zyDVDBuilder>1C!E9NrB.9iy@yTjW`Fo?
Reg HKLM\SOFTWARE\Classes\CLSID\{44C77CC3-DCA2-276F-7380-2B53C8A40B8A}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\InprocServer32@ c:\Program Files\RealArcade\RAComponents.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\InprocServer32@ThreadingModel both
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\ProgID@ RAComponents.RALocalizedString.1
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\TypeLib@ {C9BCE66F-FB3A-4985-9A96-DEDED07CF78D}
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\VersionIndependentProgID@ RAComponents.RALocalizedString
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InProcServer32@ shell32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\shellex\ExtShellFolderViews
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\shellex\ExtShellFolderViews\{5984FFE0-28D4-11CF-AE66-08002B2E1262}
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\shellex\ExtShellFolderViews\{5984FFE0-28D4-11CF-AE66-08002B2E1262}@PersistMoniker file://%userappdata%\Microsoft\Internet Explorer\Desktop.htt
Reg HKLM\SOFTWARE\Classes\CLSID\{64F11DA5-EE83-95FF-0379-7EBCB11ECFC6}\InprocServer@ avifile.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{64F11DA5-EE83-95FF-0379-7EBCB11ECFC6}\InprocServer32@ avifil32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{64F11DA5-EE83-95FF-0379-7EBCB11ECFC6}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\LocalServer32@ C:\PROGRA~1\Roxio\ROXIOM~1\INSTAL~1\Driver\1050\INTEL3~1\IDriverT.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\ProgID@ IDriverT.RotService.1
Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\TypeLib@ {7EC41441-2247-4DEC-BBFB-9E798627A17B}
Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\VersionIndependentProgID@ IDriverT.RotService
Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer@ ole2disp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer32@ oleaut32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer32@InprocServer32 J$Dqm!w@u8}RxYo+r2zyMandatory>M5KDYSUnf(HA*L[xeX)y?
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\InprocServer32@ C:\Program Files\Roxio\Roxio MyDVD DE\VideoCore 9\RMFMediaObjects.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\ProgID@ RMFMediaObjects3.VCGFrameGrabber9.1
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\TypeLib@ {E5DAF394-09A5-4879-ABC0-2A3E92A7CBF1}
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\VersionIndependentProgID@ RMFMediaObjects3.VCGFrameGrabber9
Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\InprocServer32@ C:\PROGRA~1\NETMEE~1\rrcm.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\ProgID@ RTP.RTP.1
Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\VersionIndependentProgID@ RTP.RTP
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{60A8075E-1422-B512-3767-A488F5C2A32C}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{611BF4E5-A0AA-3ADF-9B9D-5298A6A5BD05}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{622E5117-EFA1-1C70-66E1-1FF740D253FB}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{63FB4621-00E3-3127-D4B3-0F2BDEF38813}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{64A91B17-A059-F980-B4B6-C094CFB288BA}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{654F2EB9-27D5-A54B-DB01-EBBA951840A3}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{663078EC-1F0E-600E-01CD-912DD4FE5BB0}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{6751DF04-A4C0-B296-90E9-2FAE8C85E97E}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{6974B180-0477-EABB-461E-0D5F20BA0F51}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@RuntimeVersion v2.0.50727
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@Assembly AspNetMMCExt, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@Class Microsoft.Aspnet.Snapin.AspNetManagementUtility
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@ mscoree.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0@RuntimeVersion v2.0.50727
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0@Assembly AspNetMMCExt, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0@Class Microsoft.Aspnet.Snapin.AspNetManagementUtility
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\ProgId@ Microsoft.Aspnet.Snapin.AspNetManagementUtility.2
Reg HKLM\SOFTWARE\Classes\CLSID\{B8F88168-4D43-0124-45EC-B04D34317605}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{B8F88168-4D43-0124-45EC-B04D34317605}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{B8F88168-4D43-0124-45EC-B04D34317605}\ProgID@ ScriptletHandler.ASP
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.aif
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.aifc
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.aiff
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.mov
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.qt
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.ra
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.ram
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.rm
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.rmm
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\audio/aiff
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\audio/x-aiff
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\audio/x-pn-realaudio
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\video/quicktime
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\InprocServer32@ C:\WINDOWS\system32\Msdxm6.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\MiscStatus\1@ 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\ProgID@ AMOVIE.ActiveMovieControl.2
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\ToolboxBitmap32@ C:\WINDOWS\system32\Msdxm6.ocx, 1
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\TypeLib@ {05589fa0-c356-11ce-bf01-00aa0055595a}
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\Version@ 2.0
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\VersionIndependentProgID@ AMOVIE.ActiveMovieControl
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@ mscoree.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@Class RecordingObjects.RecordingCompletedEventLogEntry
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@Assembly ehRecObj, Version=6.0.3000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@CodeBase file:///C:/WINDOWS/eHome/ehRecObj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@Class RecordingObjects.RecordingCompletedEventLogEntry
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@Assembly ehRecObj, Version=6.0.3000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@CodeBase file:///C:/WINDOWS/eHome/ehRecObj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\ProgId@ RecordingObjects.RecordingCompletedEventLogEntry
Reg HKLM\SOFTWARE\Classes\CLSID\{EFAF8B52-112F-89D1-B35D-4F17650DEAB6}\InprocServer32@ C:\WINDOWS\system32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EFAF8B52-112F-89D1-B35D-4F17650DEAB6}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{320092EB-E50F-57BE-A0AB-CE07175496A7}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{335E72A0-8BF3-7B9C-F3C0-EA43C7629793}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{349CF325-DE89-0627-FF71-904851A913A1}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{3594C6AD-F011-9DE5-00DC-0E434A40BD32}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{36640083-5D89-0425-38C0-110541F1BC9A}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{376B75CA-E248-5974-5D50-0545151BBFC4}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\InprocServer32@ C:\WINDOWS\system32\wmpsrcwp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\InprocServer32@ThreadingModel Both
---- Files - GMER 1.0.15 ----
ADS C:\Program Files\Retro64 Games\mystery_stories:_berlin_nights.exe 70049792 bytes executable
ADS C:\Program Files\Retro64 Games\mystery_stories:_berlin_nights.exe 0 bytes executable
ADS C:\Program Files\Retro64 Games\mystery_stories:_berlin_nights.exe 0 bytes executable
File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Combofix:
ComboFix 11-03-22.04 - J 03/22/2011 20:46:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.697 [GMT -5:00]
Running from: c:\documents and settings\J\My Documents\Downloads\jComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\J\Application Data\PriceGong
c:\documents and settings\J\Application Data\PriceGong\Data\1.xml
c:\documents and settings\J\Application Data\PriceGong\Data\a.xml
c:\documents and settings\J\Application Data\PriceGong\Data\b.xml
c:\documents and settings\J\Application Data\PriceGong\Data\c.xml
c:\documents and settings\J\Application Data\PriceGong\Data\d.xml
c:\documents and settings\J\Application Data\PriceGong\Data\e.xml
c:\documents and settings\J\Application Data\PriceGong\Data\f.xml
c:\documents and settings\J\Application Data\PriceGong\Data\g.xml
c:\documents and settings\J\Application Data\PriceGong\Data\h.xml
c:\documents and settings\J\Application Data\PriceGong\Data\i.xml
c:\documents and settings\J\Application Data\PriceGong\Data\J.xml
c:\documents and settings\J\Application Data\PriceGong\Data\k.xml
c:\documents and settings\J\Application Data\PriceGong\Data\l.xml
c:\documents and settings\J\Application Data\PriceGong\Data\m.xml
c:\documents and settings\J\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\J\Application Data\PriceGong\Data\n.xml
c:\documents and settings\J\Application Data\PriceGong\Data\o.xml
c:\documents and settings\J\Application Data\PriceGong\Data\p.xml
c:\documents and settings\J\Application Data\PriceGong\Data\q.xml
c:\documents and settings\J\Application Data\PriceGong\Data\r.xml
c:\documents and settings\J\Application Data\PriceGong\Data\s.xml
c:\documents and settings\J\Application Data\PriceGong\Data\t.xml
c:\documents and settings\J\Application Data\PriceGong\Data\u.xml
c:\documents and settings\J\Application Data\PriceGong\Data\v.xml
c:\documents and settings\J\Application Data\PriceGong\Data\w.xml
c:\documents and settings\J\Application Data\PriceGong\Data\x.xml
c:\documents and settings\J\Application Data\PriceGong\Data\y.xml
c:\documents and settings\J\Application Data\PriceGong\Data\z.xml
c:\documents and settings\JoAnne\Application Data\PriceGong
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\1.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\a.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\b.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\c.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\d.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\e.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\f.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\g.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\h.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\i.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\J.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\k.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\l.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\m.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\n.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\o.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\p.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\q.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\r.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\s.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\t.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\u.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\v.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\w.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\x.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\y.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\z.xml
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\chrome.manifest
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\chrome\content\_cfg.js
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\chrome\content\overlay.xul
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\install.rdf
C:\Install.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\iWin\tbiWi1.dll
c:\windows\system32\Data
.
Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-22 14:08 . 2011-03-22 14:08 -------- d-----w- c:\program files\ERUNT
2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-08 19:58 . 2011-02-08 19:58 388096 ----a-r- c:\documents and settings\J\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-10 02:17 . 2010-08-10 02:17 464 ----a-w- c:\program files\0809201021175065.bat
2010-04-15 02:20 . 2010-04-15 02:20 458 ----a-w- c:\program files\0414201021202447.bat
2010-04-15 02:19 . 2010-04-15 02:19 453 ----a-w- c:\program files\0414201021192699.bat
2010-04-03 20:36 . 2010-04-03 20:36 469 ----a-w- c:\program files\0403201015360422.bat
2010-03-18 12:42 . 2010-03-18 12:42 455 ----a-w- c:\program files\031820107425510.bat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
.
c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdate1c9b6296af48476"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-02-01 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
MSConfigStartUp-013f74406cf06ba257e3b7572429f7a5 - c:\docume~1\JoAnne\Desktop\SKIP-B~1.EXE
MSConfigStartUp-Creative Detector - c:\program files\Creative\MediaSource\Detector\CTDetect.exe
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-Exetender - c:\program files\Free Ride Games\GPlayer.exe
MSConfigStartUp-Gzizefameteqa - c:\windows\enakagupiseriyo.dll
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-Internet Antivirus Pro - c:\program files\Internet Antivirus Pro\IAPro.exe
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
MSConfigStartUp-Jmowujagedeyoxi - c:\windows\mcbMBU.dll
MSConfigStartUp-Microsoft Windows logon process - c:\documents and settings\JoAnne\Application Data\Microsoft\Windows\winlogon.exe
MSConfigStartUp-rillixcs - c:\docume~1\JoAnne\LOCALS~1\Temp\jvsxmkoxy\bajctmiyhsn.exe
MSConfigStartUp-SearchEngineProtection - c:\program files\Gamesbar\SearchEngineProtection.exe
MSConfigStartUp-VoiceCenter - c:\program files\Creative\VoiceCenter\AndreaVC.exe
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
MSConfigStartUp-{143B3226-02CE-A020-A3BE-3108B7F2A074} - c:\documents and settings\JoAnne\Application Data\Epfaez\kydy.exe
MSConfigStartUp-{BC1335DB-6FF8-65FB-680A-E73CB69796AC} - c:\documents and settings\JoAnne\Application Data\Usen\negi.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 20:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-22 20:55:00
ComboFix-quarantined-files.txt 2011-03-23 01:54
.
Pre-Run: 71,095,001,088 bytes free
Post-Run: 71,253,016,576 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - F2EF9C629EF00870D49E484D1084574F
I think this may have fixed it. Please let me know if there's anything else.
Thanks!!
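The ComboFix sections above (Reg Loading Points, the R2/S2/S4 service lines and ORPHANS REMOVED) are what a helper reads to decide what goes into a CFScript. As an added example, not part of this thread and not ComboFix's own code, here is a small Python triage script that parses lines in that format and flags the patterns visible in this log: autostarts living under a user profile or a Temp directory, a system-binary name (winlogon.exe) outside system32, a service whose image file ComboFix could not find ([?]), and a randomly named DLL sitting directly in the Windows directory. The sample lines are constructed in the shape of this log's entries; the heuristics are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of ComboFix's Run-key, service and
# "MSConfigStartUp" lines; the entries mirror the ones seen in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-Microsoft Windows logon process - c:\documents and settings\JoAnne\Application Data\Microsoft\Windows\winlogon.exe
MSConfigStartUp-rillixcs - c:\docume~1\JoAnne\LOCALS~1\Temp\jvsxmkoxy\bajctmiyhsn.exe
MSConfigStartUp-Gzizefameteqa - c:\windows\enakagupiseriyo.dll
"""

# Line shapes: "name"="target" [date size] / R2 name;display;imagepath [...] / Kind-name - target
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"(?P<meta>.*)$')
SVC_RE = re.compile(r'^[RS]\d (?P<name>[^;]+);[^;]*;(?P<target>.+)$')
ORPHAN_RE = re.compile(r'^(?P<kind>[A-Za-z]+)-(?P<name>.+?) - (?P<target>.+)$')

# Names that belong in system32; anywhere else they are a masquerade candidate.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "services.exe", "smss.exe", "explorer.exe"}
PROFILE_RE = re.compile(r"\\(documents and settings|docume~1)\\")
TEMP_RE = re.compile(r"\\temp\\")
WINDIR_ROOT_RE = re.compile(r"^c:\\windows\\[a-z]{8,}\.(dll|exe)$")


def _image_path(target: str) -> str:
    """Reduce a raw target field to the path ComboFix actually resolved."""
    if "-->" in target:                       # service line: use the resolved image path
        target = target.split("-->", 1)[1]
    target = re.sub(r"\s*\[[^\]]*\]\s*$", "", target)   # drop trailing [date size] or [?]
    return target.strip().strip('"').lower()


def assess(target: str) -> list:
    """Return the heuristic reasons an autostart target looks suspicious (empty = clean)."""
    reasons = []
    raw = target.lower()
    if "[?]" in raw or "[n/a]" in raw:
        reasons.append("target file missing")
    path = _image_path(target)
    if PROFILE_RE.search(path):
        reasons.append("autostart under a user profile")
    if TEMP_RE.search(path):
        reasons.append("runs from a Temp directory")
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in path:
        reasons.append("system binary name outside system32")
    if WINDIR_ROOT_RE.match(path):
        reasons.append("unusual lowercase name directly in the Windows directory")
    return reasons


@dataclass
class Finding:
    source: str    # Run, Service, or the orphan kind (e.g. MSConfigStartUp)
    name: str
    target: str
    reasons: list


def parse_entry(line: str):
    """Split one log line into (source, name, target); None for headers and blanks."""
    line = line.rstrip()
    m = RUN_RE.match(line)
    if m:
        return "Run", m["name"], m["target"] + m["meta"]
    m = SVC_RE.match(line)
    if m:
        return "Service", m["name"].strip(), m["target"]
    m = ORPHAN_RE.match(line)
    if m:
        return m["kind"], m["name"], m["target"]
    return None


def triage(log_text: str) -> list:
    """Parse every recognisable entry and keep those with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        source, name, target = entry
        reasons = assess(target)
        if reasons:
            findings.append(Finding(source, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.name}\n    {f.target}\n    -> {', '.join(f.reasons)}")
```

Entries that trip no heuristic (the Sigmatel tray app, the HP updater, the Free Ride Games drivers) are left out of the report, which is why the helper still sends the unflagged drivers to VirusTotal rather than trusting a path check alone.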
Blottedisk
2011-03-23, 15:52
Hi iamsam,
A good part of the main infection has been removed, although I suspect there's still more in there. Let me tell you that unfortunately your computer appears to have been infected by the TDL3 backdoor infection. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer. You should not be following fixes in other threads, as those fixes are specifically for those computers.
Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall? (http://www.dslreports.com/faq/10063)
Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:
Step 1 | I notice you have games from Free Ride Games installed on your machine. There are some comments from the WOT (Web of Trust) community that relate this developer to certain infections. See here:
http://www.mywot.com/es/scorecard/freeridegames.com (http://www.mywot.com/en/scorecard/freeridegames.com)
Have you installed these games? Let's upload some of their files to check. Please go to the following site to scan a file: Virus Total (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.virustotal.com)
Click on Browse, and upload the following files for analysis:
c:\program files\Free Ride Games\X4HS32Ex.sys
c:\program files\Free Ride Games\X4HSEx.sys
Then click Submit. Allow the files to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Step 2 | Close any open browsers. Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
Please open Notepad.
In Notepad, Click "Format" and be certain that Word Wrap is not checked.
Copy and paste all of the text in the code box below into Notepad (including the URL). Do not copy the word CODE:
http://forums.spybot.info/showthread.php?p=398466
Collect::
c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
c:\program files\SeekeenSrch\seekeen.dll
Driver:
SeekeenSrch Service
DDS::
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
In Notepad click File, Save as..., and set Save in to your Desktop.
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save.
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
This will start ComboFix again. Close all browsers/windows first.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
**Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Please post back including the Combofix log.
I would like to see if we can clean this up. I'm doing this for a relative and I'd like to avoid an OS install if possible.
VirusTotal logs: (I'll probably uninstall the Free Ride games once everything is cleaned up)
user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
X4HS32Ex.sys
Submission date:
2011-03-23 14:01:22 (UTC)
Current status:
queued (#1) queued (#1) analysing finished
Result:
0/ 41 (0.0%)
VT Community
not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.03.23.01 2011.03.23 -
AntiVir 7.11.5.44 2011.03.23 -
Antiy-AVL 2.0.3.7 2011.03.22 -
Avast 4.8.1351.0 2011.03.23 -
Avast5 5.0.677.0 2011.03.23 -
AVG 10.0.0.1190 2011.03.23 -
BitDefender 7.2 2011.03.23 -
CAT-QuickHeal 11.00 2011.03.23 -
ClamAV 0.96.4.0 2011.03.23 -
Commtouch 5.2.11.5 2011.03.22 -
Comodo 8075 2011.03.23 -
DrWeb 5.0.2.03300 2011.03.23 -
eSafe 7.0.17.0 2011.03.22 -
eTrust-Vet 36.1.8231 2011.03.23 -
F-Prot 4.6.2.117 2011.03.22 -
F-Secure 9.0.16440.0 2011.03.23 -
Fortinet 4.2.254.0 2011.03.23 -
GData 21 2011.03.23 -
Ikarus T3.1.1.97.0 2011.03.23 -
Jiangmin 13.0.900 2011.03.23 -
K7AntiVirus 9.94.4188 2011.03.23 -
McAfee 5.400.0.1158 2011.03.23 -
McAfee-GW-Edition 2010.1C 2011.03.23 -
Microsoft 1.6603 2011.03.23 -
NOD32 5977 2011.03.23 -
Norman 6.07.03 2011.03.22 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.23 -
PCTools 7.0.3.5 2011.03.21 -
Prevx 3.0 2011.03.23 -
Rising 23.50.01.06 2011.03.22 -
Sophos 4.63.0 2011.03.23 -
SUPERAntiSpyware 4.40.0.1006 2011.03.23 -
Symantec 20101.3.0.103 2011.03.23 -
TheHacker 6.7.0.1.155 2011.03.23 -
TrendMicro 9.200.0.1012 2011.03.23 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.23 -
VBA32 3.12.14.3 2011.03.23 -
VIPRE 8792 2011.03.23 -
ViRobot 2011.3.23.4372 2011.03.23 -
VirusBuster 13.6.265.0 2011.03.23 -
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
X4HSEx.sys
Submission date:
2011-03-23 14:02:42 (UTC)
Current status:
queued queued (#2) analysing finished
Result:
0/ 43 (0.0%)
VT Community
not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.03.23.01 2011.03.23 -
AntiVir 7.11.5.44 2011.03.23 -
Antiy-AVL 2.0.3.7 2011.03.22 -
Avast 4.8.1351.0 2011.03.23 -
Avast5 5.0.677.0 2011.03.23 -
AVG 10.0.0.1190 2011.03.23 -
BitDefender 7.2 2011.03.23 -
CAT-QuickHeal 11.00 2011.03.23 -
ClamAV 0.96.4.0 2011.03.23 -
Commtouch 5.2.11.5 2011.03.22 -
Comodo 8075 2011.03.23 -
DrWeb 5.0.2.03300 2011.03.23 -
Emsisoft 5.1.0.4 2011.03.23 -
eSafe 7.0.17.0 2011.03.22 -
eTrust-Vet 36.1.8231 2011.03.23 -
F-Prot 4.6.2.117 2011.03.22 -
F-Secure 9.0.16440.0 2011.03.23 -
Fortinet 4.2.254.0 2011.03.23 -
GData 21 2011.03.23 -
Ikarus T3.1.1.97.0 2011.03.23 -
Jiangmin 13.0.900 2011.03.23 -
K7AntiVirus 9.94.4188 2011.03.23 -
Kaspersky 7.0.0.125 2011.03.23 -
McAfee 5.400.0.1158 2011.03.23 -
McAfee-GW-Edition 2010.1C 2011.03.23 -
Microsoft 1.6603 2011.03.23 -
NOD32 5977 2011.03.23 -
Norman 6.07.03 2011.03.22 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.23 -
PCTools 7.0.3.5 2011.03.21 -
Prevx 3.0 2011.03.23 -
Rising 23.50.01.06 2011.03.22 -
Sophos 4.63.0 2011.03.23 -
SUPERAntiSpyware 4.40.0.1006 2011.03.23 -
Symantec 20101.3.0.103 2011.03.23 -
TheHacker 6.7.0.1.155 2011.03.23 -
TrendMicro 9.200.0.1012 2011.03.23 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.23 -
VBA32 3.12.14.3 2011.03.23 -
VIPRE 8792 2011.03.23 -
ViRobot 2011.3.23.4372 2011.03.23 -
VirusBuster 13.6.265.0 2011.03.23 -
ComboFix Log:
ComboFix 11-03-22.09 - J 03/23/2011 9:31.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT -5:00]
Running from: c:\documents and settings\J\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\J\My Documents\Downloads\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-23 02:30 . 2011-03-23 02:30 -------- d-----w- c:\documents and settings\J\Local Settings\Application Data\AVG Security Toolbar
2011-03-23 02:04 . 2011-03-23 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2008-10-16 04:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-10-16 04:48 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-08-10 02:17 . 2010-08-10 02:17 464 ----a-w- c:\program files\0809201021175065.bat
2010-04-15 02:20 . 2010-04-15 02:20 458 ----a-w- c:\program files\0414201021202447.bat
2010-04-15 02:19 . 2010-04-15 02:19 453 ----a-w- c:\program files\0414201021192699.bat
2010-04-03 20:36 . 2010-04-03 20:36 469 ----a-w- c:\program files\0403201015360422.bat
2010-03-18 12:42 . 2010-03-18 12:42 455 ----a-w- c:\program files\031820107425510.bat
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-23_01.53.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-23 14:21 . 2011-03-23 14:21 16384 c:\windows\Temp\Perflib_Perfdata_720.dat
- 2006-03-04 03:33 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 66560 c:\windows\system32\mshtmled.dll
+ 2009-03-08 09:31 . 2010-12-20 23:59 55296 c:\windows\system32\msfeedsbs.dll
- 2009-03-08 09:31 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-10 11:00 . 2010-11-06 00:26 43520 c:\windows\system32\licmgr10.dll
+ 2004-08-10 11:00 . 2010-12-20 23:59 43520 c:\windows\system32\licmgr10.dll
+ 2004-08-10 11:00 . 2010-12-20 23:59 25600 c:\windows\system32\jsproxy.dll
- 2004-08-10 11:00 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-03-08 09:31 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 09:31 . 2010-12-20 23:59 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-03-08 09:34 . 2010-12-20 23:59 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-03-08 09:34 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-03-08 09:33 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-03-08 09:33 . 2010-12-20 23:59 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2004-08-10 11:00 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
- 2004-08-10 11:00 . 2009-12-14 07:08 33280 c:\windows\system32\csrsrv.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 12800 c:\windows\ie8updates\KB2482017-IE8\xpshims.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 66560 c:\windows\ie8updates\KB2482017-IE8\mshtmled.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 55296 c:\windows\ie8updates\KB2482017-IE8\msfeedsbs.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 43520 c:\windows\ie8updates\KB2482017-IE8\licmgr10.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 25600 c:\windows\ie8updates\KB2482017-IE8\jsproxy.dll
- 2006-03-04 03:33 . 2010-11-06 00:26 916480 c:\windows\system32\wininet.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 916480 c:\windows\system32\wininet.dll
- 2004-08-10 11:00 . 2008-04-14 00:12 135168 c:\windows\system32\shsvcs.dll
+ 2004-08-10 11:00 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
- 2004-08-10 11:00 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll
+ 2004-08-10 11:00 . 2010-12-20 23:59 206848 c:\windows\system32\occache.dll
+ 2004-08-10 11:00 . 2010-12-09 15:15 718336 c:\windows\system32\ntdll.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 611840 c:\windows\system32\mstime.dll
- 2006-03-04 03:33 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll
+ 2009-03-08 09:32 . 2010-12-20 23:59 602112 c:\windows\system32\msfeeds.dll
- 2009-03-08 09:32 . 2010-11-06 00:26 602112 c:\windows\system32\msfeeds.dll
- 2004-08-10 11:00 . 2009-06-25 08:25 730112 c:\windows\system32\lsasrv.dll
+ 2004-08-10 11:00 . 2010-12-20 17:26 730112 c:\windows\system32\lsasrv.dll
+ 2004-08-10 11:00 . 2010-12-22 12:34 301568 c:\windows\system32\kerberos.dll
- 2004-08-10 11:00 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 184320 c:\windows\system32\iepeers.dll
- 2006-03-04 03:33 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll
- 2004-08-10 11:00 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-10 11:00 . 2010-12-20 23:59 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-10 11:00 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe
+ 2004-08-10 11:00 . 2010-12-20 12:55 173568 c:\windows\system32\ie4uinit.exe
- 2008-10-15 21:43 . 2011-02-01 19:50 181832 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-15 21:43 . 2011-03-23 02:28 181832 c:\windows\system32\FNTCACHE.DAT
- 2008-08-20 05:30 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-08-20 05:30 . 2010-12-20 23:59 916480 c:\windows\system32\dllcache\wininet.dll
+ 2009-07-27 23:17 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
+ 2011-01-21 14:44 . 2011-01-21 14:44 439296 c:\windows\system32\dllcache\shimgvw.dll
+ 2004-08-10 11:00 . 2011-02-04 22:48 291840 c:\windows\system32\dllcache\sbe.dll
+ 2009-03-08 09:34 . 2010-12-20 23:59 206848 c:\windows\system32\dllcache\occache.dll
- 2009-03-08 09:34 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-04-15 16:13 . 2010-12-09 15:15 718336 c:\windows\system32\dllcache\ntdll.dll
+ 2009-03-08 09:32 . 2010-12-20 23:59 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-03-08 09:32 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2009-04-15 16:13 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-04-15 16:13 . 2010-12-20 17:26 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2011-01-27 11:57 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe
+ 2009-06-25 08:25 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
- 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-03-08 09:31 . 2010-12-20 23:59 184320 c:\windows\system32\dllcache\iepeers.dll
- 2009-03-08 09:31 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-07-10 02:56 . 2010-12-20 23:59 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-07-10 02:56 . 2010-11-06 00:26 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2009-03-08 19:09 . 2010-12-20 23:59 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-03-08 19:09 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-03-08 09:32 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-03-08 09:32 . 2010-12-20 12:55 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-10 11:00 . 2011-02-04 22:48 456192 c:\windows\system32\dllcache\encdec.dll
+ 2010-04-20 05:30 . 2011-01-07 14:09 290048 c:\windows\system32\dllcache\atmfd.dll
- 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 916480 c:\windows\ie8updates\KB2482017-IE8\wininet.dll
+ 2011-03-23 02:18 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2482017-IE8\spuninst\updspapi.dll
+ 2011-03-23 02:18 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2482017-IE8\spuninst\spuninst.exe
+ 2011-03-23 02:18 . 2010-11-06 00:26 206848 c:\windows\ie8updates\KB2482017-IE8\occache.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 611840 c:\windows\ie8updates\KB2482017-IE8\mstime.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 602112 c:\windows\ie8updates\KB2482017-IE8\msfeeds.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 247808 c:\windows\ie8updates\KB2482017-IE8\ieproxy.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 184320 c:\windows\ie8updates\KB2482017-IE8\iepeers.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 743424 c:\windows\ie8updates\KB2482017-IE8\iedvtool.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 387584 c:\windows\ie8updates\KB2482017-IE8\iedkcs32.dll
+ 2011-03-23 02:18 . 2010-11-03 12:26 173568 c:\windows\ie8updates\KB2482017-IE8\ie4uinit.exe
+ 2006-03-18 11:09 . 2010-12-20 23:59 1210880 c:\windows\system32\urlmon.dll
- 2006-03-18 11:09 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll
+ 2004-08-10 11:00 . 2011-01-21 14:44 8462336 c:\windows\system32\shell32.dll
- 2004-08-10 11:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2005-03-30 01:21 . 2010-12-09 13:42 2148864 c:\windows\system32\ntoskrnl.exe
+ 2005-03-30 01:01 . 2010-12-09 13:07 2027008 c:\windows\system32\ntkrnlpa.exe
+ 2006-03-23 17:32 . 2010-12-20 23:59 5961216 c:\windows\system32\mshtml.dll
- 2009-03-08 09:32 . 2010-11-06 00:26 1991680 c:\windows\system32\iertutil.dll
+ 2009-03-08 09:32 . 2010-12-20 23:59 1991680 c:\windows\system32\iertutil.dll
+ 2008-10-17 04:11 . 2010-12-31 13:10 1854976 c:\windows\system32\dllcache\win32k.sys
+ 2008-08-20 05:30 . 2010-12-20 23:59 1210880 c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:30 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll
- 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2008-06-17 19:02 . 2011-01-21 14:44 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2008-10-17 04:20 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-17 04:20 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-17 04:20 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-17 04:20 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-08-20 05:30 . 2010-12-20 23:59 5961216 c:\windows\system32\dllcache\mshtml.dll
+ 2011-02-02 07:58 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2011-03-23 02:05 . 2011-03-23 02:05 3277312 c:\windows\Installer\15fa20.msi
+ 2011-03-23 02:03 . 2011-03-23 02:03 1611776 c:\windows\Installer\15fa1c.msi
+ 2011-03-23 02:18 . 2010-11-06 00:26 1210880 c:\windows\ie8updates\KB2482017-IE8\urlmon.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 5959168 c:\windows\ie8updates\KB2482017-IE8\mshtml.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 1991680 c:\windows\ie8updates\KB2482017-IE8\iertutil.dll
+ 2008-10-17 04:20 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-17 04:20 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-17 04:20 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-17 04:20 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-17 13:22 . 2011-03-03 00:56 37943240 c:\windows\system32\MRT.exe
+ 2009-03-08 09:39 . 2010-12-21 10:29 11080704 c:\windows\system32\ieframe.dll
- 2009-03-08 09:39 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2009-09-17 18:16 . 2010-12-21 10:29 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 11080704 c:\windows\ie8updates\KB2482017-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
.
c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdate1c9b6296af48476"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 09:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\l3codeca.acm
.
- - - - - - - > 'explorer.exe'(3272)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-23 09:37:52
ComboFix-quarantined-files.txt 2011-03-23 14:37
ComboFix2.txt 2011-03-23 01:55
.
Pre-Run: 73,506,562,048 bytes free
Post-Run: 73,492,258,816 bytes free
.
- - End Of File - - 72D84D105BE313EA25CC28B8CA708CBA
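As an added example that is not part of the thread, the script below automates two things the helper reads by eye in the ComboFix log above: it pairs the SnapShot "-"/"+" lines per path and checks whether a modified file's old version reappears as a backup under the KB2482017-IE8 folder (so the change is accounted for by an update), and it flags service lines whose image ComboFix reports missing ("[?]") or that run from a user-writable folder. The sample lines are constructed by copying lines from the log; the two-timestamp layout is read as created/modified and the backup-folder marker is limited to the ie8updates layout seen here (both assumptions).

```python
"""Triage helpers for ComboFix log lines (added example, not ComboFix's own code)."""
import re
from collections import defaultdict

# Constructed sample: SnapShot lines copied from the first ComboFix log above.
SNAPSHOT_SAMPLE = r"""
- 2006-03-04 03:33 . 2010-11-06 00:26 916480 c:\windows\system32\wininet.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 916480 c:\windows\system32\wininet.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 916480 c:\windows\ie8updates\KB2482017-IE8\wininet.dll
- 2004-08-10 11:00 . 2009-06-25 08:25 730112 c:\windows\system32\lsasrv.dll
+ 2004-08-10 11:00 . 2010-12-20 17:26 730112 c:\windows\system32\lsasrv.dll
+ 2011-03-23 02:05 . 2011-03-23 02:05 3277312 c:\windows\Installer\15fa20.msi
"""

# Constructed sample: service/driver lines copied from the same log.
SERVICES_SAMPLE = r"""
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
"""

# "+|- <timestamp1> . <timestamp2> <size> <path>"; the two timestamps are
# read here as created / modified (assumption about the ComboFix format).
SNAP_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$"
)
# "<R|S><n> <name>;<display name>;<command> [<date> <size>]" or "[?]"
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[([^\]]*)\]$")

# Folder where the update installer kept backups of the files it replaced
# (assumption: only the ie8updates layout seen in this log is recognised).
BACKUP_DIR_MARKERS = ("\\ie8updates\\",)
# Folders an ordinary XP user can write to; a service image there is unusual.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def parse_snapshot(text):
    """Return a list of (sign, created, modified, size, path) tuples."""
    rows = []
    for line in text.splitlines():
        m = SNAP_RE.match(line.strip())
        if m:
            sign, created, modified, size, path = m.groups()
            rows.append((sign, created, modified, int(size), path))
    return rows


def changed_files(text):
    """Pair '-' and '+' rows per path and say whether a backup explains the change.

    Returns {path: {"old": old_mtime, "new": new_mtime, "size": n,
                    "explained_by": backup_path_or_None}}.
    """
    rows = parse_snapshot(text)
    by_path = defaultdict(dict)
    backups = {}  # (basename, mtime, size) -> backup copy path
    for sign, _created, modified, size, path in rows:
        low = path.lower()
        by_path[low][sign] = (modified, size, path)
        if sign == "+" and any(mk in low for mk in BACKUP_DIR_MARKERS):
            backups[(low.rsplit("\\", 1)[-1], modified, size)] = path
    result = {}
    for key, versions in by_path.items():
        if "-" not in versions or "+" not in versions:
            continue  # file was only created or only deleted, not modified
        old_mtime, old_size, path = versions["-"]
        new_mtime, _new_size, _ = versions["+"]
        base = key.rsplit("\\", 1)[-1]
        result[path] = {
            "old": old_mtime,
            "new": new_mtime,
            "size": old_size,
            # A '+' copy with the same name, size and OLD mtime under the
            # update's backup folder means the update replaced this file.
            "explained_by": backups.get((base, old_mtime, old_size)),
        }
    return result


def suspicious_services(text):
    """Return {service name: [reasons]} for service lines worth a second look."""
    findings = {}
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if not m:
            continue
        _state, name, _display, command, info = m.groups()
        # ComboFix prints the resolved image path after "-->" for indirect commands.
        image = command.split("-->")[-1].strip().strip('"').lower()
        reasons = []
        if info.strip() == "?":
            reasons.append("image file not found on disk")
        if any(mk in image for mk in USER_WRITABLE_MARKERS):
            reasons.append("image in user-writable folder: " + image)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for path, info in changed_files(SNAPSHOT_SAMPLE).items():
        tag = ("backup: " + info["explained_by"]) if info["explained_by"] else "UNEXPLAINED"
        print(f"{path}: {info['old']} -> {info['new']} ({tag})")
    for name, reasons in suspicious_services(SERVICES_SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

On the sample, wininet.dll's change is matched to its KB2482017-IE8 backup while lsasrv.dll is reported unexplained, and SeekeenSrch Service is flagged on both counts.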
Blottedisk
2011-03-23, 20:02
Hi sam, thanks for the logs.
Apparently the ComboFix script didn't work. Have you uninstalled AVG? Please download the attached CFscript.txt file at the bottom of my post and save it to your desktop.
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
This will start ComboFix again. Close all browser/windows first.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
**Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Please advise if the upload was successful and post back including the Combofix log.
I think I did something wrong the first time through.
Log:
ComboFix 11-03-23.01 - J 03/23/2011 13:34:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.594 [GMT -5:00]
Running from: c:\documents and settings\J\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\J\My Documents\Downloads\CFscript.txt
.
FILE ::
"c:\program files\031820107425510.bat"
"c:\program files\0403201015360422.bat"
"c:\program files\0414201021192699.bat"
"c:\program files\0414201021202447.bat"
.
file zipped: c:\program files\0809201021175065.bat
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\031820107425510.bat
c:\program files\0403201015360422.bat
c:\program files\0414201021192699.bat
c:\program files\0414201021202447.bat
c:\program files\0809201021175065.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-23 02:30 . 2011-03-23 02:30 -------- d-----w- c:\documents and settings\J\Local Settings\Application Data\AVG Security Toolbar
2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2008-10-16 04:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-10-16 04:48 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2011-03-23_14.36.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-23 18:27 . 2011-03-23 18:27 16384 c:\windows\Temp\Perflib_Perfdata_728.dat
+ 2011-03-23 14:48 . 2011-03-23 14:48 3277312 c:\windows\Installer\17a407.msi
+ 2011-03-23 14:47 . 2011-03-23 14:47 1611776 c:\windows\Installer\17a403.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
.
c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdate1c9b6296af48476"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CFCATCHME
*Deregistered* - CFcatchme
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 13:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\l3codeca.acm
.
Completion time: 2011-03-23 13:41:17
ComboFix-quarantined-files.txt 2011-03-23 18:41
ComboFix2.txt 2011-03-23 14:37
ComboFix3.txt 2011-03-23 01:55
.
Pre-Run: 73,157,271,552 bytes free
Post-Run: 73,138,380,800 bytes free
.
- - End Of File - - 1026AD96D9E2171A5F490801A1CB93EC
Upload was successful
Blottedisk
2011-03-23, 21:33
Hi,
Please download The Avenger2 (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.
Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop
1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Drivers to delete:
SeekeenSrch Service
Files to delete:
c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
c:\program files\SeekeenSrch\seekeen.dll
Folders to delete:
c:\program files\SeekeenSrc
c:\documents and settings\All Users\Application Data\SeekeenSrch
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, open the avenger folder and start The Avenger program by clicking on its icon.
Right click on the window under Input script here:, and select Paste.
You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
Click on Execute
Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.
The log is below:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "SeekeenSrch Service" deleted successfully.
Error: file "c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" not found!
Deletion of file "c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\program files\SeekeenSrch\seekeen.dll" not found!
Deletion of file "c:\program files\SeekeenSrch\seekeen.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: folder "c:\program files\SeekeenSrc" not found!
Deletion of folder "c:\program files\SeekeenSrc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Folder "c:\documents and settings\All Users\Application Data\SeekeenSrch" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Blottedisk
2011-03-23, 22:03
Hi,
We are almost done. Please follow these steps:
Step 1 | Please download CCleaner (freeware) (http://www.majorgeeks.com/download4191.html)
Run the installer.
Once installed, run CCleaner and click the Windows [tab]
The following should be selected by default, if not, please select:
http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png
Next: click Options (in the left panel) and click the Advanced button.
Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.
Step 2 | Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Step 3 | Let's perform an ESET Online Scan
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html).
Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif (Selecting Uninstall application on close if you so wish)
Malwarebytes log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6145
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
3/23/2011 3:19:20 PM
mbam-log-2011-03-23 (15-19-20).txt
Scan type: Quick scan
Objects scanned: 169702
Time elapsed: 2 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ESET Log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=f89f305cd61a8c4fba821cdb2a1d409e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-23 10:00:15
# local_time=2011-03-23 05:00:15 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 3634166 3634166 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=148397
# found=12
# cleaned=0
# scan_time=5525
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch9.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\J\My Documents\Downloads\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\JoAnne\Application Data\BfgBar\feeds\bigfishgames.xml Win32/Adware.SpywareProtect2009 application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\JoAnne\Application Data\BfgBar\feeds\newgames.xml Win32/Adware.SpywareProtect2009 application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\JoAnne\Application Data\BfgBar\feeds\topgames.xml Win32/Adware.SpywareProtect2009 application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\JoAnne\Application Data\BfgBar\feeds\whatsnew.xml Win32/Adware.SpywareProtect2009 application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir Win32/Olmarik.ZC trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{5D0DEC44-44F8-4608-83E1-764F13030D1D}\RP1\A0000033.sys Win32/Olmarik.ZC trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{5D0DEC44-44F8-4608-83E1-764F13030D1D}\RP11\A0002196.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Jdusuyagasuti.dat Win32/Adware.SpywareProtect2009 application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\oqazifowasi.dll Win32/Adware.SpywareProtect2009 application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\usafuxuzed.dll Win32/Adware.SpywareProtect2009 application (unable to clean) 00000000000000000000000000000000 I
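The ESET log above reports found=12 and cleaned=0 (Remove found threats was deliberately left unchecked), and the detections split into live files under C:\WINDOWS and the user profile versus copies already sitting in ComboFix's quarantine, Spybot's recovery folder and System Restore points. As an added example, not part of this thread or of ESET's tooling, here is a Python parser for that log format which makes the split explicit; the sample log is constructed from shortened lines of the one posted above, and the location rules are my own assumption.

```python
"""Parse an ESET Online Scanner log and sort detections by where each file lives.

Added example; format inferred from the log quoted in this thread: '# key=value'
header lines, then one line per detection: <path> <name> <kind> (<result>) <32 hex> <flag>.
"""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<path>.+) (?P<name>\S+) (?P<kind>\S+) \((?P<result>[^)]*)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)

# Assumed rules: substrings matched against the lowercased path, first hit wins.
# Live files need removal; quarantine copies are inert; restore points go with a reset.
LOCATION_RULES = [
    ("quarantine", "\\qoobox\\quarantine\\"),                   # ComboFix quarantine
    ("quarantine", "\\spybot - search & destroy\\recovery\\"),  # Spybot backups
    ("restore point", "\\system volume information\\_restore{"),
    ("download", "\\my documents\\downloads\\"),
]

# Constructed sample: four lines shortened from the log posted in this thread.
SAMPLE_LOG = r"""# version=7
# end=finished
# remove_checked=false
# scanned=148397
# found=4
# cleaned=0
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir Win32/Olmarik.ZC trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{5D0DEC44-44F8-4608-83E1-764F13030D1D}\RP1\A0000033.sys Win32/Olmarik.ZC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\J\My Documents\Downloads\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\oqazifowasi.dll Win32/Adware.SpywareProtect2009 application (unable to clean) 00000000000000000000000000000000 I
"""


@dataclass(frozen=True)
class Detection:
    path: str
    name: str      # e.g. Win32/Olmarik.ZC
    kind: str      # trojan / worm / application
    result: str    # e.g. "unable to clean"
    location: str  # quarantine / restore point / download / live


def classify(path: str) -> str:
    """Return the location class of a flagged path, 'live' if no rule matches."""
    low = path.lower()
    for label, fragment in LOCATION_RULES:
        if fragment in low:
            return label
    return "live"


def parse_log(text: str):
    """Return (headers, detections, unparsed_lines) for one scanner log."""
    headers, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                headers[key.strip()] = value.strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # kept, so a format change is visible to the caller
            continue
        detections.append(Detection(m["path"], m["name"], m["kind"],
                                    m["result"], classify(m["path"])))
    return headers, detections, unparsed


def summarize(text: str) -> dict:
    """Counts by family and location, the live paths, and a header/body sanity check."""
    headers, dets, unparsed = parse_log(text)
    return {
        "found_matches": int(headers.get("found", "0")) == len(dets) and not unparsed,
        "remove_was_enabled": headers.get("remove_checked") == "true",
        "by_family": Counter(d.name for d in dets),
        "by_location": Counter(d.location for d in dets),
        "live": [d.path for d in dets if d.location == "live"],
    }
```

`summarize(SAMPLE_LOG)["live"]` yields exactly the kind of path list a helper would carry into a removal script, while the quarantine and restore-point entries are left for the final cleanup step.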
Blottedisk
2011-03-24, 15:26
Hi,
ESET found some more malware to remove. Please do the following:
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
Please open Notepad and copy/paste all the text below... into the window:
File::
C:\Documents and Settings\JoAnne\Application Data\BfgBar\feeds\bigfishgames.xml
C:\Documents and Settings\JoAnne\Application Data\BfgBar\feeds\newgames.xml
C:\Documents and Settings\JoAnne\Application Data\BfgBar\feeds\topgames.xml
C:\Documents and Settings\JoAnne\Application Data\BfgBar\feeds\whatsnew.xml
C:\WINDOWS\Jdusuyagasuti.dat
C:\WINDOWS\oqazifowasi.dll
C:\WINDOWS\usafuxuzed.dll
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif
This will cause ComboFix to run again.
Do Not use your keyboard or click your mouse anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.
** Enable your Antivirus and Firewall, before connecting to the Internet again! **
The log:
ComboFix 11-03-23.01 - J 03/24/2011 8:37.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.629 [GMT -5:00]
Running from: c:\documents and settings\J\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\J\My Documents\Downloads\CFScript.txt
.
FILE ::
"c:\documents and settings\JoAnne\Application Data\BfgBar\feeds\bigfishgames.xml"
"c:\documents and settings\JoAnne\Application Data\BfgBar\feeds\newgames.xml"
"c:\documents and settings\JoAnne\Application Data\BfgBar\feeds\topgames.xml"
"c:\documents and settings\JoAnne\Application Data\BfgBar\feeds\whatsnew.xml"
"c:\windows\Jdusuyagasuti.dat"
"c:\windows\oqazifowasi.dll"
"c:\windows\usafuxuzed.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\JoAnne\Application Data\BfgBar\feeds\bigfishgames.xml
c:\documents and settings\JoAnne\Application Data\BfgBar\feeds\newgames.xml
c:\documents and settings\JoAnne\Application Data\BfgBar\feeds\topgames.xml
c:\documents and settings\JoAnne\Application Data\BfgBar\feeds\whatsnew.xml
c:\windows\Jdusuyagasuti.dat
c:\windows\oqazifowasi.dll
c:\windows\usafuxuzed.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-24 to 2011-03-24 )))))))))))))))))))))))))))))))
.
.
2011-03-23 20:25 . 2011-03-23 20:25 -------- d-----w- c:\program files\ESET
2011-03-23 20:15 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 20:15 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 20:09 . 2011-03-23 20:09 -------- d-----w- c:\program files\CCleaner
2011-03-23 02:30 . 2011-03-23 02:30 -------- d-----w- c:\documents and settings\J\Local Settings\Application Data\AVG Security Toolbar
2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2008-10-16 04:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-10-16 04:48 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2011-03-23_14.36.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-23 19:52 . 2011-03-23 19:52 16384 c:\windows\Temp\Perflib_Perfdata_104.dat
+ 2011-03-24 07:53 . 2011-03-24 07:53 1576 c:\windows\SoftwareDistribution\EventCache\{EC0DC6AA-9DAD-4291-A847-FEFEF4A93203}.bin
+ 2010-09-17 16:55 . 2011-03-23 20:09 3330048 c:\windows\system32\config\systemprofile\ntuser.dat
- 2010-09-17 16:55 . 2010-09-17 16:55 3330048 c:\windows\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
.
c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdate1c9b6296af48476"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\J\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\J\LOCALS~1\Temp\CFcatchme.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-24 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
2011-03-24 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-24 08:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-24 08:44:32
ComboFix-quarantined-files.txt 2011-03-24 13:44
ComboFix2.txt 2011-03-23 18:43
ComboFix3.txt 2011-03-23 14:37
ComboFix4.txt 2011-03-23 01:55
.
Pre-Run: 73,559,306,240 bytes free
Post-Run: 73,547,337,728 bytes free
.
- - End Of File - - C581EC8618CE2E7EE5DE6BFA7ACBC182
Blottedisk
2011-03-24, 21:21
Hi Sam,
How's the machine working?
We need to get rid of one last Firefox extension. Please follow this procedure:
1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Folders to delete:
c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, open the avenger folder and start The Avenger program by clicking on its icon.
Right click on the window under Input script here:, and select Paste.
You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
Click on Execute
Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This logfile will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.
Blottedisk,
Things are much, much better on the PC. The Rootkit was killing me. Please accept my sincere thanks for all your help.
Here is the Avenger log:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Folder "c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Blottedisk
2011-03-24, 22:44
Hi sam,
You are very welcome. Congratulations, we are done :bigthumb:
Please follow these last steps:
Step 1 | Delete ComboFix and Clean Up
The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:
ComboFix /Uninstall
Please advise if this step is missed for any reason as it performs some important actions.
Step 2 | Please download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe ) to your desktop and run it
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Step 3 | Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
Download the latest version of Adobe Reader Version X (http://get.adobe.com/reader/?promoid=BUIGO ) and save it to your desktop.
Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered.
Click the download button at the bottom.
If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer (http://www.bleepingcomputer.com/forums/topic42133.html )
Then from your desktop double-click on Adobe Reader to install the newest version.
If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the "Adobe Setup - Welcome" window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
Click on Help and select Check for Updates.
A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
In the window that opens click Install.
Once the update is done click Close.
Your Adobe Reader is updated now.
Step 4 | Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components and update.
Click on the following link to visit java website: Java Runtime Environment (JRE) 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html )
Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
Click the "Download" button to the right column (JRE).
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked:
Applications and Applets
Trace and Log Files
Click OK on the Delete Temporary Files window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files window.
Click OK to leave the Java Control Panel.
Last Step | Now, in order to avoid future infections, please take time to read the following article:
So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279 )
Thank you for your patience, and for performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed :)
I uninstalled ComboFix, ran OTC, updated Adobe and Java.
Thanks again for all your help. Please close the thread.
Blottedisk
2011-03-25, 08:54
You are welcome :)
Since this issue appears to be resolved, this Topic will be closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.