-
Malware/Browser Hijack
Windows XP SP 3
Clicks on Google searches get redirected to other search sites and the Spybot executable doesn't run unless I rename it - even in safe mode. I have AVG Free installed but the control panel won't let me uninstall it. I'm guessing that something is killing the uninstall process just like when SpyBot is started.
I have run several AVG and Spybot scans as well as Malwarebytes Anti-Malware and removed some of the worst offenders.
Thanks for your help.
DDS Log:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by J at 11:45:18.26 on Tue 03/22/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.473 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\J\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CE0C2586-DA36-452B-ACDB-320D9BCB19BF} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224210243328
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\j\applic~1\mozilla\firefox\profiles\645nbkj0.default\
FF - component: c:\documents and settings\j\application data\mozilla\firefox\profiles\645nbkj0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\j\application data\mozilla\firefox\profiles\645nbkj0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\free ride games\npExentCtl.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\mozilla firefox\extensions\npmozax31@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\mozilla firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6} - c:\documents and settings\joanne\local settings\application data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 X4HS32Ex;X4HS32Ex;c:\program files\free ride games\X4HS32Ex.sys [2010-3-15 53280]
R2 X4HSEx;X4HSEx;c:\program files\free ride games\X4HSEx.sys [2010-4-16 56352]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\google\update\GoogleUpdate.exe [2009-4-5 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe" "c:\program files\seekeensrch\seekeen.dll" service --> c:\documents and settings\all users\application data\seekeensrch\seekeen155.exe [?]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2010-08-10 02:17:50 464 ----a-w- c:\program files\0809201021175065.bat
2010-04-15 02:20:24 458 ----a-w- c:\program files\0414201021202447.bat
2010-04-15 02:19:27 453 ----a-w- c:\program files\0414201021192699.bat
2010-04-03 20:36:04 469 ----a-w- c:\program files\0403201015360422.bat
2010-03-18 12:42:55 455 ----a-w- c:\program files\031820107425510.bat
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8670CEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8462f872; SUB DWORD [EBP-0x4], 0x8462f12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86789AB8]
3 CLASSPNP[0xF7652FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x867DF350]
[0x85DC9F38] -> IRP_MJ_CREATE -> 0x8670CEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskARRAY1.0.00__#4&295c5a3a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x8670CAEA
user & kernel MBR OK
sectors 312494078 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:46:55.76 ===============
-
Hi iamsam,
Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.
- Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
- Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.
Please follow these steps in order:
Step 1 | Please download GMER from one of the following locations and save it to your desktop:
Main Mirror - This version will download a randomly named file (Recommended)
Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
--------------------------------------------------------------------
- Disconnect from the Internet and close all running programs.
- Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
- Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
http://img.photobucket.com/albums/v6...s/gmer_zip.gif
- GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
- If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
- Make sure all options are checked except:
- IAT/EAT
- Drives/Partition other than Systemdrive, which is typically C:\
- Show All (This is important, so do not miss it.)
http://i582.photobucket.com/albums/s...ER/gmer_th.gif
- Now click the Scan button. If you see a rootkit warning window, click OK.
- When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
- Click the Copy button and paste the results into your next reply.
- Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Step 2 | This next program is needed to remove the main infection in your system. However...AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the remaining infection.
After uninstalling AVG from the Control Panel, also run the AVG remover from their site.
http://www.avg.com/us-en/download-tools
direct link to the AVG Remover:
http://download.avg.com/filedir/util..._2011_1149.exe
You may also use this tool to uninstall AVG:
http://www.appremover.com/appremover/avg/AppRemover.exe
Instructions:
http://www.appremover.com/about/using-appremover.html
After uninstalling AVG, download Combofix from any of the links below, rename it to and save it to your desktop.
Link 1
Link 2
--------------------------------------------------------------------
- Double click on Combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
- Click on Yes, to continue scanning for malware.
- When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If you need help, see this link:
http://www.bleepingcomputer.com/comb...o-use-combofix
-
GMER and Combofix logs
GMER:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-22 20:20:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 Intel___ rev.1.0.
Running: qxmkmllz.exe; Driver: C:\DOCUME~1\J\LOCALS~1\Temp\ugtdypog.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF76D46C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF76D4770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF76D4810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF76D48B0]
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7BDA814]
init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xEDE00F80]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Fastfat \Fat AD0AFD20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskARRAY1.0.00__#4&295c5a3a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\InprocServer32@ C:\Program Files\Common Files\System\ado\msado15.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\ProgID@ ADODB.Connection.2.8
Reg HKLM\SOFTWARE\Classes\CLSID\{1830703E-16FA-AF27-4198-5871D9F7105F}\VersionIndependentProgID@ ADODB.Connection
Reg HKLM\SOFTWARE\Classes\CLSID\{2B84ADD1-0082-CC00-40DE-0ED6DEEFC743}\InProcServer32@ C:\WINDOWS\system32\oleacc.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2B84ADD1-0082-CC00-40DE-0ED6DEEFC743}\InProcServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{2C964540-F22E-5AC5-FABA-65B44C88E125}\xmlparse@classid 4107.11647.12889
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\AuxUserType\2
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\AuxUserType\2@ Media Clip
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\DefaultSet
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\DefaultSet@ MPlayer
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\0
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\0@ Embed Source,1,8,1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\1@ 3,1,32,1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\2
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DataFormats\GetSet\2@ 8,1,1,1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\DefaultIcon@ mplay32.exe,1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\Insertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer@ mplay32.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer32@ mplay32.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\ProgID@ MPlayer
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\0
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\0@ &Play,0,3
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\1
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\1@ &Edit,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\2
Reg HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\verb\2@ &Open,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{44C77CC3-DCA2-276F-7380-2B53C8A40B8A}\InprocServer32@ C:\Program Files\Roxio\Roxio MyDVD DE\VideoCore 9\sonicmcdsdv.ax
Reg HKLM\SOFTWARE\Classes\CLSID\{44C77CC3-DCA2-276F-7380-2B53C8A40B8A}\InprocServer32@InprocServer32 J$Dqm!w@u8}RxYo+r2zyDVDBuilder>1C!E9NrB.9iy@yTjW`Fo?
Reg HKLM\SOFTWARE\Classes\CLSID\{44C77CC3-DCA2-276F-7380-2B53C8A40B8A}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\InprocServer32@ c:\Program Files\RealArcade\RAComponents.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\InprocServer32@ThreadingModel both
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\ProgID@ RAComponents.RALocalizedString.1
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\TypeLib@ {C9BCE66F-FB3A-4985-9A96-DEDED07CF78D}
Reg HKLM\SOFTWARE\Classes\CLSID\{5385DE0E-A1E8-AFC7-5A28-4AC47358C6AC}\VersionIndependentProgID@ RAComponents.RALocalizedString
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InProcServer32@ shell32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\shellex\ExtShellFolderViews
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\shellex\ExtShellFolderViews\{5984FFE0-28D4-11CF-AE66-08002B2E1262}
Reg HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\shellex\ExtShellFolderViews\{5984FFE0-28D4-11CF-AE66-08002B2E1262}@PersistMoniker file://%userappdata%\Microsoft\Internet Explorer\Desktop.htt
Reg HKLM\SOFTWARE\Classes\CLSID\{64F11DA5-EE83-95FF-0379-7EBCB11ECFC6}\InprocServer@ avifile.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{64F11DA5-EE83-95FF-0379-7EBCB11ECFC6}\InprocServer32@ avifil32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{64F11DA5-EE83-95FF-0379-7EBCB11ECFC6}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\LocalServer32@ C:\PROGRA~1\Roxio\ROXIOM~1\INSTAL~1\Driver\1050\INTEL3~1\IDriverT.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\ProgID@ IDriverT.RotService.1
Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\TypeLib@ {7EC41441-2247-4DEC-BBFB-9E798627A17B}
Reg HKLM\SOFTWARE\Classes\CLSID\{735DD9C0-EDAC-6F43-8FCE-B11199EFB166}\VersionIndependentProgID@ IDriverT.RotService
Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer@ ole2disp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer32@ oleaut32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{74CDC428-E84E-282E-D272-21B4E2E1645E}\InprocServer32@InprocServer32 J$Dqm!w@u8}RxYo+r2zyMandatory>M5KDYSUnf(HA*L[xeX)y?
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\InprocServer32@ C:\Program Files\Roxio\Roxio MyDVD DE\VideoCore 9\RMFMediaObjects.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\ProgID@ RMFMediaObjects3.VCGFrameGrabber9.1
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\TypeLib@ {E5DAF394-09A5-4879-ABC0-2A3E92A7CBF1}
Reg HKLM\SOFTWARE\Classes\CLSID\{7F15A505-F648-4D12-3521-E955BD5A5D8B}\VersionIndependentProgID@ RMFMediaObjects3.VCGFrameGrabber9
Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\InprocServer32@ C:\PROGRA~1\NETMEE~1\rrcm.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\ProgID@ RTP.RTP.1
Reg HKLM\SOFTWARE\Classes\CLSID\{95444DCD-256E-7BCA-1176-39E0E2F16C29}\VersionIndependentProgID@ RTP.RTP
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{60A8075E-1422-B512-3767-A488F5C2A32C}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{611BF4E5-A0AA-3ADF-9B9D-5298A6A5BD05}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{622E5117-EFA1-1C70-66E1-1FF740D253FB}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{63FB4621-00E3-3127-D4B3-0F2BDEF38813}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{64A91B17-A059-F980-B4B6-C094CFB288BA}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{654F2EB9-27D5-A54B-DB01-EBBA951840A3}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{663078EC-1F0E-600E-01CD-912DD4FE5BB0}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{6751DF04-A4C0-B296-90E9-2FAE8C85E97E}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Implemented Categories\{6974B180-0477-EABB-461E-0D5F20BA0F51}
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@RuntimeVersion v2.0.50727
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@Assembly AspNetMMCExt, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@Class Microsoft.Aspnet.Snapin.AspNetManagementUtility
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@ mscoree.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0@RuntimeVersion v2.0.50727
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0@Assembly AspNetMMCExt, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32\2.0.0.0@Class Microsoft.Aspnet.Snapin.AspNetManagementUtility
Reg HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\ProgId@ Microsoft.Aspnet.Snapin.AspNetManagementUtility.2
Reg HKLM\SOFTWARE\Classes\CLSID\{B8F88168-4D43-0124-45EC-B04D34317605}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{B8F88168-4D43-0124-45EC-B04D34317605}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{B8F88168-4D43-0124-45EC-B04D34317605}\ProgID@ ScriptletHandler.ASP
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.aif
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.aifc
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.aiff
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.mov
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.qt
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.ra
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.ram
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.rm
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\.rmm
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\audio/aiff
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\audio/x-aiff
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\audio/x-pn-realaudio
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\EnablePlugin\MIME\video/quicktime
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\InprocServer32@ C:\WINDOWS\system32\Msdxm6.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\MiscStatus\1@ 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\ProgID@ AMOVIE.ActiveMovieControl.2
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\ToolboxBitmap32@ C:\WINDOWS\system32\Msdxm6.ocx, 1
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\TypeLib@ {05589fa0-c356-11ce-bf01-00aa0055595a}
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\Version@ 2.0
Reg HKLM\SOFTWARE\Classes\CLSID\{D5A88BD5-177B-FB58-3E31-F41DB892DA9A}\VersionIndependentProgID@ AMOVIE.ActiveMovieControl
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@ mscoree.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@Class RecordingObjects.RecordingCompletedEventLogEntry
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@Assembly ehRecObj, Version=6.0.3000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32@CodeBase file:///C:/WINDOWS/eHome/ehRecObj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@Class RecordingObjects.RecordingCompletedEventLogEntry
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@Assembly ehRecObj, Version=6.0.3000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\InprocServer32\6.0.3000.0@CodeBase file:///C:/WINDOWS/eHome/ehRecObj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{DCF7D047-10D7-4594-22FB-090875443A25}\ProgId@ RecordingObjects.RecordingCompletedEventLogEntry
Reg HKLM\SOFTWARE\Classes\CLSID\{EFAF8B52-112F-89D1-B35D-4F17650DEAB6}\InprocServer32@ C:\WINDOWS\system32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EFAF8B52-112F-89D1-B35D-4F17650DEAB6}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{320092EB-E50F-57BE-A0AB-CE07175496A7}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{335E72A0-8BF3-7B9C-F3C0-EA43C7629793}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{349CF325-DE89-0627-FF71-904851A913A1}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{3594C6AD-F011-9DE5-00DC-0E434A40BD32}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{36640083-5D89-0425-38C0-110541F1BC9A}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\Implemented Categories\{376B75CA-E248-5974-5D50-0545151BBFC4}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\InprocServer32@ C:\WINDOWS\system32\wmpsrcwp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{FB0FD391-A1B5-40AB-4BE2-ECF7544E0DD7}\InprocServer32@ThreadingModel Both
---- Files - GMER 1.0.15 ----
ADS C:\Program Files\Retro64 Games\mystery_stories:_berlin_nights.exe 70049792 bytes executable
ADS C:\Program Files\Retro64 Games\mystery_stories:_berlin_nights.exe 0 bytes executable
ADS C:\Program Files\Retro64 Games\mystery_stories:_berlin_nights.exe 0 bytes executable
File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Combofix:
ComboFix 11-03-22.04 - J 03/22/2011 20:46:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.697 [GMT -5:00]
Running from: c:\documents and settings\J\My Documents\Downloads\jComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\J\Application Data\PriceGong
c:\documents and settings\J\Application Data\PriceGong\Data\1.xml
c:\documents and settings\J\Application Data\PriceGong\Data\a.xml
c:\documents and settings\J\Application Data\PriceGong\Data\b.xml
c:\documents and settings\J\Application Data\PriceGong\Data\c.xml
c:\documents and settings\J\Application Data\PriceGong\Data\d.xml
c:\documents and settings\J\Application Data\PriceGong\Data\e.xml
c:\documents and settings\J\Application Data\PriceGong\Data\f.xml
c:\documents and settings\J\Application Data\PriceGong\Data\g.xml
c:\documents and settings\J\Application Data\PriceGong\Data\h.xml
c:\documents and settings\J\Application Data\PriceGong\Data\i.xml
c:\documents and settings\J\Application Data\PriceGong\Data\J.xml
c:\documents and settings\J\Application Data\PriceGong\Data\k.xml
c:\documents and settings\J\Application Data\PriceGong\Data\l.xml
c:\documents and settings\J\Application Data\PriceGong\Data\m.xml
c:\documents and settings\J\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\J\Application Data\PriceGong\Data\n.xml
c:\documents and settings\J\Application Data\PriceGong\Data\o.xml
c:\documents and settings\J\Application Data\PriceGong\Data\p.xml
c:\documents and settings\J\Application Data\PriceGong\Data\q.xml
c:\documents and settings\J\Application Data\PriceGong\Data\r.xml
c:\documents and settings\J\Application Data\PriceGong\Data\s.xml
c:\documents and settings\J\Application Data\PriceGong\Data\t.xml
c:\documents and settings\J\Application Data\PriceGong\Data\u.xml
c:\documents and settings\J\Application Data\PriceGong\Data\v.xml
c:\documents and settings\J\Application Data\PriceGong\Data\w.xml
c:\documents and settings\J\Application Data\PriceGong\Data\x.xml
c:\documents and settings\J\Application Data\PriceGong\Data\y.xml
c:\documents and settings\J\Application Data\PriceGong\Data\z.xml
c:\documents and settings\JoAnne\Application Data\PriceGong
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\1.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\a.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\b.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\c.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\d.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\e.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\f.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\g.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\h.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\i.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\J.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\k.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\l.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\m.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\n.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\o.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\p.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\q.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\r.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\s.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\t.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\u.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\v.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\w.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\x.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\y.xml
c:\documents and settings\JoAnne\Application Data\PriceGong\Data\z.xml
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\chrome.manifest
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\chrome\content\_cfg.js
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\chrome\content\overlay.xul
c:\documents and settings\JoAnne\Local Settings\Application Data\{1C3B3158-DAB3-4DA1-BCB8-2B1436074CC6}\install.rdf
C:\Install.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\iWin\tbiWi1.dll
c:\windows\system32\Data
.
Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-22 14:08 . 2011-03-22 14:08 -------- d-----w- c:\program files\ERUNT
2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-08 19:58 . 2011-02-08 19:58 388096 ----a-r- c:\documents and settings\J\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-10 02:17 . 2010-08-10 02:17 464 ----a-w- c:\program files\0809201021175065.bat
2010-04-15 02:20 . 2010-04-15 02:20 458 ----a-w- c:\program files\0414201021202447.bat
2010-04-15 02:19 . 2010-04-15 02:19 453 ----a-w- c:\program files\0414201021192699.bat
2010-04-03 20:36 . 2010-04-03 20:36 469 ----a-w- c:\program files\0403201015360422.bat
2010-03-18 12:42 . 2010-03-18 12:42 455 ----a-w- c:\program files\031820107425510.bat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
.
c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdate1c9b6296af48476"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-02-01 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
MSConfigStartUp-013f74406cf06ba257e3b7572429f7a5 - c:\docume~1\JoAnne\Desktop\SKIP-B~1.EXE
MSConfigStartUp-Creative Detector - c:\program files\Creative\MediaSource\Detector\CTDetect.exe
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-Exetender - c:\program files\Free Ride Games\GPlayer.exe
MSConfigStartUp-Gzizefameteqa - c:\windows\enakagupiseriyo.dll
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-Internet Antivirus Pro - c:\program files\Internet Antivirus Pro\IAPro.exe
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
MSConfigStartUp-Jmowujagedeyoxi - c:\windows\mcbMBU.dll
MSConfigStartUp-Microsoft Windows logon process - c:\documents and settings\JoAnne\Application Data\Microsoft\Windows\winlogon.exe
MSConfigStartUp-rillixcs - c:\docume~1\JoAnne\LOCALS~1\Temp\jvsxmkoxy\bajctmiyhsn.exe
MSConfigStartUp-SearchEngineProtection - c:\program files\Gamesbar\SearchEngineProtection.exe
MSConfigStartUp-VoiceCenter - c:\program files\Creative\VoiceCenter\AndreaVC.exe
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
MSConfigStartUp-{143B3226-02CE-A020-A3BE-3108B7F2A074} - c:\documents and settings\JoAnne\Application Data\Epfaez\kydy.exe
MSConfigStartUp-{BC1335DB-6FF8-65FB-680A-E73CB69796AC} - c:\documents and settings\JoAnne\Application Data\Usen\negi.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 20:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-22 20:55:00
ComboFix-quarantined-files.txt 2011-03-23 01:54
.
Pre-Run: 71,095,001,088 bytes free
Post-Run: 71,253,016,576 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - F2EF9C629EF00870D49E484D1084574F
I think this may have fixed it. Please let me know if there's anything else.
Thanks!!
-
Hi iamsam,
A good part of the main infection has been removed, although I suspect there's still more in there. Let me tell you that unfortunately your computer appears to have been infected by the TDL3 backdoor infection. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
- Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
- Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
- Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer. You should not be following fixes in other threads as those fixes are specifically for those computers.
Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?
Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:
Step 1 | I notice you have games from Free Ride Games installed on your machine. There are some comments from the WOT (Web of Trust) community that relate this developer to certain infections. See here:
http://www.mywot.com/es/scorecard/freeridegames.com
Have you installed these games? Let's upload some of their files to check. Please go to the following site to scan a file: Virus Total
- Click on Browse, and upload the following files for analysis:
- c:\program files\Free Ride Games\X4HS32Ex.sys
- c:\program files\Free Ride Games\X4HSEx.sys
- Then click Submit. Allow the files to be scanned, and then please copy and paste the results here for me to see.
- If it says already scanned -- click "reanalyze now"
- Please post the results in your next reply.
Step 2 | Close any open browsers. Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
- Please open Notepad.
- In Notepad, Click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all of the text in the code box below into Notepad (including the URL). Do not copy the word CODE:
Code:
http://forums.spybot.info/showthread.php?p=398466
Collect::
c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
c:\program files\SeekeenSrch\seekeen.dll
Driver:
SeekeenSrch Service
DDS::
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
- In the notepad click File, Save as..., and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
- Click save.
- Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
- This will start ComboFix again. Close all browser windows first.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
http://img.photobucket.com/albums/v6...FScriptB-4.gif
**Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Please post back including the Combofix log.
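The helper picked out the SeekeenSrch service from the "Reg Loading Points" section of the ComboFix log by reading the service lines and noticing that its binary lives under Application Data and that ComboFix could not stat it. The following is an added example, not code from this thread, from ComboFix or from any of the tools mentioned; it parses ComboFix-style service lines (the four lines from the log above are embedded as constructed sample input) and applies a few triage heuristics of my own choosing to show why those entries stand out. The flag names, the `USER_WRITABLE_PREFIXES` list and the interpretation of the `-->` pointer and the `[?]` marker are assumptions based only on what the log shows.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the four service lines from the ComboFix
# "Reg Loading Points" section of this thread. ComboFix prefixes each line
# with R (running) or S (stopped) and the SCM start type
# (2 = automatic, 3 = manual, 4 = disabled).
SAMPLE_LINES = r"""
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
"""

# Format assumed from the log: "<R|S><start> <name>;<display>;<rest>"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$"
)

# Locations an ordinary user (and therefore user-level malware) can write to
# on Windows XP; a service or driver registered from here deserves a look.
# Assumption of this example, not a ComboFix rule.
USER_WRITABLE_PREFIXES = ("c:\\documents and settings\\", "c:\\windows\\temp\\")


@dataclass
class ServiceEntry:
    state: str            # "R" running / "S" stopped
    start_type: int       # 2 automatic, 3 manual, 4 disabled
    name: str
    display: str
    command_line: str     # ImagePath as registered (may carry arguments)
    image_path: str       # binary ComboFix resolved the ImagePath to
    details: str          # "date time size", or "?" when ComboFix could not stat it
    flags: List[str] = field(default_factory=list)


def triage_flags(e: ServiceEntry) -> List[str]:
    """Heuristics (this example's assumptions) marking entries worth a closer look."""
    flags = []
    low = e.image_path.lower()
    if low.startswith(USER_WRITABLE_PREFIXES):
        flags.append("user-writable-location")       # services normally sit under Program Files / system32
    if e.details == "?":
        flags.append("file-not-found")               # ComboFix printed [?]: binary missing or hidden
    if e.command_line != e.image_path:
        flags.append("command-line-with-arguments")  # e.g. a host exe told to load a DLL
    if low.endswith(".sys") and "\\windows\\system32\\drivers\\" not in low:
        flags.append("driver-outside-system32")      # kernel driver shipped by an application
    return flags


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line; returns None for non-service lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    details = ""
    # Trailing "[date time size]" or "[?]" block.
    if rest.endswith("]") and " [" in rest:
        rest, details = rest.rsplit(" [", 1)
        details = details[:-1]
    # When ImagePath is a full command line, ComboFix prints
    # "<command line> --> <resolved binary>" (as seen on the SeekeenSrch line).
    if " --> " in rest:
        command_line, image_path = rest.rsplit(" --> ", 1)
    else:
        command_line = image_path = rest
    entry = ServiceEntry(m.group("state"), int(m.group("start")), m.group("name"),
                         m.group("display"), command_line.strip(), image_path.strip(), details)
    entry.flags = triage_flags(entry)
    return entry


def parse_services(text: str) -> List[ServiceEntry]:
    return [e for e in (parse_service_line(l) for l in text.splitlines()) if e]


def suspicious_services(text: str) -> List[ServiceEntry]:
    """Entries that raised at least one triage flag."""
    return [e for e in parse_services(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious_services(SAMPLE_LINES):
        print(f"{e.state}{e.start_type} {e.name!r}: {e.image_path}  flags={e.flags}")
```

Run against the sample, the two Free Ride Games drivers are flagged only because they are kernel drivers living outside system32\drivers (which is why the helper sent them to VirusTotal rather than removing them outright), Google Update raises nothing, and SeekeenSrch collects all three of the profile-path, missing-file and DLL-argument flags, matching the helper's decision to script it out.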
-
Logs as requested
I would like to see if we can clean this up. I'm doing this for a relative and I'd like to avoid an OS install if possible.
VirusTotal logs: (I'll probably uninstall the Free Ride games once everything is cleaned up)
user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
X4HS32Ex.sys
Submission date:
2011-03-23 14:01:22 (UTC)
Current status:
queued (#1) queued (#1) analysing finished
Result:
0/ 41 (0.0%)
VT Community
not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.03.23.01 2011.03.23 -
AntiVir 7.11.5.44 2011.03.23 -
Antiy-AVL 2.0.3.7 2011.03.22 -
Avast 4.8.1351.0 2011.03.23 -
Avast5 5.0.677.0 2011.03.23 -
AVG 10.0.0.1190 2011.03.23 -
BitDefender 7.2 2011.03.23 -
CAT-QuickHeal 11.00 2011.03.23 -
ClamAV 0.96.4.0 2011.03.23 -
Commtouch 5.2.11.5 2011.03.22 -
Comodo 8075 2011.03.23 -
DrWeb 5.0.2.03300 2011.03.23 -
eSafe 7.0.17.0 2011.03.22 -
eTrust-Vet 36.1.8231 2011.03.23 -
F-Prot 4.6.2.117 2011.03.22 -
F-Secure 9.0.16440.0 2011.03.23 -
Fortinet 4.2.254.0 2011.03.23 -
GData 21 2011.03.23 -
Ikarus T3.1.1.97.0 2011.03.23 -
Jiangmin 13.0.900 2011.03.23 -
K7AntiVirus 9.94.4188 2011.03.23 -
McAfee 5.400.0.1158 2011.03.23 -
McAfee-GW-Edition 2010.1C 2011.03.23 -
Microsoft 1.6603 2011.03.23 -
NOD32 5977 2011.03.23 -
Norman 6.07.03 2011.03.22 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.23 -
PCTools 7.0.3.5 2011.03.21 -
Prevx 3.0 2011.03.23 -
Rising 23.50.01.06 2011.03.22 -
Sophos 4.63.0 2011.03.23 -
SUPERAntiSpyware 4.40.0.1006 2011.03.23 -
Symantec 20101.3.0.103 2011.03.23 -
TheHacker 6.7.0.1.155 2011.03.23 -
TrendMicro 9.200.0.1012 2011.03.23 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.23 -
VBA32 3.12.14.3 2011.03.23 -
VIPRE 8792 2011.03.23 -
ViRobot 2011.3.23.4372 2011.03.23 -
VirusBuster 13.6.265.0 2011.03.23 -
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
X4HSEx.sys
Submission date:
2011-03-23 14:02:42 (UTC)
Current status:
queued queued (#2) analysing finished
Result:
0/ 43 (0.0%)
VT Community
not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.03.23.01 2011.03.23 -
AntiVir 7.11.5.44 2011.03.23 -
Antiy-AVL 2.0.3.7 2011.03.22 -
Avast 4.8.1351.0 2011.03.23 -
Avast5 5.0.677.0 2011.03.23 -
AVG 10.0.0.1190 2011.03.23 -
BitDefender 7.2 2011.03.23 -
CAT-QuickHeal 11.00 2011.03.23 -
ClamAV 0.96.4.0 2011.03.23 -
Commtouch 5.2.11.5 2011.03.22 -
Comodo 8075 2011.03.23 -
DrWeb 5.0.2.03300 2011.03.23 -
Emsisoft 5.1.0.4 2011.03.23 -
eSafe 7.0.17.0 2011.03.22 -
eTrust-Vet 36.1.8231 2011.03.23 -
F-Prot 4.6.2.117 2011.03.22 -
F-Secure 9.0.16440.0 2011.03.23 -
Fortinet 4.2.254.0 2011.03.23 -
GData 21 2011.03.23 -
Ikarus T3.1.1.97.0 2011.03.23 -
Jiangmin 13.0.900 2011.03.23 -
K7AntiVirus 9.94.4188 2011.03.23 -
Kaspersky 7.0.0.125 2011.03.23 -
McAfee 5.400.0.1158 2011.03.23 -
McAfee-GW-Edition 2010.1C 2011.03.23 -
Microsoft 1.6603 2011.03.23 -
NOD32 5977 2011.03.23 -
Norman 6.07.03 2011.03.22 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.23 -
PCTools 7.0.3.5 2011.03.21 -
Prevx 3.0 2011.03.23 -
Rising 23.50.01.06 2011.03.22 -
Sophos 4.63.0 2011.03.23 -
SUPERAntiSpyware 4.40.0.1006 2011.03.23 -
Symantec 20101.3.0.103 2011.03.23 -
TheHacker 6.7.0.1.155 2011.03.23 -
TrendMicro 9.200.0.1012 2011.03.23 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.23 -
VBA32 3.12.14.3 2011.03.23 -
VIPRE 8792 2011.03.23 -
ViRobot 2011.3.23.4372 2011.03.23 -
VirusBuster 13.6.265.0 2011.03.23 -
ComboFix Log:
ComboFix 11-03-22.09 - J 03/23/2011 9:31.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT -5:00]
Running from: c:\documents and settings\J\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\J\My Documents\Downloads\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-23 02:30 . 2011-03-23 02:30 -------- d-----w- c:\documents and settings\J\Local Settings\Application Data\AVG Security Toolbar
2011-03-23 02:04 . 2011-03-23 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2008-10-16 04:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-10-16 04:48 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-08-10 02:17 . 2010-08-10 02:17 464 ----a-w- c:\program files\0809201021175065.bat
2010-04-15 02:20 . 2010-04-15 02:20 458 ----a-w- c:\program files\0414201021202447.bat
2010-04-15 02:19 . 2010-04-15 02:19 453 ----a-w- c:\program files\0414201021192699.bat
2010-04-03 20:36 . 2010-04-03 20:36 469 ----a-w- c:\program files\0403201015360422.bat
2010-03-18 12:42 . 2010-03-18 12:42 455 ----a-w- c:\program files\031820107425510.bat
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-23_01.53.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-23 14:21 . 2011-03-23 14:21 16384 c:\windows\Temp\Perflib_Perfdata_720.dat
- 2006-03-04 03:33 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 66560 c:\windows\system32\mshtmled.dll
+ 2009-03-08 09:31 . 2010-12-20 23:59 55296 c:\windows\system32\msfeedsbs.dll
- 2009-03-08 09:31 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-10 11:00 . 2010-11-06 00:26 43520 c:\windows\system32\licmgr10.dll
+ 2004-08-10 11:00 . 2010-12-20 23:59 43520 c:\windows\system32\licmgr10.dll
+ 2004-08-10 11:00 . 2010-12-20 23:59 25600 c:\windows\system32\jsproxy.dll
- 2004-08-10 11:00 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-03-08 09:31 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 09:31 . 2010-12-20 23:59 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-03-08 09:34 . 2010-12-20 23:59 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-03-08 09:34 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-03-08 09:33 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-03-08 09:33 . 2010-12-20 23:59 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2004-08-10 11:00 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
- 2004-08-10 11:00 . 2009-12-14 07:08 33280 c:\windows\system32\csrsrv.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 12800 c:\windows\ie8updates\KB2482017-IE8\xpshims.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 66560 c:\windows\ie8updates\KB2482017-IE8\mshtmled.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 55296 c:\windows\ie8updates\KB2482017-IE8\msfeedsbs.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 43520 c:\windows\ie8updates\KB2482017-IE8\licmgr10.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 25600 c:\windows\ie8updates\KB2482017-IE8\jsproxy.dll
- 2006-03-04 03:33 . 2010-11-06 00:26 916480 c:\windows\system32\wininet.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 916480 c:\windows\system32\wininet.dll
- 2004-08-10 11:00 . 2008-04-14 00:12 135168 c:\windows\system32\shsvcs.dll
+ 2004-08-10 11:00 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
- 2004-08-10 11:00 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll
+ 2004-08-10 11:00 . 2010-12-20 23:59 206848 c:\windows\system32\occache.dll
+ 2004-08-10 11:00 . 2010-12-09 15:15 718336 c:\windows\system32\ntdll.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 611840 c:\windows\system32\mstime.dll
- 2006-03-04 03:33 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll
+ 2009-03-08 09:32 . 2010-12-20 23:59 602112 c:\windows\system32\msfeeds.dll
- 2009-03-08 09:32 . 2010-11-06 00:26 602112 c:\windows\system32\msfeeds.dll
- 2004-08-10 11:00 . 2009-06-25 08:25 730112 c:\windows\system32\lsasrv.dll
+ 2004-08-10 11:00 . 2010-12-20 17:26 730112 c:\windows\system32\lsasrv.dll
+ 2004-08-10 11:00 . 2010-12-22 12:34 301568 c:\windows\system32\kerberos.dll
- 2004-08-10 11:00 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos.dll
+ 2006-03-04 03:33 . 2010-12-20 23:59 184320 c:\windows\system32\iepeers.dll
- 2006-03-04 03:33 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll
- 2004-08-10 11:00 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-10 11:00 . 2010-12-20 23:59 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-10 11:00 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe
+ 2004-08-10 11:00 . 2010-12-20 12:55 173568 c:\windows\system32\ie4uinit.exe
- 2008-10-15 21:43 . 2011-02-01 19:50 181832 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-15 21:43 . 2011-03-23 02:28 181832 c:\windows\system32\FNTCACHE.DAT
- 2008-08-20 05:30 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-08-20 05:30 . 2010-12-20 23:59 916480 c:\windows\system32\dllcache\wininet.dll
+ 2009-07-27 23:17 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
+ 2011-01-21 14:44 . 2011-01-21 14:44 439296 c:\windows\system32\dllcache\shimgvw.dll
+ 2004-08-10 11:00 . 2011-02-04 22:48 291840 c:\windows\system32\dllcache\sbe.dll
+ 2009-03-08 09:34 . 2010-12-20 23:59 206848 c:\windows\system32\dllcache\occache.dll
- 2009-03-08 09:34 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-04-15 16:13 . 2010-12-09 15:15 718336 c:\windows\system32\dllcache\ntdll.dll
+ 2009-03-08 09:32 . 2010-12-20 23:59 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-03-08 09:32 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2009-04-15 16:13 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-04-15 16:13 . 2010-12-20 17:26 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2011-01-27 11:57 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe
+ 2009-06-25 08:25 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
- 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-03-08 09:31 . 2010-12-20 23:59 184320 c:\windows\system32\dllcache\iepeers.dll
- 2009-03-08 09:31 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-07-10 02:56 . 2010-12-20 23:59 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-07-10 02:56 . 2010-11-06 00:26 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2009-03-08 19:09 . 2010-12-20 23:59 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-03-08 19:09 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-03-08 09:32 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-03-08 09:32 . 2010-12-20 12:55 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-10 11:00 . 2011-02-04 22:48 456192 c:\windows\system32\dllcache\encdec.dll
+ 2010-04-20 05:30 . 2011-01-07 14:09 290048 c:\windows\system32\dllcache\atmfd.dll
- 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 916480 c:\windows\ie8updates\KB2482017-IE8\wininet.dll
+ 2011-03-23 02:18 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2482017-IE8\spuninst\updspapi.dll
+ 2011-03-23 02:18 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2482017-IE8\spuninst\spuninst.exe
+ 2011-03-23 02:18 . 2010-11-06 00:26 206848 c:\windows\ie8updates\KB2482017-IE8\occache.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 611840 c:\windows\ie8updates\KB2482017-IE8\mstime.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 602112 c:\windows\ie8updates\KB2482017-IE8\msfeeds.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 247808 c:\windows\ie8updates\KB2482017-IE8\ieproxy.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 184320 c:\windows\ie8updates\KB2482017-IE8\iepeers.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 743424 c:\windows\ie8updates\KB2482017-IE8\iedvtool.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 387584 c:\windows\ie8updates\KB2482017-IE8\iedkcs32.dll
+ 2011-03-23 02:18 . 2010-11-03 12:26 173568 c:\windows\ie8updates\KB2482017-IE8\ie4uinit.exe
+ 2006-03-18 11:09 . 2010-12-20 23:59 1210880 c:\windows\system32\urlmon.dll
- 2006-03-18 11:09 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll
+ 2004-08-10 11:00 . 2011-01-21 14:44 8462336 c:\windows\system32\shell32.dll
- 2004-08-10 11:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2005-03-30 01:21 . 2010-12-09 13:42 2148864 c:\windows\system32\ntoskrnl.exe
+ 2005-03-30 01:01 . 2010-12-09 13:07 2027008 c:\windows\system32\ntkrnlpa.exe
+ 2006-03-23 17:32 . 2010-12-20 23:59 5961216 c:\windows\system32\mshtml.dll
- 2009-03-08 09:32 . 2010-11-06 00:26 1991680 c:\windows\system32\iertutil.dll
+ 2009-03-08 09:32 . 2010-12-20 23:59 1991680 c:\windows\system32\iertutil.dll
+ 2008-10-17 04:11 . 2010-12-31 13:10 1854976 c:\windows\system32\dllcache\win32k.sys
+ 2008-08-20 05:30 . 2010-12-20 23:59 1210880 c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:30 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll
- 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2008-06-17 19:02 . 2011-01-21 14:44 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2008-10-17 04:20 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-17 04:20 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-17 04:20 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-17 04:20 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-08-20 05:30 . 2010-12-20 23:59 5961216 c:\windows\system32\dllcache\mshtml.dll
+ 2011-02-02 07:58 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2009-09-17 18:16 . 2010-12-20 23:59 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2011-03-23 02:05 . 2011-03-23 02:05 3277312 c:\windows\Installer\15fa20.msi
+ 2011-03-23 02:03 . 2011-03-23 02:03 1611776 c:\windows\Installer\15fa1c.msi
+ 2011-03-23 02:18 . 2010-11-06 00:26 1210880 c:\windows\ie8updates\KB2482017-IE8\urlmon.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 5959168 c:\windows\ie8updates\KB2482017-IE8\mshtml.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 1991680 c:\windows\ie8updates\KB2482017-IE8\iertutil.dll
+ 2008-10-17 04:20 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-17 04:20 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-17 04:20 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-17 04:20 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-17 13:22 . 2011-03-03 00:56 37943240 c:\windows\system32\MRT.exe
+ 2009-03-08 09:39 . 2010-12-21 10:29 11080704 c:\windows\system32\ieframe.dll
- 2009-03-08 09:39 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll
- 2009-09-17 18:16 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2009-09-17 18:16 . 2010-12-21 10:29 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2011-03-23 02:18 . 2010-11-06 00:26 11080704 c:\windows\ie8updates\KB2482017-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
.
c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdate1c9b6296af48476"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 09:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\l3codeca.acm
.
- - - - - - - > 'explorer.exe'(3272)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-23 09:37:52
ComboFix-quarantined-files.txt 2011-03-23 14:37
ComboFix2.txt 2011-03-23 01:55
.
Pre-Run: 73,506,562,048 bytes free
Post-Run: 73,492,258,816 bytes free
.
- - End Of File - - 72D84D105BE313EA25CC28B8CA708CBA
-
Hi sam, thanks for the logs.
Apparently the ComboFix script didn't work. Have you uninstalled AVG? Please download the attached CFscript.txt file at the bottom of my post and save it to your desktop.
- Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
- This will start ComboFix again. Close all browser/windows first.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
http://img.photobucket.com/albums/v6...FScriptB-4.gif
**Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Please advise if the upload was successful and post back including the Combofix log.
-
Combofix
I think I did something wrong the first time through.
Log:
ComboFix 11-03-23.01 - J 03/23/2011 13:34:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.594 [GMT -5:00]
Running from: c:\documents and settings\J\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\J\My Documents\Downloads\CFscript.txt
.
FILE ::
"c:\program files\031820107425510.bat"
"c:\program files\0403201015360422.bat"
"c:\program files\0414201021192699.bat"
"c:\program files\0414201021202447.bat"
.
file zipped: c:\program files\0809201021175065.bat
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\031820107425510.bat
c:\program files\0403201015360422.bat
c:\program files\0414201021192699.bat
c:\program files\0414201021202447.bat
c:\program files\0809201021175065.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-23 02:30 . 2011-03-23 02:30 -------- d-----w- c:\documents and settings\J\Local Settings\Application Data\AVG Security Toolbar
2011-03-22 13:40 . 2011-03-22 13:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 11:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 11:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2008-10-16 04:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-10-16 04:48 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2011-03-23_14.36.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-23 18:27 . 2011-03-23 18:27 16384 c:\windows\Temp\Perflib_Perfdata_728.dat
+ 2011-03-23 14:48 . 2011-03-23 14:48 3277312 c:\windows\Installer\17a407.msi
+ 2011-03-23 14:47 . 2011-03-23 14:47 1611776 c:\windows\Installer\17a403.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
.
c:\documents and settings\JoAnne\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - c:\documents and settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JoAnne^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\JoAnne\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2005-05-19 16:54 1345520 ----a-w- c:\windows\system32\CTMBHA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-23 00:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdate1c9b6296af48476"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [3/15/2010 11:09 AM 53280]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [4/16/2010 6:53 PM 56352]
S2 gupdate1c9b6296af48476;Google Update Service (gupdate1c9b6296af48476);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 3:02 PM 133104]
S4 SeekeenSrch Service;SeekeenSrch Service;"c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" "c:\program files\SeekeenSrch\seekeen.dll" Service --> c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CFCATCHME
*Deregistered* - CFcatchme
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 20:02]
.
2011-03-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{D019EACA-BB13-46C6-A08A-1B23C328FB16}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
TCP: {765C18A5-C191-4DBC-8A3D-878975069E64} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\645nbkj0.default\
FF - Ext: RealArcade V3.1 Plugin: npmozax31@real.com - c:\program files\Mozilla Firefox\extensions\npmozax31@real.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Seekeen: {DB390D2E-0FB4-413F-B039-AE342D1D40BA} - c:\program files\Mozilla Firefox\extensions\{DB390D2E-0FB4-413F-B039-AE342D1D40BA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 13:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\l3codeca.acm
.
Completion time: 2011-03-23 13:41:17
ComboFix-quarantined-files.txt 2011-03-23 18:41
ComboFix2.txt 2011-03-23 14:37
ComboFix3.txt 2011-03-23 01:55
.
Pre-Run: 73,157,271,552 bytes free
Post-Run: 73,138,380,800 bytes free
.
- - End Of File - - 1026AD96D9E2171A5F490801A1CB93EC
Upload was successful
-
Hi,
Please download The Avenger2 by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop
1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Code:
Begin copying here:
Drivers to delete:
SeekeenSrch Service
Files to delete:
c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
c:\program files\SeekeenSrch\seekeen.dll
Folders to delete:
c:\program files\SeekeenSrc
c:\documents and settings\All Users\Application Data\SeekeenSrch
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, open the avenger folder and start The Avenger program by clicking on its icon.
- Right click on the window under Input script here:, and select Paste.
- You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
- Click on Execute
- Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.
-
Avenger Log
The log is below:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "SeekeenSrch Service" deleted successfully.
Error: file "c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" not found!
Deletion of file "c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\program files\SeekeenSrch\seekeen.dll" not found!
Deletion of file "c:\program files\SeekeenSrch\seekeen.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: folder "c:\program files\SeekeenSrc" not found!
Deletion of folder "c:\program files\SeekeenSrc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Folder "c:\documents and settings\All Users\Application Data\SeekeenSrch" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
-
Hi,
We are almost done. Please follow these steps:
Step 1 | Please download CCleaner (freeware)
- Run the installer.
- Once installed, run CCleaner and click the Windows [tab]
- The following should be selected by default, if not, please select:
- Next: click Options (in the left panel) and click the Advanced button.
- Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
- Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.
Step 2 | Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Step 3 | Let's perform an ESET Online Scan
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
- Please go here then click on: http://i280.photobucket.com/albums/k...bum2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
- Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/k...bum2/EOLS2.gif
- When prompted allow the Add-On/Active X to install.
- Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Now click on: http://i280.photobucket.com/albums/k...bum2/EOLS3.gif
- The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
- When completed the Online Scan will begin automatically.
- Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
- When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic.
- Now click on: http://i280.photobucket.com/albums/k...bum2/EOLS4.gif (Selecting Uninstall application on close if you so wish)