
Is my system clean? And some questions.


Hi -- I am running XP Pro, SP2. I am trying to make sure my system is clear of malware before installing SP3. If someone could look at my anti-spyware logs and advise me, I would really appreciate it.

I ran Spybot on 1-18-09 (which reported a problem with some of my Mozilla bookmarks, and I let it delete them).

I ran the MalwareBytes quick scan (currently, no problems reported, although an earlier scan found and removed Trojan.DNSChanger).

I ran the Panda Active online scan on 1-19-09, which found 2 related "infections": C:\Documents and Settings\(user)\My Files\Zotero manual backups\zotero\storage\7074\mm.js and C:\Documents and Settings\(user)\Application Data\Mozilla\Firefox\Profiles\le4fn0bz.default\zotero\storage\7074\mm.js. I use the Zotero Firefox add-on, which takes "snapshots" of websites. So I deleted the 2 .js files it said were infected (the second was a manual backup I had made of the first). When I re-ran the Panda Active scan, scanning just the folders where the "infections" were found, nothing was found.

(Also, the Panda scan reported that Windows Defender was not running and was not up-to-date, but that wasn't really the case -- I always turn off resident anti-malware and antivirus when running scans. Usually Windows Defender autostarts on boot up, and it is usually pretty up-to-date (there's a lag because it seems I have to be logged into an admin acct to update it, and I usually log in as a limited user.))

Then, today, on 1-27-09, I re-ran the Panda Active scan, scanning the whole computer. This time it found a tracking cookie in the (hidden) Recycler folder. I have set my computer to see hidden files and folders, so I can see the Recycler folder, and within that, I can see the folder that supposedly has the tracking cookie, but I can't see within the contents of that folder. I wasn't sure if it was safe to delete the whole folder. Can I do that?

I re-ran the MalwareBytes quick scan -- no problems detected. Lastly, I ran HJT. The logs of the Panda, MalwareBytes, and HJT scans are pasted below. I am also pasting the earlier MalwareBytes scan that found and removed Trojan.DNSChanger.

Regarding router settings, about a month back, when I ran a MalwareBytes quick scan, it found and removed Trojan.DNSChanger. I have a wired router (Linksys BEFSR41), which I rebooted, probably unnecessarily, accidentally losing all my settings in the process. Other than re-setting the default password, I am running with the factory defaults -- are there other changes I should make?

Also, about 3 weeks ago, when I ran an a-squared free quick scan, it found a toolbar: Trace.Director.Berm.Amazon.Toolbar!A2, which I believe was associated with the Amazon MP3 downloader I had recently installed. I removed the toolbar (with some difficulty), and this item no longer shows up on the scan. But I would like to use the Amazon MP3 Downloader -- does anyone know if it really is a security/privacy problem?

Lastly, I have been running Avast free, a-2 anti-dialer free, WinPatrol free, Teatimer (from SpyBot), and Windows Defender as resident malware programs, along with Sygate Personal Firewall (which I am planning on replacing with Comodo free, once I have successfully installed SP3). Someone recently advised me not to use Teatimer and WinPatrol together. If that is true, which one is better to use? And I recently learned of Threatfire and Spyware Terminator - can I add those as resident programs, or will they conflict with the ones I already have?

Sorry for having so many questions! Thank you very much in advance.



************************************* Earlier MBAM scan from 12-25-08 ******************************



Malwarebytes' Anti-Malware 1.31

Database version: 1542

Windows 5.1.2600 Service Pack 2

12/25/2008 1:18:24 PM

mbam-log-2008-12-25 (13-18-24).txt

Scan type: Quick Scan

Objects scanned: 65922

Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 18

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{8baf1854-f49f-487f-b4cc-2bd30ea16ad6} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6640d4aa-bc85-465d-a5fc-b45fa49183df} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{80d8f922-cebb-4476-b2a6-0264a711e523} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{d76d7128-4a96-11d3-bd95-d296dc2dd072} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{82f2e220-92e8-11d3-9a1d-f2a67fd05a28} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{8e203240-537d-11d3-bd8c-000000000000} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d76d7129-4a96-11d3-bd95-d296dc2dd072} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d76d712b-4a96-11d3-bd95-d296dc2dd072} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d76d712c-4a96-11d3-bd95-d296dc2dd072} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d76d712e-4a96-11d3-bd95-d296dc2dd072} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{a8561640-e93c-11d3-ac3b-ce6078f7b616} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{65418922-15d8-11d4-9a1f-928ff56cbe2b} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{a8561641-e93c-11d3-ac3b-ce6078f7b616} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{a8561642-e93c-11d3-ac3b-ce6078f7b616} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a8561647-e93c-11d3-ac3b-ce6078f7b616} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{dcc46394-4b19-11d3-bd95-d426ef2c7949} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{dcc463a0-4b19-11d3-bd95-d426ef2c7949} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{dcc463a1-4b19-11d3-bd95-d426ef2c7949} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\videosoft\Shared Files (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\videosoft\Shared Files\ViewRep7.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\videosoft\Shared Files\Vsflex7.ocx (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\videosoft\Shared Files\VSPRINT7.ocx (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\videosoft\Shared Files\VSStr7.ocx (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\smss.TMP (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



************************************* Current MBAM scan on 1-27-09 *********************************



Malwarebytes' Anti-Malware 1.33

Database version: 1699

Windows 5.1.2600 Service Pack 2

1/27/2009 2:52:29 PM

mbam-log-2009-01-27 (14-52-29).txt

Scan type: Quick Scan

Objects scanned: 67412

Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)



************************************* Panda ActiveScan on 1-27-09 **********************************

ANALYSIS: 2009-01-27 12:43:06

Description                                  Version   Active  Updated
avast! antivirus 4.8.1296 [VPS 090127-0]     4.8.1296  No      Yes

Id        Description  Type            Active  Severity  Disinfectable  Disinfected  Location
00194327  Cookie/Go    TrackingCookie  No      0         Yes            No           C:\RECYCLER\S-1-5-21-3908239666-3443521031-15504225-500\Dc7\(user_name)@go[1].txt
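The MBAM logs pasted in this thread all follow one layout: a block of per-category counters, then one section per category listing each detection as "location (threat) -> action". The Python helper below is an added example, not code from the thread, from Malwarebytes or from the forum staff; it parses that layout, groups detections by category and threat name, flags counters that disagree with the itemised lines (a sign of a truncated or edited paste) and lists items not reported as quarantined. The sample log is a constructed excerpt of the 12-25-08 log above, trimmed to five items with the counters adjusted to match.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) 1.3x text logs.

Added example; not code from this thread or from Malwarebytes.  An MBAM log has
"<Category> Infected: N" counters followed by one "<Category> Infected:" section
per category, each line being "<location> (<threat>) -> <action>." or
"(No malicious items detected)".
"""
import re
from collections import Counter, defaultdict

# Constructed sample: excerpt of the 12-25-08 log posted above, trimmed to five
# items; the counters were adjusted to match the trimmed item list.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1542

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{8baf1854-f49f-487f-b4cc-2bd30ea16ad6} (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{80d8f922-cebb-4476-b2a6-0264a711e523} (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\videosoft\Shared Files\ViewRep7.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss.TMP (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

COUNTER_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return (counters, items): counters maps category -> declared count;
    items is a list of dicts with category, location, threat and action."""
    counters, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("category")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("category")
            continue
        if section is None or line == NO_ITEMS:
            continue  # header lines before any section, or an empty section
        m = ITEM_RE.match(line)
        if m:
            items.append({"category": section, **m.groupdict()})
    return counters, items


def threats_by_category(items):
    """category -> {threat name: item count}, i.e. which family hit what."""
    out = defaultdict(Counter)
    for item in items:
        out[item["category"]][item["threat"]] += 1
    return {cat: dict(c) for cat, c in out.items()}


def counter_mismatches(counters, items):
    """{category: (declared, itemised)} where the two disagree.  MBAM writes the
    counters before the items, so a mismatch means the paste was truncated or
    edited; ask for the original mbam-log-*.txt before judging the machine."""
    seen = Counter(item["category"] for item in items)
    return {cat: (declared, seen.get(cat, 0))
            for cat, declared in counters.items() if declared != seen.get(cat, 0)}


def unresolved_items(items):
    """Items whose action is not a completed quarantine (e.g. a delete deferred
    to the next reboot); these need a follow-up scan after restarting."""
    return [item for item in items
            if not item["action"].lower().startswith("quarantined and deleted")]


def triage(text):
    """One-call summary: is the log clean, what was found, and can it be trusted."""
    counters, items = parse_mbam_log(text)
    return {
        "clean": not items and all(n == 0 for n in counters.values()),
        "threats": threats_by_category(items),
        "counter_mismatches": counter_mismatches(counters, items),
        "unresolved": unresolved_items(items),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```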


  • Root Admin

You have Spybot TEA TIMER running and it needs to be disabled to do these updates.

Disable Teatimer

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Please go into the Control Panel, Add/Remove Programs and, for now, remove ALL versions of JAVA.

When we're done you can go back and install the latest version, but for now please do not install any.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

Then run the following.

With all other applications closed (Taskbar empty), open HijackThis again, run Do a system scan only, and place a check mark on the following items.

  • O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
  • O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
  • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  • O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Plug-in 1.4.2_04) -
  • O16 - DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} (Java Plug-in 1.4.2_10) -
  • O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
  • O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
  • O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.6.0_06) -
  • O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -

Then quit all browsers, including the one you're reading this in now.

Then click on Fix checked, and then quit HJT.

This is not malware, but you may want to confirm it's up to date for use with XP and SP3:

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

Please RESTART the computer and then run this tool

Please download the following scanning tool. GMER

  • Open the zip file and copy the file
    to your Desktop.
  • Double click on
    and run it.

  • It may take a minute to load and become available.

  • Do not make any changes. As soon as it's done and the
    button is available click on the

  • DO NOT
    Click on the

  • This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.

  • Click OK and quit the GMER program.


Hi -- thank you very much for the instructions, and sorry for the delay in carrying them out -- I've been a little tight for time. I hope to work on this later tonight, or else certainly this weekend. Also, I think I should run a quick incremental backup before I start making changes; wouldn't that be advisable?

Again, thanks so much, and I will be back on soon.


Ok, here's what I've done so far:

1) Ran incremental backup. (Would have been nice to do full backup, but tight for time.)

2) Backed up registry.

3) Set System Restore Pt (which I guess may need to be purged later).

4) Uninstalled Easy CD Creator. (And ran CCleaner on admin acct to clean up the aftermath.)

5) Disabled TeaTimer as per your instructions.

I looked for Java entries in Add/Remove programs. Only Java 6, Update 11 shows. I had previously removed older versions using Add/Remove Programs, but obviously some of the uninstalls must have been incomplete. So tomorrow, I will go ahead and follow all your instructions about removing Java.

And then I will make the fixes you specified with HJT, and run GMER. Then I'll be back! Hope everything I've done so far was right. Thanks so much again.

Oh -- one question -- to do the HJT fixes, I am supposed to close all other apps (Taskbar empty), but I am not sure I can empty the taskbar completely, because:

1) I have this program Strokeit, which I don't know how to remove from the taskbar. If you right-click its icon, the icon goes from white to red, which I've been assuming disables it. (Haven't actually used this program yet, but it looked interesting, and I was planning to try it -- it's some sort of mouse-gesture program, if I remember correctly.) Is disabling it sufficient?

2) Likewise, the Avast icon is always there -- I can stop all on-access protection, but the icon stays, with a red mark through it. Do I have to do something more to close it?

3) I usually leave my Firewall on (Sygate Personal) - is that ok, or should I shut that down, too? I have a NAT router, so it should be ok to close it.

4) Also, the volume icon and the Windows security center icon always remain, and I don't think I can get rid of them. I assume that's okay...

Sorry, but I'm just not all that clear on some of this stuff. Thanks a lot.


Ok -- As of last post, I had already disabled TeaTimer and uninstalled Easy CD Creator. Here's what I have done now:

1) Using Add/Remove programs, I removed the only listed Java program (Java 6, update 11).

2) I used JavaRa (log posted below).

3) I deleted the Java folders you listed. One question on this -- for C:\Documents and Settings\username\Application Data\Sun\Java -- did you mean for me to delete the Sun folder, as well as the Java folder contained within it? I deleted only the Java folder (for each user), but not the Sun folder. Should I go back and delete all the Sun folders?

4) I ran HJT. I tried to locate and fix all the items you noted. However, the first five of the O16 items were no longer listed (I believe JavaRa removed them). I fixed the two O2 items, the two O6 items, and the last O16 item, the one related to Java Plug-in 1.6.0_07. (By the way, it was no longer labelled "Java Plug-in 1.6.0_07", but the earlier portion was identical, so I went ahead and had it fixed -- hope that's okay.)

Just curious -- can you please tell me what it is that I fixed -- e.g., what were the BHOs? Was one related to a Google toolbar, or was I infected with something worse?

Also, why do I have Symantec stuff showing up? I no longer use any on-board Symantec programs, but perhaps I have sometimes used their online scanner -- would that account for it?

5) I ran the GMER program and the log is pasted below.

Thanks so much! I await further instructions.



**************** START JavaRa Log *******************************************************************************

JavaRa 1.13 Removal Log.

Report follows after line.


The JavaRa removal process was started on Fri Jan 30 23:05:26 2009

Found and removed: C:\Program Files\Java\jre1.5.0_06

Found and removed: C:\Program Files\Java\jre1.6.0_01

Found and removed: C:\Program Files\Java\jre1.6.0_03

Found and removed: C:\Program Files\Java\jre1.6.0_05

Found and removed: C:\Program Files\Java\jre1.6.0_06

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.140

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.0

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.0

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_09

Found and removed: Software\JavaSoft\Java2D\1.5.0_11

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_01\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_06\


Finished reporting.

************************ END JavaRa log ****************************************************************************



************************************** START GMER LOG **************************************************************



GMER - http://www.gmer.net

Rootkit scan 2009-01-31 00:03:03

Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.14 ----
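The Root Admin's O16 fix list and the JavaRa log in this post can be reconciled mechanically: a Java plug-in's CLSID encodes its version, as HJT's own labels above show ({CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} is labelled Java Plug-in 1.4.2_04). The Python below is an added example, not code from the thread, from HijackThis or from JavaRa; it decodes those CLSIDs, collects the ones JavaRa reports removing, and reports which HJT O16 entries still need a manual fix. The sample inputs are constructed from the six O16 lines in the fix list, two non-Java O16 lines from the HJT log posted later in this thread, and the CLSID-bearing lines of the JavaRa log above.

```python
"""Reconcile HijackThis O16 (Downloaded Program Files) Java plug-in entries
with a JavaRa removal log.

Added example; not code from this thread, HijackThis or JavaRa.  Java plug-in
CLSIDs have the form {CAFEEFAC-00MM-00mm-00uu-ABCDEFFEDCBA}; HJT's own labels in
the thread give the mapping ({CAFEEFAC-0014-0002-0004-...} is "Java Plug-in
1.4.2_04"), so major, minor and update number can be read off the CLSID.
"""
import re

# Constructed samples: the six O16 lines from the Root Admin's fix list, two
# non-Java O16 lines from the HJT log posted later in the thread, and the
# CLSID-bearing "Found and removed" lines of the JavaRa log above.
SAMPLE_HJT_O16 = r"""
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Plug-in 1.4.2_04) -
O16 - DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} (Java Plug-in 1.4.2_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.6.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
"""

SAMPLE_JAVARA = r"""
Found and removed: C:\Program Files\Java\jre1.5.0_06
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}
"""

JAVA_CLSID_RE = re.compile(
    r"\{CAFEEFAC-(?P<major>\d{4})-(?P<minor>\d{4})-(?P<update>\d{4})-ABCDEFFEDCBA\}",
    re.IGNORECASE)
# "O16 - DPF: {CLSID} (optional label) - optional URL"; the Java entries above
# end in a bare "-" because their codebase URL is empty.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<label>[^)]*)\))? -\s*(?P<url>.*)$")
JAVARA_RE = re.compile(r"^Found and removed: (?P<path>.+)$")


def decode_java_clsid(clsid):
    """'{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}' -> '1.4.2_04'; None if not a Java CLSID."""
    m = JAVA_CLSID_RE.fullmatch(clsid.strip())
    if not m:
        return None
    major, minor, update = m.group("major"), m.group("minor"), m.group("update")
    version = f"{major[2]}.{major[3]}.{int(minor)}"  # "0014" -> "1.4", "0002" -> 2
    return version if int(update) == 0 else f"{version}_{int(update):02d}"


def hjt_java_entries(hjt_text):
    """Java plug-in O16 lines as (CLSID, decoded version, HJT label), in log order."""
    entries = []
    for line in hjt_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        version = decode_java_clsid(m.group("clsid"))
        if version:
            entries.append((m.group("clsid").upper(), version, m.group("label") or ""))
    return entries


def javara_removed_clsids(javara_text):
    """Set of Java plug-in CLSIDs named in JavaRa 'Found and removed' lines."""
    removed = set()
    for line in javara_text.splitlines():
        m = JAVARA_RE.match(line.strip())
        if m:
            removed.update(c.group(0).upper() for c in JAVA_CLSID_RE.finditer(m.group("path")))
    return removed


def reconcile(hjt_text, javara_text):
    """Split the HJT Java entries into (already removed by JavaRa, still to fix in HJT)."""
    removed = javara_removed_clsids(javara_text)
    covered, remaining = [], []
    for clsid, version, _label in hjt_java_entries(hjt_text):
        (covered if clsid in removed else remaining).append((clsid, version))
    return covered, remaining


if __name__ == "__main__":
    covered, remaining = reconcile(SAMPLE_HJT_O16, SAMPLE_JAVARA)
    print("removed by JavaRa:", [v for _, v in covered])
    print("still to fix in HJT:", [v for _, v in remaining])
```

On the thread's own data this leaves exactly one entry to fix by hand, the 1.6.0_07 plug-in, which matches what the poster found when the first five O16 items had already disappeared.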


  • Root Admin

There are some fake Google toolbars, and one was listed. It does not delete the object; it just stops it from running so scanners can clean it if it is found to be invalid.

The Java removal is due to their code being exploited and allowing malware to get on your box just by having an old version running.

No, you don't have to remove the Sun folders.

Please run a new MBAM update and scan.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must right-click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT, Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.


Hi -- I ran the Malwarebytes quick scan (no problems reported) and the HJT scan. The logs are below.

Thank you - I will wait for your instructions.

*************** MALWAREBYTES QUICK SCAN LOG *****************

Malwarebytes' Anti-Malware 1.33

Database version: 1712

Windows 5.1.2600 Service Pack 2

1/31/2009 12:45:50 PM

mbam-log-2009-01-31 (12-45-50).txt

Scan type: Quick Scan

Objects scanned: 67309

Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

******** END MALWAREBYTES QUICK SCAN LOG **************

************ HJT LOG ***********************************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:51:36 PM, on 1/31/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\a-squared Anti-Dialer\a2service.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Strokeit\strokeit.exe

C:\Documents and Settings\TheBoss\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.bitdefender.com

O15 - Trusted Zone: http://*.lavasoft.com

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185414703250

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37540.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


End of file - 11059 bytes


It seems to be running fine. But there never were any signs of infection -- I only found the infections by running scans.

I have a couple of funny little things that happen, but I am sure they aren't related to malware. For instance:

1. Since about a month ago, every time I open a Word doc, a EULA agreement opens, and I have to accept it before going on to use Word. I am guessing that some MS update had a glitch.

2. Twice in the past week, my mouse suddenly stopped working, and I had to reboot to get it to work again. I have now switched it to a different USB port to see if that makes a difference. I don't know if it is a computer problem or a mouse problem.

3. Firefox is a little slow to open, but I am pretty darn sure that's because I usually have a saved session with several windows and a buzillion tabs. And I have a ton of things in my bookmark toolbar -- need to do some pruning! I also have recently added the Taboo and Read It Later add-ons, and those may also be slowing it down, I'm not sure.

4. In "My Computer" on an admin acct, there is a shortcut to one of the user's documents that is missing, which can be annoying. I haven't figured out how to put it back.

5. There is an online pdf file that I can open in some users, but in one user I get a msg that the file is damaged and cannot be repaired. Don't know why that is....

But I think these are all just little random glitches, and not signs of an infection. And as I said, even when problems were detected on scans (e.g., a-squared free found Trace.Directory.Berm.Amazon Toolbar!A2, and Malwarebytes found Trojan.DNSChanger), I did not have any symptoms of infection.

(Regarding the Amazon Toolbar -- I think that might have been installed as part of the Amazon MP3 Downloader. I googled it and checked the a-squared free forum, but didn't find much, which seemed odd, since you'd think a lot of people would have encountered the same detection if it was from the Amazon MP3 Downloader. Then I uninstalled the Amazon MP3 Downloader, and a-squared free no longer reported it. But I am thinking of reinstalling it, because I would like to use it -- do you know if it poses any risks?)

If you think I am ready, should I now re-install Java?

Turn TeaTimer on?

Toggle System Restore off and on?

At http://support.microsoft.com/kb/950717/, they list steps to take before loading SP3, and for Windows XP Pro, they recommend doing an ASR backup before the install. I can set up the ASR backup, but I can't actually create the boot disk, because I don't have a floppy drive, and the backup won't let you specify a CD drive! My plan was to go ahead and run the ASR backup -- it will create a backup, but not the boot disk. I have an older boot disk that was created when I had to swap the HD a few years back. Someone who was helping me then lent me a USB floppy drive, and I used that to create the ASR backup. Would the old boot disk work if needed? Or maybe I can try to borrow a USB floppy drive again.

I will run CCleaner on each user before running the backup. And I will also backup the registry.

It seems Microsoft is offering free support on SP3 installation (http://support.microsoft.com/oas/default.aspx?acty=ProductList&ctl=productlist&wf=PID&trl=PID~ProductList&x=16&y=11&ln=en-us&prid=11273&gprid=522131). The fact that they felt it necessary to do that -- and all the red ink they used! -- makes me think that this is a complex install, and that maybe I should have them walk me through it. I'm worried that something will come up that I won't know how to answer or handle. Do you think that sounds wise?

I also want to uninstall Sygate Personal Firewall and install Comodo free firewall, but I was advised to wait awhile after adding SP3 before doing that, so that if there are problems, I will know which is the cause.

And maybe I should add Spyware Terminator 2.5.1? And/or Threatfire? (After the SP3 install.)

Sorry for having so many questions...... Thanks so much for your time.

I am getting to the point where I am considering buying a Mac for my next computer. I spend so much time trying to prevent infections, updating antispyware programs, running scans, getting false positive results that take time to research, as well as the occasional true detection.... (Regarding scans -- would it make sense to have the scans ignore the My Pictures folder, where I have about 20+ GB of photos, mostly from my own camera, in order to speed things up?)


Hi, again -- My mouse problem just happened again -- suddenly stopped working. I unplugged it and plugged it back in (I think to a different USB port), and the system recognized it as new hardware, and now it works again, without rebooting.

I started Googling the mouse problem. I found this on http://forums.cnet.com/5208-6121_102-0.htm...ssageID=1028128 : "... I recently repaired a computer which used a USB optical mouse which also had problems... After running ALL of the spyware removal tools from the links below, it cleared up the problem. No guarantees, but if nothing else, you've cleaned out the machine a little. Download them all, install them, update them, then run them: Ad-Aware


  • Root Admin

We're just about done I think.

Please run the following and see if it corrects a few items or not.

Let's go ahead and clear and reset the System Restore area now.

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Then download and run the following tool Dial-a-fix

When that is all done please download this tool but restart the computer before running it.

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here:
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here:
  • Extract the program file to a new folder such as
  • Run the program and go to the tab and click on the
  • Select of the checkboxes and then click and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as
  • Save it as - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.


Hi -- I will work through the remaining steps tomorrow eve. Just one question -- CCleaner only cleans the current user, according to their FAQ, so in XP Pro, don't I have to run CCleaner on each user (ie, temporarily give each user admin privileges, install CCleaner and run it?) I've done this in the past, but CCleaner has been updated since I last downloaded it, so I will have to do it again.


Not yet finished working through all the steps. Have toggled System Restore off and on. Have used CCleaner. Have downloaded Dial-a-fix (the newer, beta version, which is recommended), but have not run it yet. I hope I will understand how to run it... Will it reset services that I have disabled or set to manual? (Eg, I disabled the Windows Messenger service which is associated with IM, since I never IM -- I can't remember the exact name right now.)

Some questions on CCleaner -- should I always run it with the settings you suggested? In the past, I had run it with the check mark in the "Only delete Windows temp folders more than 48 hrs old". And I used to have check marks for the Memory dumps and Windows Log files. Also, I usually leave the Cookies unchecked. (I have Firefox set to delete cookies on exit, except for a few chosen sites, and I didn't want to have those cookies removed.) I have also been leaving Desktop shortcuts unchecked -- does it only remove outdated ones?

Most significantly, in the past, I have been using the registry cleaner, with all items checked. I always back up the registry changes (there is a check box for a prompt to back up the changes under Advanced Options). Is it bad to clean the registry? I have never had a problem. A lot of what it removes are uninstaller left-overs.

I will post tomorrow after I use Dial-a-fix and RootRepeal. Thanks!


Whoa! I just started reading http://wiki.lunarsoft.net/wiki/Dial-a-fix#WARNINGS !!! It is making me quite nervous!

Quote: "Here is a list of the things (in order) that you should do and be aware of before using Dial-a-fix. " Do you recommend that I run through the steps that they recommend???

Also, I forgot to mention this earlier, but when I click on Device Manager, there is a section that says "Other devices", and it has a yellow question mark next to it. Under that there are 6 lines that say "Unknown device", and each has a yellow question mark with a red slash through it. Other than that, the only hardware problem I am aware of is that my mouse is intermittently not working. I will buy another soon.

Oh, and sometimes, in my taskbar, there will be an icon with a tooltip that says "a network cable is unplugged". When I put my mouse over it, it disappears. My internet connection seems fine (I have a Linksys wired router). When I first got this computer, it was set up as a network with my old computer (Win 98! - I can't remember which edition). The old computer is no longer plugged in, but I never tried to undo the network. This peculiar thing with the network icon has been going on forever, and no harm seems to come of it, so I haven't pursued it.

I was able to borrow a USB floppy drive. So when we've completed all the steps, I can run an ASR backup before installing SP3. I think I'd better get the new mouse before the install, too. I'd hate to get hung up in the middle (assuming it requires any input from me).

Thanks - pls advise as to whether to follow the steps suggested by Dial-a-fix.


  • Root Admin

Well basically those are there because users will try to point the finger at their program.

The issue is that at any given time anything both hardware or software can go wrong with a computer.

The main thing to do is BACKUP YOUR DATA which is always the case and if you haven't been doing it you should.

Data that is not backed up must be data you don't really care about because sooner or later something will happen to threaten it.

I cannot guarantee that nothing will happen but I've run it on systems myself and have never had an issue with it.

It may not fix your problems either, but it is one of the better tools out there to at least attempt to fix it.

We can have you run this tool which will also help us find underlying Malware that could be hiding.

Please visit this webpage for instructions for downloading ComboFix to your

Please ensure you read this guide carefully and install the Recovery Console first.


You must save and run on your DESKTOP and not from any other folder.

Do not click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:


Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the along with a new HijackThis log so we may continue cleaning the system.


I would like to make a new backup of my data before proceeding. I have backups, but they are a series of incremental backups, which makes me feel a bit insecure. I borrowed a USB floppy drive, so I can go ahead and make an ASR backup. (It will take a few hours because I have about 70GB total on the C: drive, and I need to delete files from my external HD and defrag it. Or I may just back up the 50GB of user data.)

(By the way, the Windows XP Pro backup system drives me a little crazy. I have installed Macrium Reflect free and SyncBack, but haven't tried to use them yet. I am also planning to sign up for online backup.)

After making the backup, should I run the Dial-a-fix and RootRepeal first, and then run ComboFix?

Before running Dial-a-fix, I was going to try to go through the steps suggested at http://wiki.lunarsoft.net/wiki/Dial-a-fix#WARNINGS . The first step is "verify the integrity of your memory modules -- Download Memtest86+." I was not sure which version to download from http://www.memtest.org/#downiso -- is it the "pre-compiled package for floppy for (Dos-Win)"?

And then the next steps prior to running Dial-a-fix are running HD Tune (to see the current S.M.A.R.T. status of my drive) and then verifying the integrity of the filesystem.

Well, at least I am learning about some interesting tools -- though I don't think that I could run any of them without supervision.


  • Root Admin

I really think those tools are overkill myself. Unless you've been having some sort of hardware issue they shouldn't show any issue either.

If you're having a hardware issue then it really should probably show up in the Event Logs

Click on START - RUN and type in EVENTVWR and look at all the logs (mainly RED and YELLOW ones) and look for hardware related errors.

If you're paranoid then by all means go ahead and run the tools. But basically all the Dial-A-Fix is doing is checking, resetting some registry keys, and unregistering and then re-registering some DLL files of the Operating System, and moving some folders and files around. If you've not been losing data or getting error messages about your hardware then I wouldn't expect any issues by running the program.


I have looked at the Event Viewer logs.

Several errors/warnings occur repeatedly, but I think most are related to services and not hardware. I will try to copy some of them below.

The only hardware errors I noticed were a consecutive series of disk errors (about 100 or so entries) on Jan 29th between about 10:49 pm and 10:58 pm, on Jan 26. I looked back at my notebook, and I see that I was trying to run Panda Active Scan online that day (I don't know what time, but late evening is quite likely). When I tried to run it in Firefox, it would get part way thru the scan and then Firefox (but not my system) would crash. I subsequently ran the scan successfully in Internet Explorer. It detected "infections" in a Zotero storage folder and in a manual backup I had made of that folder. I deleted these. It also found a tracking cookie in the Recycler folder. I could see the Recycler folder, and a folder within it, but not the folder within that one which was supposed to contain the cookie, so I just deleted the folder I could see (not Recycler, but the folder within that), since nothing else was in there. I don't know if the Panda Active Scan/Firefox problem is related to this disk error.

(There are no errors pertaining to the mouse, which has been giving a little trouble intermittently this past week. I have ordered a new mouse.)

Here are the errors/warnings:

Error DCOM The server {.......} did not register with DCOM within the required timeout.

Error Service Control Manager The Windows Image Acquisition (WIA) service hung on starting.

(Occasionally I get some kind of video error msg on my monitor when I boot up, but it always resolves itself. I don't know if that is related to the above error msg.)

Error dhcp The IP address lease for the Network Card with network address ..... has been denied by the DHCP server (The DHCP Server sent a DHCPNACK message).

Warning dhcp Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address ...... The following error occurred:

The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Error disk The driver detected a controller error on \Device\Harddisk1\D.

(This is the error that re-occurred about 100 times, consecutively, between 10:49pm and 10:58pm on Jan 26.)

I am going to download and run HD Tune (there's a link from the Dial-a-fix page), to make sure the HD seems okay. Then I will run Dial-a-fix (probably tomorrow, it's getting late).

Thanks for sticking through this with me.

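The Event Viewer review suggested above (sort hardware errors from service noise, then look for repeated disk controller errors in a short span) can be done over an exported log instead of by eye. This is an added example and not code from the thread or from Malwarebytes; the tab-separated export format, the list of hardware-related sources, and the sample lines (constructed to resemble the errors quoted in the post) are assumptions.

```python
"""Triage Windows Event Log entries exported as tab-separated text.
Added example, not from the forum: the export layout (Level, Source,
Timestamp, Message), HARDWARE_SOURCES and SAMPLE_LOG are assumptions/constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Sources whose errors usually point at drives/controllers rather than services.
HARDWARE_SOURCES = {"disk", "atapi", "ftdisk", "ntfs", "usbhub"}

# Constructed sample export; the CLSID is a placeholder, not a real value.
SAMPLE_LOG = (
    "Error\tDCOM\t2009-01-26 20:03:11\tThe server {PLACEHOLDER-CLSID} did not register with DCOM within the required timeout.\n"
    "Error\tService Control Manager\t2009-01-26 20:03:40\tThe Windows Image Acquisition (WIA) service hung on starting.\n"
    "Error\tdhcp\t2009-01-26 21:15:02\tThe IP address lease has been denied by the DHCP server (The DHCP Server sent a DHCPNACK message).\n"
    "Error\tdisk\t2009-01-26 22:49:03\tThe driver detected a controller error on \\Device\\Harddisk1\\D.\n"
    "Error\tdisk\t2009-01-26 22:49:09\tThe driver detected a controller error on \\Device\\Harddisk1\\D.\n"
    "Error\tdisk\t2009-01-26 22:51:30\tThe driver detected a controller error on \\Device\\Harddisk1\\D.\n"
    "Error\tdisk\t2009-01-26 22:58:12\tThe driver detected a controller error on \\Device\\Harddisk1\\D.\n"
    "Warning\tdhcp\t2009-01-27 08:00:00\tYour computer was not able to renew its address from the DHCP Server.\n"
)

def parse_events(text):
    """Turn each export line into a dict with a real datetime for sorting."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        level, source, stamp, message = line.split("\t", 3)
        events.append({"level": level, "source": source, "message": message,
                       "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")})
    return events

def classify(events):
    """Separate hardware-related entries from service/network noise."""
    hardware, other = [], []
    for ev in events:
        (hardware if ev["source"].lower() in HARDWARE_SOURCES else other).append(ev)
    return hardware, other

def find_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Report identical events repeating >= threshold times within window;
    a run of disk controller errors like this is worth a SMART check before
    trusting that drive with a backup."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["source"], ev["message"])].append(ev["time"])
    bursts = []
    for (source, message), times in by_key.items():
        times.sort()
        for i, start in enumerate(times):
            run = [t for t in times[i:] if t - start <= window]
            if len(run) >= threshold:
                bursts.append((source, message, len(run), run[0], run[-1]))
                break
    return bursts
```

On the sample, `find_bursts(classify(parse_events(SAMPLE_LOG))[0])` reports one burst: four `disk` controller errors between 22:49 and 22:58, while the one-off DCOM, WIA and DHCP entries are left in the service/network pile.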
