anonymouss Posted August 11, 2013 ID:713669 Share Posted August 11, 2013 recently i installed malwarebytes and scaned and it shows PUM.Hijack.StartMenu is infected,when trying to remove it done,but after it again same infected file is found ,what kind of infected file and how to remove it ?here showing log filesMalwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.08.11.03Windows XP Service Pack 3 x86 NTFSInternet Explorer 8.0.6001.18702Honey :: SSRK [administrator]Protection: Disabled8/11/2013 7:04:28 PMmbam-log-2013-08-11 (19-04-28).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 279024Time elapsed: 7 minute(s), 24 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 1HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)how to edit the above post,how to remove the pum.hijack? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 14, 2013 Root Admin ID:714880 Share Posted August 14, 2013 Hello and Sorry for the delay. Do you still need assistance with this? Link to post Share on other sites More sharing options...
anonymouss Posted August 15, 2013 Author ID:715254 Share Posted August 15, 2013 Hello and Sorry for the delay. Do you still need assistance with this?yes waiting for last 3 days Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 15, 2013 Root Admin ID:715304 Share Posted August 15, 2013 Okay well we should scan your system for an infection however a PUM mean (Possible Unwanted Modification) - in this case the setting is not the default setting and sometimes can be a sign of an infection, but other times it's because maybe an admin set it that way or another valid program set it. No way to know for sure so we flag it. Let me have you run the following please. Please visit this webpage and read the ComboFix User's Guide:Once you've read the article and are ready to use the program you can download it directly from the link below.Important! - Please make sure you save combofix to your desktop and do not run it from your browserDirect download link for: ComboFix.exePlease make sure you disable your security applications before running ComboFix.Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.Please attach that log file to your next reply.If needed the file can be located here: C:\combofix.txtNOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer. Link to post Share on other sites More sharing options...
anonymouss Posted August 15, 2013 Author ID:715485 Share Posted August 15, 2013 i had some doubts related to combofix,when running comboxfix i want to close opened program,can i connect the internet manually or it will connect automatically when iam trying to run combofix,i studied some other threads in this site i downloaded dds.com can i post that logs or can i run combofix.exe and post this logs,dont mistake me just clarifying my doubts Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 16, 2013 Root Admin ID:715806 Share Posted August 16, 2013 Combofix will make some backups to help restore it back if something does go wrong unlike most other programs that simply make changes with no backups. Please just go ahead and run it as shown and it should be okay. Link to post Share on other sites More sharing options...
anonymouss Posted August 16, 2013 Author ID:715859 Share Posted August 16, 2013 Combofix will make some backups to help restore it back if something does go wrong unlike most other programs that simply make changes with no backups. Please just go ahead and run it as shown and it should be okay.ok i just download and run combofix and i click i agree then it backup registry files, after that it displays click ok to quit eset (note:i disabled already security protection) then i click ok the tray icon of eset is gone,after that again it displays popup window iecombofix has detected the following real time scanners to be active:antivirus: Antivir Desktopantivirus: avast! antivirus 4.8.1335[vps 090510-0]antivirus and intrusion prevention programs are known to interfere with combofixs running.this may lead to unpredictable results or possible machine damagebut in my system i had installed only eset smart security 6,but i didnt installed avast or antivir desktop,how to fix this Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 16, 2013 Root Admin ID:715873 Share Posted August 16, 2013 We'll fix it later on. It's just a WMI entry in the system that was not removed when you uninstalled it.Make sure that ESET Smart Security is fully disabled and then continue to run Combofix and post back the log please. Link to post Share on other sites More sharing options...
anonymouss Posted August 16, 2013 Author ID:715897 Share Posted August 16, 2013 here posting logs,is it deleted some files which i noted in logs ie c:\documents and settings\Home\WINDOWSc:\program files\DFX\DFX.exe?why it was deleted?what it contains? Link to post Share on other sites More sharing options...
anonymouss Posted August 16, 2013 Author ID:715898 Share Posted August 16, 2013 here posting logs,is it deleted some files which i noted in logs ie c:\documents and settings\Home\WINDOWSc:\program files\DFX\DFX.exe?why it was deleted?what it contains? Link to post Share on other sites More sharing options...
anonymouss Posted August 16, 2013 Author ID:715899 Share Posted August 16, 2013 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 16, 2013 Root Admin ID:715902 Share Posted August 16, 2013 The file c:\program files\DFX\DFX.exe may be a false positive detection.It should be there in the C:\QOOBOX\Quarantine folder with another extension.Please upload the file to www.virustotal.com and have them scan it. If clean I'll report it to the author of combofixThe computer has what appears to be some bad settings and junk that need cleaning but probably nothing hard core infection wise.Please click on START - RUN and type in MSCONFIG and set it to NORMAL and restart the computer.Then run the following toolsHello and If you've not already done so please start here and post back the 2 log files DDS.txt and Attach.txtP2P/Piracy Warning: If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy. Before we proceed further, please read all of the following instructions carefully.If there is anything that you do not understand kindly ask before proceeding.If needed please print out these instructions.Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.If the log is too large then you can use attachments by clicking on the More Reply Options button.Please enable your system to show hidden files: How to see hidden files in WindowsMake sure you're subscribed to this topic:Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to InstantlyRemoving malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drivePlease don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.Perform everything in the correct order. Sometimes one step requires the previous one.If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.You can check here if you're not sure if your computer is 32-bit or 64-bitPlease disable your antivirus while running any requested scanners so that they do not interfere with the scanners.When we are done, I'll give you instructions on how to cleanup all the tools and logsPlease stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.Your topic will be closed if you haven't replied within 3 days(If I have not responded within 24 hours, please send me a Private Message as a reminder)STEP 0RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processesso that your normal security software can then run and clean your computer of infections.When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policiesthat stop us from using certain tools. When finished it will display a log file that shows the processes that wereterminated while the program was running.As RKill only terminates a program's running process, and does not delete any files, after running it you should not rebootyour computer as any malware processes that are configured to start automatically will just be started again.Instead, after running RKill you should immediately scan your computer using the requested scans I've included.Please download Rkill by Grinler from one of the links below and save it to your desktop.Link 1Link 2On Windows XP double-click on the Rkill desktop icon to run the tool.On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As AdministratorA black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.If not, delete the file, then download and use the one provided in Link 2.If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.If the tool does not run from any of the links provided, please let me know.Do not reboot the computer, you will need to run the application again.STEP 01Backup the Registry:Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.Please download ERUNT from one of the following links: Link1 | Link2 | Link3ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.Double click on erunt-setup.exe to Install ERUNT by following the prompts.NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.Choose a location for the backup.Note: the default location is C:\Windows\ERDNT which is acceptable.Make sure that at least the first two check boxes are selected.Click on OKThen click on YES to create the folder.Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exeSTEP 02Please download RogueKiller and save it to your desktop.You can check here if you're not sure if your computer is 32-bit or 64-bitRogueKiller 32-bit | RogueKiller 64-bitQuit all running programs.For Windows XP, double-click to start.For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.Read and accept the EULA (End User Licene Agreement)Click Scan to scan the system.When the scan completes Close the program > Don't Fix anything!Don't run any other options, they're not all bad!!Post back the report which should be located on your desktop.STEP 3Please download AdwCleaner by Xplode to your desktop.Close all open programs and internet browsers.Double click on AdwCleaner.exe to run the tool.If prompted by the User Account Control click Yes to allow it to run.Under Actions click on the Delete button.Click OK on all prompts.You will be prompted to restart your computer. A text file will open after the restart.Please post the entire contents of that logfile to your next reply.You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.STEP 4Please download Junkware Removal Tool to your desktop.Shutdown your antivirus to avoid any conflicts.Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.The tool will open and start scanning your system.Please be patient as this can take a while to complete.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next reply messageWhen completed make sure to re-enable your antivirus Link to post Share on other sites More sharing options...
anonymouss Posted August 16, 2013 Author ID:715967 Share Posted August 16, 2013 here i followed steps 1) i uploaded dfx to virus total,so here result analysis https://www.virustotal.com/en/file/b7b8bd97a326bb4881424d2bd1d503c54d17a6bb098010962f014f2fb13e1eb7/analysis/1376656421/2)START - RUN and type in MSCONFIG and set it to NORMAL and restart the computer. i have done it ,after restart lot of programs were running in tray icon3)dds.com -scaned and posting 2 logs now (doubts:is it necessary to maintain normal selection (msconfig->select normal)throughout the enitre steps upto step4 i have to finish or when will i change the setting to previous one)remaining steps will be continued with normal setting or previous setting,further ur response i will continue........... Dds.txt(disabled eset smart protection) DDS (Ver_2012-11-20.01) - NTFS_x86Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22Run by home at 18:40:30 on 2013-08-16Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.217 [GMT 5.5:30].AV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}AV: avast! antivirus 4.8.1335 [VPS 090510-0] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}AV: ESET Smart Security 6.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}FW: ESET Personal firewall *Enabled*.============== Running Processes ================.C:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Sandboxie\SbieSvc.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ESET\ESET Smart Security\ekrn.exeC:\WINDOWS\system32\fsproflt.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exeC:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exeC:\Program Files\PANDORA.TV\PanService\PandoraService.exeC:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exeC:\Documents and Settings\home\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exeC:\Program Files\Reliance Netconnect\bin\MonServiceUDisk.exeC:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\Unlocker\UnlockerAssistant.exeC:\Program Files\ESET\ESET Smart Security\egui.exeC:\Program Files\Hard Disk Sentinel\HDSentinel.exeC:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exeC:\WINDOWS\Mixer.exeC:\Program Files\IVT Corporation\BlueSoleil\BtTray.exeC:\Program Files\Internet Download Manager\IDMan.exeC:\Program Files\RocketDock\RocketDock.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\WordWeb\wweb32.exeC:\Program Files\Sandboxie\SbieCtrl.exeC:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Launchy\Launchy.exeC:\Program Files\MagicDisc\MagicDisc.exeC:\Program Files\PC Connectivity Solution\ServiceLayer.exeC:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exeC:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exeC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exeC:\Program Files\Internet Download Manager\IEMonitor.exeC:\Program Files\Common Files\Teleca Shared\Generic.exeC:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\system32\svchost.exe -k DcomLaunchC:\WINDOWS\system32\svchost.exe -k rpcssC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupC:\WINDOWS\system32\svchost.exe -k NetworkServiceC:\WINDOWS\system32\svchost.exe -k LocalServiceC:\WINDOWS\system32\svchost.exe -k netsvcs.============== Pseudo HJT Report ===============.BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dllBHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllBHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dlluRun: [iDMan] c:\program files\internet download manager\IDMan.exe /onbootuRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startupuRun: [sandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"uRun: [RockMelt Update] "c:\documents and settings\home\local settings\application data\rockmelt\update\RockMeltUpdate.exe" /cuRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytrayuRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /backgrounduRun: [MouseAround] c:\program files\mousearound\MouseAround.exe /AUTOSTARTuRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quietuRun: [epic] c:\program files\epic\epic.exeuRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe" -automountmRun: [RTHDCPL] RTHDCPL.EXEmRun: [unlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservicemRun: [Hard Disk Sentinel] "c:\program files\hard disk sentinel\HDSentinel.exe" /AUTORUNmRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"mRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptionsmRun: [C-Media Mixer] Mixer.exe /startupmRun: [btTray] "c:\program files\ivt corporation\bluesoleil\BtTray.exe"StartupFolder: c:\docume~1\home\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exeStartupFolder: c:\docume~1\home\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exeuPolicies-Explorer: NoDriveTypeAutoRun = dword:323uPolicies-Explorer: NoDriveAutoRun = dword:67108863uPolicies-Explorer: NoDrives = dword:0mPolicies-Explorer: NoDriveTypeAutoRun = dword:323mPolicies-Explorer: NoDriveAutoRun = dword:67108863mPolicies-Explorer: NoDrives = dword:0mPolicies-Explorer: NoDriveTypeAutoRun = dword:323mPolicies-Explorer: NoDriveAutoRun = dword:67108863IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htmIE: Download with IDM - c:\program files\internet download manager\IEExt.htmIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: En&queue current page with BID - c:\program files\bulk image downloader\iemenu\iebidqueue.htmIE: Enqueue link tar&get with BID - c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htmIE: Open &link target with BID - c:\program files\bulk image downloader\iemenu\iebidlink.htmIE: Open current page with BI&D - c:\program files\bulk image downloader\iemenu\iebid.htmIE: Open current page with BID Link Explorer - c:\program files\bulk image downloader\iemenu\iebidlinkexplorer.htmIE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htmIE: Send via &Message... - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htmIE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeHandler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dllNotify: AtiExtEvent - Ati2evxx.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll.================= FIREFOX ===================.FF - ProfilePath - c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\FF - prefs.js: browser.startup.homepage - www.google.comFF - plugin: c:\documents and settings\home\local settings\application data\rockmelt\update\1.2.189.1\npRockMeltOneClick8.dllFF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dllFF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dllFF - plugin: c:\program files\winamp detect\npwachk.dllFF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dllFF - ExtSQL: 2013-07-08 16:12; {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}.xpiFF - ExtSQL: 2013-07-12 13:23; multirevenue@googlemail.com; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\multirevenue@googlemail.com.xpiFF - ExtSQL: 2013-07-19 16:39; {9AA46F4F-4DC7-4c06-97AF-6665170634FE}; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\{9AA46F4F-4DC7-4c06-97AF-6665170634FE}.xpiFF - ExtSQL: 2013-07-21 08:45; draggablestar@sdrocking.com; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\draggablestar@sdrocking.com.xpiFF - ExtSQL: 2013-07-21 08:46; cam@sdrocking.com; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\cam@sdrocking.com.xpiFF - ExtSQL: 2013-07-21 08:47; better_url@sdrocking.com; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\better_url@sdrocking.com.xpiFF - ExtSQL: 2013-07-21 12:31; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}FF - ExtSQL: 2013-07-21 12:31; thumbnailZoom@dadler.github.com; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\thumbnailZoom@dadler.github.com.xpiFF - ExtSQL: 2013-07-21 12:31; snaplinks@snaplinks.mozdev.org; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\snaplinks@snaplinks.mozdev.org.xpiFF - ExtSQL: 2013-07-21 12:31; client@anonymox.net; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\client@anonymox.net.xpiFF - ExtSQL: 2013-07-23 18:59; reloadplus@blackwind; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\reloadplus@blackwind.xpiFF - ExtSQL: 2013-07-23 19:03; {6BB5760D-F97E-421B-AF5B-8457A90C3CED}; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\{6BB5760D-F97E-421B-AF5B-8457A90C3CED}.xpiFF - ExtSQL: 2013-07-23 19:05; {ada4b710-8346-4b82-8199-5de2b400a6ae}; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}FF - ExtSQL: 2013-07-23 19:05; {0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}.xpiFF - ExtSQL: 2013-07-23 19:16; superstart@enjoyfreeware.org; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\superstart@enjoyfreeware.orgFF - ExtSQL: 2013-07-23 19:19; {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}FF - ExtSQL: 2013-08-15 22:51; jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack.xpiFF - ExtSQL: 2013-08-15 23:08; {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpiFF - ExtSQL: 2013-08-15 23:08; {1a5dabbd-0e74-41da-b532-a364bb552cab}; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\{1a5dabbd-0e74-41da-b532-a364bb552cab}.xpiFF - ExtSQL: 2013-08-15 23:11; privateTab@infocatcher; c:\documents and settings\home\application data\mozilla\firefox\profiles\nam2i820.default\extensions\privateTab@infocatcher.xpi.============= SERVICES / DRIVERS ===============.R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2011-12-21 20744]R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2012-7-5 41912]R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2013-1-10 122240]R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2013-1-15 118344]R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2013-3-21 1341664]R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2012-7-5 68832]R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-8-11 418376]R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-2 204800]R2 PanService;PandoraService;c:\program files\pandora.tv\panservice\PandoraService.exe [2012-7-5 578264]R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-11-22 3290304]R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-24 370688]R2 TorchCrashHandler;Torch Crash Handler;c:\documents and settings\home\local settings\application data\torch\update\TorchCrashHandler.exe [2013-7-20 1206624]R2 UDisk Monitor;UDisk Monitor;c:\program files\reliance netconnect\bin\MonServiceUDisk.exe [2012-7-5 512000]R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2011-12-21 30088]R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2010-4-6 26248]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-8-11 22856]R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2012-4-10 135440]R3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2012-7-10 87824]R3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2012-7-10 85696]S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe [2012-1-5 75624]S2 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2009-2-27 143467]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-8-11 701512]S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]S3 becldr3Service;BCL EasyConverter SDK 3 Loader;c:\program files\bcl technologies\easyconverter sdk 3\common\becldr.exe [2011-4-19 176128]S3 BTCOM;Bluetooth Serial port driver; [x]S3 BTCOMBUS;Bluetooth Serial Port Bus Service; [x]S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-9-20 83168]S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2012-10-18 13224]S3 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-7-5 27064]S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-9-20 181344]S3 ssudserd;SAMSUNG Mobile USB Diagnostic Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudserd.sys [2012-9-20 181344]S3 Tomcat6;Apache Tomcat;c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6.exe [2007-7-20 57344]S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2012-7-5 105472]S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]S4 OracleServiceORCL;OracleServiceORCL; [x].=============== File Associations ===============.ShellExec: Opera.exe: open="c:\program files\opera\Launcher.exe" "%1".=============== Created Last 30 ================.2013-08-16 08:56:47 -------- d-sha-r- C:\cmdcons2013-08-16 08:47:06 98816 ----a-w- c:\windows\sed.exe2013-08-16 08:47:06 256000 ----a-w- c:\windows\PEV.exe2013-08-16 08:47:06 208896 ----a-w- c:\windows\MBR.exe2013-08-15 14:05:48 -------- d-----w- c:\documents and settings\all users\application data\TorchCrashHandler2013-08-15 14:00:58 -------- d-----w- c:\documents and settings\home\local settings\application data\Torch2013-08-11 04:34:24 -------- d-----w- c:\documents and settings\home\application data\Malwarebytes2013-08-11 04:34:04 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes2013-08-11 04:33:59 22856 ----a-w- c:\windows\system32\drivers\mbam.sys2013-08-11 04:33:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2013-08-11 03:02:47 -------- d-----w- c:\documents and settings\home\local settings\application data\Epic2013-08-11 03:02:47 -------- d-----w- c:\documents and settings\home\application data\Epic2013-08-11 03:02:23 -------- d-----w- c:\program files\Epic2013-08-07 13:38:29 -------- d-----w- c:\documents and settings\home\local settings\application data\Opera Software2013-08-07 13:38:23 -------- d-----w- c:\documents and settings\home\application data\Opera Software2013-08-07 11:19:55 262552 ----a-w- c:\program files\mozilla firefox\browser\components\browsercomps.dll2013-08-05 10:24:49 -------- d-----w- c:\documents and settings\all users\application data\VS Revo Group2013-07-24 02:49:36 -------- d-----w- c:\program files\RF ToolBox2013-07-18 09:40:40 13312 ----a-w- c:\windows\system32\borlndmm.dll2013-07-18 09:40:12 -------- d-----w- c:\program files\LifeSignMini2013-07-18 09:40:12 -------- d-----w- c:\documents and settings\home\application data\LifeSignMini.==================== Find3M ====================.2013-07-20 17:48:52 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-07-20 17:48:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-06-27 09:57:42 118344 ----a-w- c:\windows\system32\drivers\idmtdi.sys2013-05-21 08:49:42 98304 ----a-w- c:\windows\DUMP5311.tmp2013-05-20 15:37:52 98304 ----a-w- c:\windows\DUMP46ad.tmp.============= FINISH: 18:41:10.18 =============== Attach.txt .UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2012-11-20.01).Microsoft Windows XP ProfessionalBoot Device: \Device\HarddiskVolume1Install Date: 5/7/2005 8:54:05 PMSystem Uptime: 8/16/2013 6:24:24 PM (0 hours ago).Motherboard: Intel Corporation | | D101GGC Processor: Intel® Pentium® 4 CPU 3.06GHz | Socket 775 | 3066/133mhz.==== Disk Partitions =========================.A: is RemovableC: is FIXED (NTFS) - 29 GiB total, 6.287 GiB free.D: is FIXED (NTFS) - 29 GiB total, 5.749 GiB free.E: is FIXED (NTFS) - 407 GiB total, 49.089 GiB free.F: is FIXED (NTFS) - 16 GiB total, 1.761 GiB free.G: is CDROM ()I: is FIXED (NTFS) - 59 GiB total, 4.926 GiB free..==== Disabled Device Manager Items =============.Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}Description: Realtek RTL8139 Family PCI Fast Ethernet NICDevice ID: PCI\VEN_10EC&DEV_8139&SUBSYS_D6008086&REV_10\4&FB75CB&0&10A4Manufacturer: RealtekName: Realtek RTL8139 Family PCI Fast Ethernet NIC #2PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_D6008086&REV_10\4&FB75CB&0&10A4Service: rtl8139.Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}Description: Bluetooth PAN Network AdapterDevice ID: {F12D3CF8-B11D-457E-8641-BE2AF2D6D204}\IVTBTPAN\1&21CCD16&0&0000Manufacturer: IVT CorporationName: Bluetooth PAN Network AdapterPNP Device ID: {F12D3CF8-B11D-457E-8641-BE2AF2D6D204}\IVTBTPAN\1&21CCD16&0&0000Service: BT.Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}Description: C2-03Device ID: ROOT\WPD\0000Manufacturer: NokiaName: C2-03PNP Device ID: ROOT\WPD\0000Service: WUDFRd.==== System Restore Points ===================.RP364: 6/12/2013 8:42:41 PM - Installed ESET Smart SecurityRP365: 6/12/2013 8:42:41 PM - Revo Uninstaller Pro's restore point - ESET Smart SecurityRP366: 6/12/2013 8:58:25 PM - Removed ESET Smart SecurityRP367: 6/12/2013 8:58:26 PM - Installed ESET Smart SecurityRP368: 6/12/2013 8:58:27 PM - Revo Uninstaller Pro's restore point - ESET Smart SecurityRP369: 6/19/2013 4:56:25 PM - Removed ESET Smart SecurityRP370: 6/19/2013 4:56:25 PM - Installed ESET Smart SecurityRP371: 6/19/2013 4:56:25 PM - System CheckpointRP372: 6/19/2013 4:56:26 PM - System CheckpointRP373: 6/19/2013 4:56:26 PM - System CheckpointRP374: 6/19/2013 4:56:26 PM - System CheckpointRP375: 6/24/2013 11:33:39 AM - System CheckpointRP376: 6/24/2013 11:33:40 AM - System CheckpointRP377: 6/24/2013 11:33:40 AM - System CheckpointRP378: 6/24/2013 11:33:40 AM - System CheckpointRP379: 7/6/2013 5:56:40 PM - System CheckpointRP380: 7/6/2013 5:56:41 PM - System CheckpointRP381: 7/6/2013 5:56:42 PM - System CheckpointRP382: 7/6/2013 5:56:43 PM - System CheckpointRP383: 7/6/2013 5:56:43 PM - System CheckpointRP384: 7/6/2013 5:56:43 PM - System CheckpointRP385: 7/6/2013 5:56:44 PM - System CheckpointRP386: 7/6/2013 5:56:44 PM - System CheckpointRP387: 7/6/2013 5:56:45 PM - System CheckpointRP388: 7/15/2013 4:34:01 PM - System CheckpointRP389: 7/15/2013 4:34:01 PM - System CheckpointRP390: 7/15/2013 4:34:02 PM - System CheckpointRP391: 7/15/2013 4:34:02 PM - System CheckpointRP392: 7/15/2013 4:34:03 PM - System CheckpointRP393: 7/15/2013 4:34:03 PM - System CheckpointRP394: 7/22/2013 11:08:20 AM - System CheckpointRP395: 7/22/2013 11:08:20 AM - System CheckpointRP396: 7/22/2013 11:08:21 AM - System CheckpointRP397: 7/22/2013 11:08:21 AM - System CheckpointRP398: 7/22/2013 11:08:21 AM - Revo Uninstaller Pro's restore point - Google ChromeRP399: 7/29/2013 3:28:35 PM - System CheckpointRP400: 7/29/2013 3:28:35 PM - System CheckpointRP401: 7/29/2013 3:28:36 PM - System CheckpointRP402: 7/29/2013 3:28:36 PM - System CheckpointRP403: 7/29/2013 3:28:36 PM - System CheckpointRP404: 8/3/2013 6:05:13 PM - System CheckpointRP405: 8/3/2013 6:05:13 PM - System CheckpointRP406: 8/3/2013 6:05:14 PM - System CheckpointRP407: 8/7/2013 12:49:35 PM - System CheckpointRP408: 8/7/2013 12:49:36 PM - System CheckpointRP409: 8/6/2013 11:19:27 AM - System CheckpointRP410: 8/7/2013 1:11:13 PM - System CheckpointRP411: 8/8/2013 6:24:13 PM - System CheckpointRP412: 8/9/2013 7:29:17 PM - System CheckpointRP413: 8/10/2013 12:49:21 PM - AVG Regisry Defrag - before defragmentationRP414: 8/11/2013 8:30:52 AM - Revo Uninstaller Pro's restore point - Epic 1.9.7RP415: 8/11/2013 10:02:20 AM - Revo Uninstaller Pro's restore point - SUPERAntiSpywareRP416: 8/13/2013 10:10:53 AM - System CheckpointRP417: 8/14/2013 11:00:11 AM - System CheckpointRP418: 8/16/2013 2:17:23 PM - ComboFix created restore point.==== Installed Programs ======================.µTorrent7 Sticky NotesAdobe Flash Player 11 ActiveXAdobe Flash Player 11 PluginAngry BirdsAngry Birds RioAngry Birds SeasonsApache Tomcat 6.0 (remove only)Apache Tomcat 6.0.26Astro-Vision LifeSign Mini version 1.0.5.0ATI Display DriverAVG PC TuneupBaraha 10.8BCL easyConverter 3.0 Licensing Module (BCL License)BCL easyConverter 3.0 Loader SDK ModuleBCL easyConverter 3.0 Module (Loader, BCL License)BCL easyConverter 3.0 Module (RTF, BCL License)BCL easyConverter 3.0 RTF SDK ModuleBCL easyConverter 3.0 SDK ModuleBluesoleil 6.4.249.0BS.Player PROBulk Image Downloader v4.21.0.0BurstCopy v2.700C-Media PCI Audio DriverCamStudioCCleanerDexpotDFXDriver Genius Professional EditionEpic 1.9.9.1ESET Smart SecurityFastStone Image Viewer 4.2floAt's Mobile AgentFoxit Advanced PDF Editor 3Foxit ReaderGame BoosterGlassFish Server Open Source Edition 3.0.1Google ChromeHandBrake 0.9.8Hard Disk Low Level Format Tool 2.36 build 1181Hard Disk Sentinel PROHide Folders 2009 3.6Horoscope Explorer Pro 3.81HP USB Disk Storage Format TooliCF Skin PackiColorFolderImgBurnInternet Download ManagerJava Auto UpdaterJava DB 10.5.3.0Java 6 Update 22Java SE Development Kit 6 Update 22K-Lite Codec Pack 6.5.0 (Full)Launchy 2.5Magic ISO Maker v5.5 (build 0281)MagicDisc 2.7.106Malwarebytes Anti-Malware version 1.75.0.1300Microsoft .NET Framework 2.0Microsoft .NET Framework 4 Client ProfileMicrosoft .NET Framework 4 ExtendedMicrosoft Compression Client Pack 1.0 for Windows XPMicrosoft DirectX Transform optional componentsMicrosoft Kernel-Mode Driver Framework Feature Pack 1.9Microsoft Office Access MUI (English) 2007Microsoft Office Access Setup Metadata MUI (English) 2007Microsoft Office Enterprise 2007Microsoft Office Excel MUI (English) 2007Microsoft Office Groove MUI (English) 2007Microsoft Office Groove Setup Metadata MUI (English) 2007Microsoft Office InfoPath MUI (English) 2007Microsoft Office OneNote MUI (English) 2007Microsoft Office Outlook MUI (English) 2007Microsoft Office PowerPoint MUI (English) 2007Microsoft Office Proof (English) 2007Microsoft Office Proof (French) 2007Microsoft Office Proof (Spanish) 2007Microsoft Office Proofing (English) 2007Microsoft Office Publisher MUI (English) 2007Microsoft Office Shared MUI (English) 2007Microsoft Office Shared Setup Metadata MUI (English) 2007Microsoft Office Word MUI (English) 2007Microsoft Software Update for Web Folders (English) 12Microsoft User-Mode Driver Framework Feature Pack 1.9Microsoft Visual C++ 2005 Redistributable - KB2467175Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319Microsoft_VC100_CRT_SP1_x86MobTime Cell Phone Manager V6.6.5MouseAroundMozilla Firefox 23.0 (x86 en-US)Mozilla Maintenance ServiceMP3 To Ringtone Gold 8.7MSVC80_x86MSVC80_x86_v2MSVC90_x86MSXML 4.0 SP2 Parser and SDKMyPhoneExplorerNetBeans IDE 6.9.1Nokia Connectivity Cable DriverNokia PC SuiteNotepad++Omnius for SE v1.38Opera 12.11Opera Stable 15.0.1147.153Opti Drive Control 1.70Oracle Data Provider for .NET HelpOracle Database 10g Express EditionPandora ServicePC Connectivity SolutionPCI Audio DriverPDF2Word Converter Version 1.0.8 (Build 164)Pdf995PdfEdit995RAR Recovery Toolbox 1.1REALTEK Gigabit and Fast Ethernet NIC DriverRealtek High Definition Audio DriverReliance NetconnectRevo Uninstaller Pro 3.0.5RF ToolBox 3.9.0RocketDock 1.3.5RockMeltSandboxie 3.68 (32-bit)Skype Click to CallSkype™ 6.1Sony Ericsson PC SuiteSony Ericsson Update ServiceTeraCopy 2.27The KMPlayer (remove only)TorchTotal Video Converter 3.71 100812Unlocker 1.9.2VeryPDF PDF2Word v3.0VLC media player 2.0.7VSO Inspector 2.0.2WebFldrs XPWinampWinamp Detector Plug-inWindows Driver Package - Nokia Modem (06/01/2009 4.1)Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)Windows Driver Package - Nokia pccsmcfd “LegacyDriver” (05/31/2012 7.1.2.0)Windows Internet Explorer 8Windows Media Format 11 runtimeWindows Media Player 11WinRAR 4.20WordWeb ProYahoo! Messenger.==== Event Viewer Messages From Past Week ========.8/16/2013 6:27:04 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service BsMobileCS with arguments "-Service" in order to run the server: {5408AB86-5A2A-4BC5-A406-A0E805A8BF93}8/16/2013 6:26:31 PM, error: Service Control Manager [7022] - The PandoraService service hung on starting.8/16/2013 2:54:23 PM, error: PlugPlayManager [11] - The device Root\LEGACY_UNLOCKERDRIVER5\0000 disappeared from the system without first being prepared for removal.8/16/2013 2:42:27 PM, error: Service Control Manager [7034] - The UDisk Monitor service terminated unexpectedly. It has done this 1 time(s).8/16/2013 2:42:27 PM, error: Service Control Manager [7034] - The OracleXETNSListener service terminated unexpectedly. It has done this 1 time(s).8/16/2013 2:16:29 PM, error: Service Control Manager [7034] - The Torch Crash Handler service terminated unexpectedly. It has done this 1 time(s).8/16/2013 2:16:29 PM, error: Service Control Manager [7034] - The Skype C2C Service service terminated unexpectedly. It has done this 1 time(s).8/16/2013 2:05:57 PM, error: Srv [2000] - The server's call to a system service failed unexpectedly.8/16/2013 2:03:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the BsMobileCS service to connect.8/16/2013 2:03:07 PM, error: Service Control Manager [7000] - The BsMobileCS service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion..==== End Of File =========================== Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 17, 2013 Root Admin ID:716268 Share Posted August 17, 2013 Actually yes you should keep MSDIAG in Normal Mode otherwise you can't use it as a Diagnostic tool which is what its for. You should uninstall any programs you no longer want or use or use a program like Microsoft AutoRuns to manage start up items. There is also a program called WinPatrol that can monitor start up items if wanted. http://www.winpatrol.com/startup.html Where are the logs from steps 3 and 4 the JRT and AdwCleaner logs? Link to post Share on other sites More sharing options...
anonymouss Posted August 17, 2013 Author ID:716316 Share Posted August 17, 2013 i followed remaining steps but why some files were deleted rkill,txt logs Rkill 2.6.0 by Lawrence Abrams (Grinler)http://www.bleepingcomputer.com/Copyright 2008-2013 BleepingComputer.comMore Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.htmlProgram started at: 08/17/2013 01:35:03 PM in x86 mode.Windows Version: Microsoft Windows XP Service Pack 3Checking for Windows services to stop: * No malware services found to stop.Checking for processes to terminate: * C:\Documents and Settings\Honey\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe (PID: 1232) [uP-HEUR]1 proccess terminated!Checking Registry for malware related settings: * No issues found in the Registry.Resetting .EXE, .COM, & .BAT associations in the Windows Registry.Performing miscellaneous checks: * Windows Firewall Disabled [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = dword:00000000 * Reparse Point/Junctions Found (Most likely legitimate)! * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir] * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]Checking Windows Service Integrity: * No issues found.Searching for Missing Digital Signatures: * No issues found.Checking HOSTS File: * HOSTS file entries found: 127.0.0.1 localhostProgram finished at: 08/17/2013 01:36:15 PMExecution time: 0 hours(s), 1 minute(s), and 12 seconds(s) then i backed up the registry roguekiller logs RogueKiller V8.6.5 [Aug 5 2013] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://www.adlice.com/forum/Website : http://www.adlice.com/softwares/roguekiller/Blog : http://tigzyrk.blogspot.com/Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits versionStarted in : Normal modeUser : Honey [Admin rights]Mode : Scan -- Date : 08/17/2013 13:41:44| ARK || FAK || MBR |¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 7 ¤¤¤[DNS] HKLM\[...]\CS003\[...]\{014B0BBC-01F9-4E7A-90FB-408F484BD27C} : NameServer (202.148.200.3 202.148.202.4) -> FOUND[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Startup Entries : 0 ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [LOADED] ¤¤¤[inline] SSDT[199] : NtRequestPort @ 0x805A2A2E -> HOOKED (Unknown @ 0xF7B03CA0)[inline] SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D5A -> HOOKED (Unknown @ 0xF7B03D40)[inline] SSDT[260] : NtTraceEvent @ 0x805350F8 -> HOOKED (Unknown @ 0xF7B03C00)¤¤¤ External Hives: ¤¤¤-> F:\windows\system32\config\SYSTEM | DRVINFO [Drv - F:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> F:\windows\system32\config\SOFTWARE | DRVINFO [Drv - F:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> F:\windows\system32\config\SECURITY | DRVINFO [Drv - F:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> F:\windows\system32\config\SAM | DRVINFO [Drv - F:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> F:\windows\system32\config\DEFAULT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> F:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]-> F:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> F:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - FOUND]-> F:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - FOUND]¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts127.0.0.1 localhost¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: ST3500413AS +++++--- User ---[MBR] 8efe1fe4e20e5cbc8ef1b6b8db883562[bSP] da5e4b677720e8295d03eab107eff36f : Windows XP MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 29996 Mo1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61432560 | Size: 446933 MoUser = LL1 ... OK!User = LL2 ... OK!+++++ PhysicalDrive1: ST3500413AS +++++--- User ---[MBR] 2e19c06bfc5c279b0e3a17936ac0c36e[bSP] fc26e282496cb9ff8c896a38cac65fed : Windows XP MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 60008 Mo1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 122897250 | Size: 16308 MoUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[0]_S_08172013_134144.txt >>adwcleaner logs # AdwCleaner v2.306 - Logfile created 08/17/2013 at 13:44:01# Updated 19/07/2013 by Xplode# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)# User : Honey - SSRK# Boot Mode : Normal# Running from : C:\Documents and Settings\Honey\My Documents\Downloads\Programs\AdwCleaner_2.exe# Option [Delete]***** [services] ********** [Files / Folders] *****Folder Deleted : C:\Documents and Settings\Honey\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\jetpackFolder Deleted : C:\Documents and Settings\Honey\Local Settings\Application Data\AskToolbarFolder Deleted : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}***** [Registry] *****Key Deleted : HKCU\Software\APNKey Deleted : HKCU\Software\APN PIPKey Deleted : HKCU\Software\AppDataLow\Software\SmartBarKey Deleted : HKCU\Software\Ask.comKey Deleted : HKCU\Software\AskToolbarKey Deleted : HKCU\Software\ConduitKey Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKLM\Software\APNKey Deleted : HKLM\Software\AskToolbarKey Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLLKey Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}***** [internet Browsers] *****-\\ Internet Explorer v8.0.6001.18702[OK] Registry is clean.-\\ Mozilla Firefox v23.0 (en-US)File : C:\Documents and Settings\Honey\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\prefs.js[OK] File is clean.-\\ Google Chrome v28.0.1500.95File : C:\Documents and Settings\Honey\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences[OK] File is clean.-\\ Opera v12.11.1661.0File : C:\Documents and Settings\Honey\Application Data\Opera\Opera\operaprefs.ini[OK] File is clean.*************************AdwCleaner[s2].txt - [3060 octets] - [17/08/2013 13:44:01]########## EOF - C:\AdwCleaner[s2].txt - [3120 octets] ########## junkware logs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Junkware Removal Tool (JRT) by ThisisuVersion: 5.4.6 (08.15.2013:1)OS: Microsoft Windows XP x86Ran by Honey on Sat 08/17/2013 at 13:51:51.92~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Services~~~ Registry ValuesSuccessfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayNameSuccessfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL~~~ Registry KeysSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\torchSuccessfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\torch~~~ FilesSuccessfully deleted: [File] "C:\WINDOWS\wininit.ini"~~~ FoldersSuccessfully deleted: [Folder] "C:\Documents and Settings\Honey\Local Settings\Application Data\torch"Successfully deleted: [Folder] "C:\Program Files\driver-soft"~~~ FireFoxSuccessfully deleted the following from C:\Documents and Settings\Honey\Application Data\mozilla\firefox\profiles\nam2i820.default\prefs.js~~~ ChromeSuccessfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\kiplfnciaokpcennlkldkdaeaaomamof~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Scan was completed on Sat 08/17/2013 at 14:03:30.17End of JRT log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 18, 2013 Root Admin ID:716650 Share Posted August 18, 2013 Some of these programs delete what they see as redundant or undesirable files. Sometimes there are backups but in most cases these files really are not needed. Please go ahead and run MBAM and check for updates and then do a Quick Scan and post back the new log. So far I've not seen anything major on the system - just typical junk that most computers seem to get sooner or later while surfing the Web and these tools clean those things up for us. Link to post Share on other sites More sharing options...
anonymouss Posted August 18, 2013 Author ID:716720 Share Posted August 18, 2013 actually after completing above process,some of programs are not working and browsers are opening as a fresh window ie options are changed and restore sessions are gone,2 days back i installed torch browser but now its not opening, .exe file is gone,can i take back dfx file in quarantine which i already gave link which is scaned in virustotal.how to solve above problems. newly updated and scaned Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.08.18.01Windows XP Service Pack 3 x86 NTFSInternet Explorer 8.0.6001.18702Home :: System [administrator]Protection: Disabled8/18/2013 4:49:11 PMMBAM-log-2013-08-18 (16-57-25).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 280229Time elapsed: 7 minute(s), 59 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 1HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 18, 2013 Root Admin ID:716978 Share Posted August 18, 2013 Yes you can restore the file or download it and install it again. Please visit this site and restore Firefox back to the factory default settings.Restore Firefox Default Settings Without Uninstalling It Let me know how that works Link to post Share on other sites More sharing options...
anonymouss Posted August 19, 2013 Author ID:717138 Share Posted August 19, 2013 Yes you can restore the file or download it and install it again. Please visit this site and restore Firefox back to the factory default settings.Restore Firefox Default Settings Without Uninstalling It Let me know how that worksok , i will check it,yeah i restored,still pc is infected ,the infection is not clear Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 19, 2013 Root Admin ID:717142 Share Posted August 19, 2013 No, what I wanted was to have you reset Firefox only. Then let me know if it can browse again or not. Please visit this webpage and read the ComboFix User's Guide:Once you've read the article and are ready to use the program you can download it directly from the link below. Important! - Please make sure you save combofix to your desktop and do not run it from your browser Direct download link for: ComboFix.exe Please make sure you disable your security applications before running ComboFix. Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load. Please attach that log file to your next reply. If needed the file can be located here: C:\combofix.txt NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer. Link to post Share on other sites More sharing options...
anonymouss Posted August 19, 2013 Author ID:717301 Share Posted August 19, 2013 No, what I wanted was to have you reset Firefox only. Then let me know if it can browse again or not. Please visit this webpage and read the ComboFix User's Guide:Once you've read the article and are ready to use the program you can download it directly from the link below.Important! - Please make sure you save combofix to your desktop and do not run it from your browserDirect download link for: ComboFix.exePlease make sure you disable your security applications before running ComboFix.Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.Please attach that log file to your next reply.If needed the file can be located here: C:\combofix.txtNOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer. some addons were deleted,why it was happened,i have session manager,so i restored previous session,i already posted combofix logs Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 19, 2013 Root Admin ID:717390 Share Posted August 19, 2013 I'm sorry but we're trying to assist you in detecting and cleaning malware and not in how to keep your system preferences saved. If that is your sole concern then we probably will not be able to assist you. The main issue you opened the topic for I believe I have explained but I'll say again. It is just a basic setting in the Registry that we detected as not being the default settings. There are programs or valid reasons why it would have been changed, but there are also many infections that also use this tactic to work on infecting your system. If you made the change and want to keep it then simply place that entry on the Ignore list. If you did not make it then you may want to have MBAM fix it and then it should not return unless something again changes it back. At this time as I've also said your computer does not appear to have an infection (at least not one that is apparent) if you feel comfortable that the system is now clean then we can end the scanning here and clean up the tools used, just let me know please. Thank you Link to post Share on other sites More sharing options...
anonymouss Posted August 20, 2013 Author ID:717583 Share Posted August 20, 2013 I'm sorry but we're trying to assist you in detecting and cleaning malware and not in how to keep your system preferences saved. If that is your sole concern then we probably will not be able to assist you. The main issue you opened the topic for I believe I have explained but I'll say again. It is just a basic setting in the Registry that we detected as not being the default settings. There are programs or valid reasons why it would have been changed, but there are also many infections that also use this tactic to work on infecting your system. If you made the change and want to keep it then simply place that entry on the Ignore list. If you did not make it then you may want to have MBAM fix it and then it should not return unless something again changes it back. At this time as I've also said your computer does not appear to have an infection (at least not one that is apparent) if you feel comfortable that the system is now clean then we can end the scanning here and clean up the tools used, just let me know please. Thank youok i understand, i just want to clarity and want to know thats all,some icons also changed,but i found while scanning mbam detects pum.hijack.startmenu,ok continue the process to remove this(it it is malware),can i scan again with combofix to post logs or can i post previous logs which posted in 1st page Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 20, 2013 Root Admin ID:717603 Share Posted August 20, 2013 You need to delete your current copy of combofix and download a new fresh copy and then run it and post back the new log please. I don't expect it to find much of anything but we can certainly check on the outcome. Thanks Link to post Share on other sites More sharing options...
anonymouss Posted August 20, 2013 Author ID:717676 Share Posted August 20, 2013 You need to delete your current copy of combofix and download a new fresh copy and then run it and post back the new log please.I don't expect it to find much of anything but we can certainly check on the outcome.Thankshere new combofix logs.txt ComboFix 13-08-19.02 - home 08/20/2013 15:36:37.2.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.46 [GMT 5.5:30]Running from: c:\documents and settings\home\Desktop\ComboFix.exeAV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}AV: avast! antivirus 4.8.1335 [VPS 090510-0] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}AV: ESET Smart Security 6.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\documents and settings\All Users\Application Data\TEMP..((((((((((((((((((((((((( Files Created from 2013-07-20 to 2013-08-20 )))))))))))))))))))))))))))))))..2013-08-17 08:21 . 2013-08-17 08:21 -------- d-----w- c:\windows\ERUNT2013-08-17 08:07 . 2013-08-17 08:07 -------- d-----w- c:\program files\ERUNT2013-08-15 14:05 . 2013-08-17 08:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TorchCrashHandler2013-08-11 04:34 . 2013-08-11 04:34 -------- d-----w- c:\documents and settings\home\Application Data\Malwarebytes2013-08-11 04:34 . 2013-08-11 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2013-08-11 04:33 . 2013-08-11 04:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2013-08-11 04:33 . 2013-04-04 09:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys2013-08-11 03:02 . 2013-08-11 03:02 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Epic2013-08-11 03:02 . 2013-08-11 03:02 -------- d-----w- c:\documents and settings\home\Application Data\Epic2013-08-11 03:02 . 2013-08-11 03:02 -------- d-----w- c:\program files\Epic2013-08-07 13:38 . 2013-08-07 13:38 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Opera Software2013-08-07 13:38 . 2013-08-07 13:38 -------- d-----w- c:\documents and settings\home\Application Data\Opera Software2013-08-05 10:24 . 2013-08-05 10:24 -------- d-----w- c:\documents and settings\All Users\Application Data\VS Revo Group2013-07-24 02:49 . 2013-07-24 02:49 -------- d-----w- c:\program files\RF ToolBox...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-07-20 17:48 . 2012-07-05 16:32 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-07-20 17:48 . 2012-07-05 16:32 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-06-27 09:57 . 2013-01-15 02:10 118344 ----a-w- c:\windows\system32\drivers\idmtdi.sys..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]2012-11-15 23:07 21904 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2013-08-07 3665488]"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 14864384]"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2013-03-21 5078504]"Hard Disk Sentinel"="c:\program files\Hard Disk Sentinel\HDSentinel.exe" [2013-07-19 4341904]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056].[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fsproflt]@="Service".[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]@="Driver".[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]@="Service".[HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]path=c:\documents and settings\home\Start Menu\Programs\Startup\ERUNT AutoBackup.lnkbackup=c:\windows\pss\ERUNT AutoBackup.lnkStartup.[HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^Launchy.lnk]path=c:\documents and settings\home\Start Menu\Programs\Startup\Launchy.lnkbackup=c:\windows\pss\Launchy.lnkStartup.[HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^MagicDisc.lnk]path=c:\documents and settings\home\Start Menu\Programs\Startup\MagicDisc.lnkbackup=c:\windows\pss\MagicDisc.lnkStartup.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]2012-01-05 15:42 75624 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]2009-02-27 11:34 278016 ----a-w- c:\program files\IVT Corporation\BlueSoleil\BtTray.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\epic]2013-02-05 18:33 73216 ----a-w- c:\program files\Epic\epic.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]2011-08-21 19:48 6276408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MouseAround]2001-12-11 18:04 151552 ----a-w- c:\program files\MouseAround\MouseAround.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]2009-06-25 09:42 1414144 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RockMelt Update]2012-09-11 13:34 136336 ----atw- c:\documents and settings\home\Local Settings\Application Data\RockMelt\Update\RockMeltUpdate.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]2012-04-10 10:17 452880 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]2007-03-27 19:37 593920 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WordWeb]2009-11-08 17:48 65216 ------w- c:\program files\WordWeb\wweb32.exe.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0).[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\system32\\sessmgr.exe"="c:\\WINDOWS\\system32\\muzapp.exe"="c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"="c:\\Program Files\\Winamp\\winamp.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"="d:\\Arun pendrive\\eclipse\\eclipse-jee-galileo-SR1-win32\\eclipse\\eclipse.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Opera\\opera.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Program Files\\PANDORA.TV\\PanService\\PandoraService.exe"=.R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [12/21/2011 2:47 PM 20744]R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [7/5/2012 11:43 PM 41912]R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [1/10/2013 3:08 PM 122240]R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [1/15/2013 7:40 AM 118344]R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [3/21/2013 3:19 PM 1341664]R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [7/5/2012 11:43 PM 68832]R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [8/11/2013 10:04 AM 418376]R2 PanService;PandoraService;c:\program files\PANDORA.TV\PanService\PandoraService.exe [7/5/2012 11:41 PM 578264]R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [12/21/2011 2:47 PM 30088]R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [4/6/2010 6:32 PM 26248]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/11/2013 10:03 AM 22856]R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [1/4/2013 3:25 PM 47360]R3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [7/10/2012 1:47 PM 87824]R3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [7/10/2012 1:47 PM 85696]S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [1/5/2012 9:12 PM 75624]S2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2/27/2009 4:40 PM 143467]S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/11/2013 10:04 AM 701512]S2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 12:49 AM 204800]S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [11/22/2012 10:29 AM 3290304]S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/8/2013 12:55 PM 161536]S2 TorchCrashHandler;Torch Crash Handler;c:\documents and settings\home\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe --> c:\documents and settings\home\Local Settings\Application Data\Torch\Update\TorchCrashHandler.exe [?]S2 UDisk Monitor;UDisk Monitor;c:\program files\Reliance Netconnect\bin\MonServiceUDisk.exe [7/5/2012 10:17 PM 512000]S3 becldr3Service;BCL EasyConverter SDK 3 Loader;c:\program files\BCL Technologies\easyConverter SDK 3\Common\becldr.exe [4/19/2011 6:05 PM 176128]S3 BTCOM;Bluetooth Serial port driver; [x]S3 BTCOMBUS;Bluetooth Serial Port Bus Service; [x]S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [9/20/2012 10:05 AM 83168]S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [10/18/2012 12:33 PM 13224]S3 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/5/2012 10:10 PM 27064]S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [9/20/2012 10:05 AM 181344]S3 ssudserd;SAMSUNG Mobile USB Diagnostic Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudserd.sys [9/20/2012 10:05 AM 181344]S3 Tomcat6;Apache Tomcat;c:\program files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [7/20/2007 7:50 AM 57344]S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [7/5/2012 10:17 PM 105472]S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]S4 OracleServiceORCL;OracleServiceORCL; [x].--- Other Services/Drivers In Memory ---.*Deregistered* - SASKUTIL.Contents of the 'Scheduled Tasks' folder.2013-08-18 c:\windows\Tasks\RockMeltUpdateTaskUserS-1-5-21-2025429265-484763869-515967899-1003Core.job- c:\documents and settings\home\Local Settings\Application Data\RockMelt\Update\RockMeltUpdate.exe [2012-09-11 13:34].2013-08-20 c:\windows\Tasks\RockMeltUpdateTaskUserS-1-5-21-2025429265-484763869-515967899-1003UA.job- c:\documents and settings\home\Local Settings\Application Data\RockMelt\Update\RockMeltUpdate.exe [2012-09-11 13:34]..------- Supplementary Scan -------.IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htmIE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htmIE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htmFF - ProfilePath - c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\FF - prefs.js: browser.startup.homepage - www.google.comFF - ExtSQL: 2013-07-08 16:12; {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}.xpiFF - ExtSQL: 2013-07-12 13:23; multirevenue@googlemail.com; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\multirevenue@googlemail.com.xpiFF - ExtSQL: 2013-07-19 16:39; {9AA46F4F-4DC7-4c06-97AF-6665170634FE}; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\{9AA46F4F-4DC7-4c06-97AF-6665170634FE}.xpiFF - ExtSQL: 2013-07-21 08:45; draggablestar@sdrocking.com; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\draggablestar@sdrocking.com.xpiFF - ExtSQL: 2013-07-21 08:46; cam@sdrocking.com; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\cam@sdrocking.com.xpiFF - ExtSQL: 2013-07-21 08:47; better_url@sdrocking.com; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\better_url@sdrocking.com.xpiFF - ExtSQL: 2013-07-21 12:31; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}FF - ExtSQL: 2013-07-21 12:31; thumbnailZoom@dadler.github.com; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\thumbnailZoom@dadler.github.com.xpiFF - ExtSQL: 2013-07-21 12:31; snaplinks@snaplinks.mozdev.org; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\snaplinks@snaplinks.mozdev.org.xpiFF - ExtSQL: 2013-07-21 12:31; client@anonymox.net; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\client@anonymox.net.xpiFF - ExtSQL: 2013-07-23 18:59; reloadplus@blackwind; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\reloadplus@blackwind.xpiFF - ExtSQL: 2013-07-23 19:03; {6BB5760D-F97E-421B-AF5B-8457A90C3CED}; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\{6BB5760D-F97E-421B-AF5B-8457A90C3CED}.xpiFF - ExtSQL: 2013-07-23 19:05; {ada4b710-8346-4b82-8199-5de2b400a6ae}; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}FF - ExtSQL: 2013-07-23 19:05; {0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}.xpiFF - ExtSQL: 2013-07-23 19:16; superstart@enjoyfreeware.org; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\superstart@enjoyfreeware.orgFF - ExtSQL: 2013-07-23 19:19; {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}FF - ExtSQL: 2013-08-15 22:51; jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack.xpiFF - ExtSQL: 2013-08-15 23:08; {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpiFF - ExtSQL: 2013-08-15 23:08; {1a5dabbd-0e74-41da-b532-a364bb552cab}; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\{1a5dabbd-0e74-41da-b532-a364bb552cab}.xpiFF - ExtSQL: 2013-08-15 23:11; privateTab@infocatcher; c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\nam2i820.default\extensions\privateTab@infocatcher.xpi.- - - - ORPHANS REMOVED - - - -.AddRemove-Driver Genius Professional Edition_is1 - c:\program files\Driver-Soft\DriverGenius\unins000.exeAddRemove-Torch - c:\documents and settings\home\Local Settings\Application Data\Torch\uninstall.exe...**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2013-08-20 15:50Windows 5.1.2600 Service Pack 3 NTFS.scanning hidden processes ... .scanning hidden autostart entries ....scanning hidden files ... .scan completed successfullyhidden files: 0.**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_USERS\S-1-5-21-2025429265-484763869-515967899-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1B620650-0354-F69B-E7BD-75AAE2E4C99F}*]@Allowed: (Read) (RestrictedCode)@Allowed: (Read) (RestrictedCode).[HKEY_USERS\S-1-5-21-2025429265-484763869-515967899-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{32B23C69-15C1-2347-9C03-2560519B1340}*]@Allowed: (Read) (RestrictedCode)@Allowed: (Read) (RestrictedCode).[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]@Denied: (Full) (Everyone)"scansk"=hex(0):b9,58,55,c5,88,9c,1e,09,51,e0,cc,8f,60,66,a7,22,f4,3d,e9,7f,01, 0d,d1,e7,c4,75,e0,1b,f1,d1,91,01,87,60,86,c1,a4,ce,d1,4f,00,00,00,00,00,00,\.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c3a95711-ed4a-4fd3-b676-0c36cb4806c0}]@Denied: (Full) (Everyone)"Model"=dword:00000133"Therad"=dword:0000001d"SpecVersion"=dword:00000147"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26, 38,95,44,88,79,0d,22,8e,33,17,75,f1,ba,a7,8a,bd,54,2a,a9,3e,32,3f,e3,fc,c7,\.--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'winlogon.exe'(604)c:\windows\system32\Ati2evxx.dll.- - - - - - - > 'explorer.exe'(3384)c:\program files\Internet Download Manager\IDMShellExt.dllc:\program files\Internet Download Manager\IDMNetMon.DLLc:\progra~1\WINDOW~2\wmpband.dllc:\windows\system32\ieframe.dllc:\windows\system32\OneX.DLLc:\windows\system32\eappprxy.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.Completion time: 2013-08-20 15:55:13ComboFix-quarantined-files.txt 2013-08-20 10:25.Pre-Run: 6,471,831,552 bytes freePost-Run: 6,451,032,064 bytes free.- - End Of File - - A64E817164C43BDA33BA789F87BE46A88F558EB6672622401DA993E1E865C861 Link to post Share on other sites More sharing options...
Recommended Posts