Suspicious behavior Rogue Programs

Guest name cool

I have many problems, and this infection probably has not been detected.

They are as follows: "Windows is unable to restart / shutdown."

And I tried to delete some programs, but they could not be removed; however, it turned out 'it is that not clean programs, and


Guest name cool

ComboFix 11-03-10.03 - BTC User 03/11/2011 16:57:12.28.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.252 [GMT 3:00]

Running from: c:\documents and settings\BTC User\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

.

----- BITS: Possible infected sites -----

.

hxxp://dl-us-w1.rockmelt.com

.

((((((((((((((((((((((((( Files Created from 2011-02-11 to 2011-03-11 )))))))))))))))))))))))))))))))

.

.

2011-03-10 15:17 . 2011-03-10 15:17 -------- d-----w- c:\documents and settings\BTC User\Application Data\Wieldraaijer

2011-03-10 13:53 . 2011-03-10 13:53 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\RockMelt

2011-03-09 20:15 . 2011-03-09 20:24 -------- d-----w- c:\program files\ToolKitService

2011-03-09 06:38 . 2011-03-09 06:39 -------- d-----w- C:\Hotspot Shield

2011-03-09 06:38 . 2010-11-04 18:43 506880 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll

2011-03-09 06:38 . 2011-03-09 06:39 -------- d-----w- c:\program files\Hotspot Shield

2011-03-07 19:23 . 2011-03-07 19:23 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\Lunarsoft

2011-03-07 19:23 . 2011-03-07 19:23 -------- d-----w- c:\program files\Lunarsoft

2011-03-06 14:22 . 2011-03-06 14:22 -------- d-----w- c:\program files\Common Files\xing shared

2011-03-06 12:43 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-03-06 12:43 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-03-06 12:42 . 2009-02-17 19:09 114688 ----a-w- c:\windows\system32\ChgService.exe

2011-03-06 12:42 . 2008-11-12 03:51 103424 ----a-w- c:\windows\system32\drivers\cmnsusbser.sys

2011-03-06 12:42 . 2008-10-31 18:00 103424 ----a-w- c:\windows\system32\MyDIT_GenClassCoInst.dll

2011-03-06 12:42 . 2011-03-06 12:42 -------- d-----w- c:\program files\Mobily

2011-03-05 08:43 . 2011-03-05 08:43 3584 ----a-r- c:\documents and settings\BTC User\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2011-03-05 08:43 . 2011-03-05 08:43 -------- d-----w- c:\program files\Windows Installer Clean Up

2011-03-05 08:43 . 2011-03-05 08:43 -------- d-----w- c:\program files\MSECACHE

2011-03-04 12:39 . 2011-03-04 12:39 -------- d-----w- c:\program files\Quick ShutDown

2011-03-04 07:21 . 2011-02-28 15:11 109240 ----a-w- c:\program files\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru\components\abhelperxpcom.dll

2011-03-04 07:20 . 2011-02-28 15:11 146104 ----a-w- c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

2011-03-04 07:20 . 2011-03-04 07:39 115267 ----a-w- c:\windows\system32\drivers\klin.dat

2011-03-04 07:20 . 2011-03-04 07:39 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-03-04 07:16 . 2011-03-04 07:16 -------- d-----w- c:\program files\Kaspersky Lab

2011-03-04 07:16 . 2011-03-11 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2011-03-04 07:05 . 2011-03-04 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2011-03-03 14:24 . 2011-03-03 14:26 -------- d-----w- C:\Lop SD

2011-03-03 14:09 . 2011-03-03 14:09 -------- d-----w- c:\documents and settings\BTC User\Application Data\SurfSecret Privacy Suite

2011-03-03 14:09 . 2011-03-03 14:09 -------- d-----w- c:\documents and settings\BTC User\Application Data\Panda Security

2011-03-03 14:07 . 2011-03-03 14:18 -------- d-----w- c:\program files\Panda Security

2011-03-03 14:07 . 2011-03-03 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security

2011-03-03 13:23 . 2011-03-03 13:23 -------- d-----w- c:\program files\SpyZooka

2011-02-28 15:11 . 2011-02-28 15:11 228024 ----a-w- c:\windows\system32\klogon.dll

2011-02-27 14:39 . 2011-02-27 14:39 -------- d-----w- c:\documents and settings\BTC User\Application Data\IObit

2011-02-26 11:26 . 2011-02-26 11:26 2345656 ----a-w- C:\kavremover.exe

2011-02-22 14:19 . 2011-02-22 14:19 -------- d-----w- c:\program files\Conduit

2011-02-22 14:19 . 2011-02-22 14:19 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\PageRage

2011-02-22 14:19 . 2011-02-22 14:19 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\Conduit

2011-02-22 14:18 . 2011-02-23 04:21 -------- d-----w- c:\program files\PageRage

2011-02-21 20:49 . 2011-02-22 05:41 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\AskToolbar

2011-02-21 20:49 . 2011-02-22 05:42 -------- d-----w- c:\program files\Ask.com

2011-02-21 08:50 . 2011-02-21 08:50 -------- d-----w- c:\documents and settings\All Users\Application Data\WCLD8Kw

2011-02-21 08:49 . 2011-02-21 08:50 -------- d-----w- c:\program files\PC Guard for Win32 V5 DEMO

2011-02-19 16:55 . 2011-02-19 16:55 -------- d-----w- c:\program files\Common Files\Java

2011-02-19 10:38 . 2011-02-19 10:38 -------- d-----w- c:\program files\Common Files\DivX Shared

2011-02-19 10:30 . 2011-02-19 10:40 -------- d-----w- c:\program files\DivX

2011-02-19 10:29 . 2011-02-19 10:40 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2011-02-16 16:15 . 2011-02-17 17:47 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\FlickrNet

2011-02-16 16:14 . 2011-02-16 16:15 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\Plusimage

2011-02-16 16:13 . 2011-02-16 16:14 -------- d-----w- c:\program files\Plus! Image

2011-02-16 13:37 . 2011-02-16 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spotmau

2011-02-16 13:37 . 2011-02-16 13:37 -------- d-----w- c:\documents and settings\BTC User\Application Data\spotmau

2011-02-16 13:36 . 2011-02-16 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\pc health check

2011-02-16 13:36 . 2011-02-17 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp360

2011-02-16 13:36 . 2011-02-17 10:36 -------- d-----w- c:\program files\TuneUp360

2011-02-16 11:54 . 2011-02-16 11:54 -------- d-----w- c:\program files\Quick Web Player

2011-02-15 13:32 . 2011-02-02 18:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-02-15 09:21 . 2011-02-15 09:21 11352 ----a-w- c:\windows\system32\drivers\kl2.sys

2011-02-15 09:21 . 2011-02-15 09:21 133720 ----a-w- c:\windows\system32\drivers\kl1.sys

2011-02-14 15:29 . 2011-02-14 15:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2011-02-14 15:24 . 2011-03-10 13:53 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\Temp

2011-02-14 15:24 . 2011-02-14 15:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2011-02-14 15:24 . 2011-02-14 15:24 -------- d-----w- c:\program files\Google

2011-02-14 15:24 . 2011-02-14 15:24 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\Google

2011-02-14 14:17 . 2011-02-14 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!

2011-02-14 14:16 . 2011-02-14 14:16 -------- d-----w- c:\program files\Yuna Software

2011-02-14 14:08 . 2011-02-17 07:54 -------- d-----w- c:\documents and settings\BTC User\Local Settings\Application Data\Axialis

2011-02-12 19:33 . 2011-03-06 14:23 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll

2011-02-12 19:33 . 2011-03-06 14:22 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll

2011-02-12 19:33 . 2011-03-06 14:21 100864 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll

2011-02-12 19:32 . 2011-03-06 14:21 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-02-12 14:52 . 2011-02-12 14:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ant.com

2011-02-12 14:51 . 2011-02-12 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Ant.com

2011-02-12 14:51 . 2011-02-12 14:51 -------- d-sh--w- c:\documents and settings\Default User\PrivacIE

2011-02-12 14:38 . 2011-02-12 14:38 -------- d-----w- c:\program files\MSXML 4.0

2011-02-12 14:13 . 2011-03-09 06:13 -------- d--h--w- c:\windows\$hf_mig$

2011-02-12 08:43 . 2011-02-12 08:43 2329600 ----a-w- c:\windows\system32\TUKernel.exe

2011-02-11 19:46 . 2011-02-11 19:46 -------- d-----w- C:\New Folder

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-09 20:15 . 2011-01-28 12:57 57152 ----a-w- c:\windows\system32\drivers\toolkitdisk.sys

2011-03-06 14:21 . 2010-12-10 08:54 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-09 05:06 . 2011-02-09 05:06 711168 ----a-w- c:\windows\is-4HCFK.exe

2011-02-09 04:42 . 2011-02-09 04:42 737280 ----a-w- c:\windows\iun6002.exe

2011-02-09 04:27 . 2011-02-09 04:27 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys

2011-02-09 04:25 . 2011-02-09 04:25 40960 ----a-r- c:\documents and settings\BTC User\Application Data\Microsoft\Installer\{D652C372-E0A1-456F-80B6-AA3A5183A02C}\NewShortcut1_3F3FBB4316564CE6A509D75C203BC969_2.exe

2011-02-02 18:40 . 2010-10-20 20:30 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-02 16:19 . 2010-10-20 20:30 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58 . 2010-10-20 16:28 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2010-10-20 16:28 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-17 20:03 . 2011-01-17 20:42 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys

2011-01-17 20:02 . 2011-01-17 20:42 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys

2011-01-17 20:02 . 2011-01-17 20:42 45208 ----a-w- c:\windows\system32\drivers\psmounter.sys

2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-12-14 13:43 . 2010-10-31 20:13 31552 ----a-w- c:\windows\system32\TURegOpt.exe

2010-12-14 13:39 . 2011-01-01 18:05 29504 ----a-w- c:\windows\system32\uxtuneup.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-03-05_09.30.23 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-03-11 14:09 . 2011-03-11 14:09 16384 c:\windows\temp\Perflib_Perfdata_1e8.dat

+ 2010-11-07 20:16 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll

- 2010-11-07 20:16 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll

+ 2010-09-22 19:19 . 2010-09-22 19:19 37376 c:\windows\system32\drivers\HssDrv.sys

+ 2011-03-09 20:16 . 2011-03-09 20:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2010-10-20 16:37 . 2011-03-09 20:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2010-10-20 16:37 . 2011-02-07 21:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2011-03-09 20:16 . 2011-03-09 20:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2011-03-06 14:23 . 2011-03-06 14:23 18944 c:\windows\Installer\a4c86a.msi

+ 2011-03-06 14:21 . 2011-03-06 14:21 92672 c:\windows\Installer\a4c85c.msi

- 2011-02-12 19:33 . 2011-02-12 19:33 5632 c:\windows\system32\pndx5032.dll

+ 2011-02-12 19:33 . 2011-03-06 14:21 5632 c:\windows\system32\pndx5032.dll

- 2011-02-12 19:33 . 2011-02-12 19:33 6656 c:\windows\system32\pndx5016.dll

+ 2011-02-12 19:33 . 2011-03-06 14:21 6656 c:\windows\system32\pndx5016.dll

+ 2011-02-12 19:33 . 2011-03-06 14:22 198848 c:\windows\system32\rmoc3260.dll

- 2011-02-12 19:33 . 2011-02-12 19:33 198848 c:\windows\system32\rmoc3260.dll

- 2011-02-12 19:33 . 2011-02-12 19:33 272896 c:\windows\system32\pncrt.dll

+ 2011-02-12 19:33 . 2011-03-06 14:21 272896 c:\windows\system32\pncrt.dll

+ 2011-02-09 13:53 . 2011-02-09 13:53 270848 c:\windows\system32\dllcache\sbe.dll

+ 2011-01-27 11:57 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe

+ 2011-02-09 13:53 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll

+ 2011-02-02 07:58 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll

+ 2010-10-20 21:34 . 2011-03-09 06:24 37943240 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-02-28 200536]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-06 273544]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"HideFastUserSwitching"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStartMenuMyMusic"= 0 (0x0)

"NoSMMyPictures"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"= "c:\progra~1\SpyZooka\spyguard.dll" [2005-05-07 173568]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

.

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [1/17/2011 11:42 PM 16024]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2/15/2011 12:21 PM 11352]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 9:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 9:41 PM 67656]

R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [3/6/2011 3:42 PM 114688]

R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [1/17/2011 11:42 PM 220824]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [12/14/2010 4:41 PM 1517376]

R2 UPDATE_SERVICE_ID;Tippers Update Service;c:\program files\Trustier\TrustierUpdateService.exe [11/2/2010 4:21 PM 180064]

R3 dwlkbf;DwlKbf;c:\windows\system32\drivers\dwlkbf.sys [1/17/2011 7:08 AM 3712]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [11/17/2010 1:24 PM 32344]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2011 6:24 PM 136176]

S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [3/6/2011 3:42 PM 103424]

S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2/9/2011 7:27 AM 23456]

S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [1/17/2011 11:42 PM 45208]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

.

2011-02-09 c:\windows\Tasks\FrontLine Registry Cleaner Scheduled Scan - BTC User.job

- c:\program files\Frontline Registry Cleaner\FrontlineRegistryCleaner.exe [2010-05-11 21:20]

.

2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-14 15:24]

.

2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-14 15:24]

.

2011-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1645522239-789336058-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 11:25]

.

2011-03-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1645522239-789336058-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 11:25]

.

2011-02-09 c:\windows\Tasks\RegAce Scheduled Scan - BTC User.job

- c:\program files\RegAce System Suite\RegAce.exe [2010-10-26 18:56]

.

2011-03-11 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

2011-02-09 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

2011-02-09 c:\windows\Tasks\RegInOut Scheduled Scan - BTC User.job

- c:\program files\RegInOut\RegInOut.exe [2010-08-24 13:31]

.

2011-03-11 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-09-28 19:44]

.

2011-03-11 c:\windows\Tasks\SpeedOptimizer Startup.job

- c:\progra~1\speedo~1\SPO.exe [2011-02-09 05:22]

.

2011-03-11 c:\windows\Tasks\User_Feed_Synchronization-{2A1730A9-1199-48E0-8274-67C170504ADD}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.sa/

IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm

FF - ProfilePath - c:\documents and settings\BTC User\Application Data\Mozilla\Firefox\Profiles\3tmzhj1l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - PageRage Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://search.foxtab.com/?s=0&chnl=irn&cd=2XzutCtN2Y1L1QzutDtDtC0AyBtA0DtA0AtD0ByEtN0C0CzutN0D0TzutBtDtCtCtDtBtCyC&cr=911339592

FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=403&q=

FF - prefs.js: browser.search.selectedEngine - Web Search (eToolKit)

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D3B22A92-87A2-47B6-B3E6-A64877B5C242} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-11 17:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,9a,1c,76,90,b4,c5,4c,84,9e,6b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,9a,1c,76,90,b4,c5,4c,84,9e,6b,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3648)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Hotspot Shield\bin\openvpnas.exe

c:\program files\Hotspot Shield\HssWPR\hsssrv.exe

c:\program files\Hotspot Shield\bin\hsswd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Hotspot Shield\bin\openvpntray.exe

c:\program files\TuneUp Utilities 2011\TuneUpSystemStatusCheck.exe

.

**************************************************************************

.

Completion time: 2011-03-11 17:16:53 - machine was rebooted

ComboFix-quarantined-files.txt 2011-03-11 14:16

ComboFix2.txt 2011-03-08 10:27

ComboFix3.txt 2011-03-05 09:32

ComboFix4.txt 2011-03-03 14:48

ComboFix5.txt 2011-03-11 13:53

.

Pre-Run: 23,026,880,512 bytes free

Post-Run: 23,133,126,656 bytes free

.

- - End Of File - - 3EE8C023316D65A151862FA0EEF06E70

Root Admin

Let's start by temporarily removing ALL Anti-Virus and other security software.

Please uninstall the following:

  1. Kaspersky Anti-Virus and Firewall
  2. Tune-Up Utilities
  3. SurfSecret Privacy Suite
  4. Panda Security
  5. SUPERAntiSpyware
  6. Java
  7. Hotspot Shield Monitoring Service
  8. SpyZooka
  9. TrustierUpdateService
  10. Super Ad Blocker
  11. Google Update Service
  12. Google Toolbar
  13. Macrium Reflect (don't worry, we'll put stuff back cleanly when done; just make sure you have a backup of your data)
  14. Real Player
  15. Reg Cure

If any of these items won't uninstall please write them down by name and let me know.

When you're done please restart the computer and run a New DDS scan and post back the new logs.

DO NOT GO SURFING THE WEB, as the computer is not fully protected and will easily get re-infected.

Guest name cool

I've removed all of them which have been identified.

But I could not remove some programs that I have not found in Add / Remove, or even in the Start menu. To explain more than that: when I select the Start menu to try to remove these programs, I cannot find the option to remove them. This applies to all programs in the Start menu; I cannot find the option to erase them.

And also there are no traces of these programs in Add / Remove. But these programs work from the desktop, although they are not in Add / Remove.

Topckit_2010

TrackZapper.com

Wise Registry Cleaner Professional

Xvid

?????

AV Mix Master

Evidence-Blaster

FaultWire Manager

Spytech SpyAgent

Softdiv MP3 to WAV Converter

save2pc

Registry First Aid

PC Updater

Panda Cloud Antivirus

Ascentive(Performance Center)

Anti-Spy.Info

Google Update Service

Google Toolbar

TrustierUpdateService

Super Ad Blocker

SurfSecret Privacy Suite

RegCure

DDS (Ver_10-12-12.02) - NTFSx86

Run by BTC User at 14:18:03.35 on Sat 03/12/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.299 [GMT 3:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Trustier\TrustierUpdateService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\BTC User\Desktop\vhfffffh\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.sa/

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mPolicies-explorer: <NO NAME> =

mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)

mPolicies-explorer: NoSMMyPictures = 0 (0x0)

mPolicies-system: <NO NAME> =

mPolicies-system: HideFastUserSwitching = 0 (0x0)

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\btcuse~1\applic~1\mozilla\firefox\profiles\3tmzhj1l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - PageRage Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://search.foxtab.com/?s=0&chnl=irn&cd=2XzutCtN2Y1L1QzutDtDtC0AyBtA0DtA0AtD0ByEtN0C0CzutN0D0TzutBtDtCtCtDtBtCyC&cr=911339592

FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=403&q=

FF - prefs.js: browser.search.selectedEngine - Web Search (eToolKit)

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\btc user\application data\mozilla\plugins\np-mswmp.dll

FF - plugin: c:\program files\couponalert_2pei\installr\1.bin\NP2pEISb.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-11-9 54760]

R2 UPDATE_SERVICE_ID;Tippers Update Service;c:\program files\trustier\TrustierUpdateService.exe [2010-11-2 180064]

R3 dwlkbf;DwlKbf;c:\windows\system32\drivers\dwlkbf.sys [2011-1-17 3712]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-14 136176]

S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2011-3-6 103424]

S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-2-9 23456]

S4 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2011-3-6 114688]

=============== Created Last 30 ================

2011-03-11 19:13:10 -------- d-----w- c:\docume~1\btcuse~1\applic~1\Identum

2011-03-11 14:55:56 -------- d-----w- c:\program files\Hotspot Shield

2011-03-10 15:17:01 -------- d-----w- c:\docume~1\btcuse~1\applic~1\Wieldraaijer

2011-03-10 13:53:12 -------- d-----w- c:\docume~1\btcuse~1\locals~1\applic~1\RockMelt

2011-03-09 20:15:53 -------- d-----w- c:\program files\ToolKitService

2011-03-09 06:38:52 -------- d-----w- C:\Hotspot Shield

2011-03-06 12:43:03 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-03-06 12:43:03 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-03-06 12:42:45 114688 ----a-w- c:\windows\system32\ChgService.exe

2011-03-06 12:42:45 103424 ----a-w- c:\windows\system32\MyDIT_GenClassCoInst.dll

2011-03-06 12:42:45 103424 ----a-w- c:\windows\system32\drivers\cmnsusbser.sys

2011-03-06 12:42:44 -------- d-----w- c:\program files\Mobily

2011-03-05 08:43:33 -------- d-----w- c:\program files\MSECACHE

2011-03-04 12:39:26 -------- d-----w- c:\program files\Quick ShutDown

2011-03-04 07:16:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab

2011-03-03 14:24:24 -------- d-----w- C:\Lop SD

2011-03-03 14:09:52 -------- d-----w- c:\docume~1\btcuse~1\applic~1\SurfSecret Privacy Suite

2011-03-03 14:09:19 -------- d-----w- c:\docume~1\btcuse~1\applic~1\Panda Security

2011-03-03 14:07:48 -------- d-----w- c:\program files\Panda Security

2011-03-03 14:07:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security

2011-02-27 14:39:10 -------- d-----w- c:\docume~1\btcuse~1\applic~1\IObit

2011-02-26 11:26:51 2345656 ----a-w- C:\kavremover.exe

2011-02-22 14:19:11 -------- d-----w- c:\program files\Conduit

2011-02-22 14:19:10 -------- d-----w- c:\docume~1\btcuse~1\locals~1\applic~1\PageRage

2011-02-22 14:19:08 -------- d-----w- c:\program files\ConduitEngine

2011-02-22 14:19:08 -------- d-----w- c:\docume~1\btcuse~1\locals~1\applic~1\ConduitEngine

2011-02-22 14:19:07 -------- d-----w- c:\docume~1\btcuse~1\locals~1\applic~1\Conduit

2011-02-22 14:18:42 -------- d-----w- c:\program files\PageRage

2011-02-21 20:49:24 -------- d-----w- c:\docume~1\btcuse~1\locals~1\applic~1\AskToolbar

2011-02-21 20:49:10 -------- d-----w- c:\program files\Ask.com

2011-02-21 08:50:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\WCLD8Kw

2011-02-21 08:49:57 -------- d-----w- c:\program files\PC Guard for Win32 V5 DEMO

2011-02-19 10:38:46 -------- d-----w- c:\program files\common files\DivX Shared

2011-02-19 10:30:41 -------- d-----w- c:\program files\DivX

2011-02-19 10:29:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX

2011-02-16 16:15:35 -------- d-----w- c:\docume~1\btcuse~1\locals~1\applic~1\FlickrNet

2011-02-16 16:13:53 -------- d-----w- c:\program files\Plus! Image

2011-02-16 13:37:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spotmau

2011-02-16 13:37:00 -------- d-----w- c:\docume~1\btcuse~1\applic~1\spotmau

2011-02-16 13:36:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\pc health check

2011-02-16 13:36:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\TuneUp360

2011-02-16 13:36:47 -------- d-----w- c:\program files\TuneUp360

2011-02-16 11:54:20 -------- d-----w- c:\program files\Quick Web Player

2011-02-15 13:32:23 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-02-14 15:24:40 -------- d-----w- c:\docume~1\btcuse~1\locals~1\applic~1\Temp

2011-02-14 15:24:28 -------- d-----w- c:\docume~1\btcuse~1\locals~1\applic~1\Google

2011-02-14 14:17:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Messenger Plus!

2011-02-14 14:16:48 -------- d-----w- c:\program files\Yuna Software

2011-02-14 14:08:12 -------- d-----w- c:\docume~1\btcuse~1\locals~1\applic~1\Axialis

2011-02-12 14:51:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Ant.com

2011-02-12 14:38:28 -------- d-----w- c:\program files\MSXML 4.0

2011-02-12 14:13:02 -------- d--h--w- c:\windows\$hf_mig$

2011-02-12 08:43:49 2329600 ----a-w- c:\windows\system32\TUKernel.exe

2011-02-11 19:46:52 -------- d-----w- C:\New Folder

==================== Find3M ====================

2011-03-06 14:21:29 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-09 05:06:18 711168 ----a-w- c:\windows\is-4HCFK.exe

2011-02-09 04:42:48 737280 ----a-w- c:\windows\iun6002.exe

2011-02-02 18:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec

============= FINISH: 14:18:58.73 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/20/2010 7:35:23 PM

System Uptime: 3/12/2011 2:16:44 PM (0 hours ago)

Motherboard: Hewlett-Packard | | 30D5

Processor: Intel® Celeron® M CPU 440 @ 1.86GHz | U10 | 1861/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 33 GiB total, 22.179 GiB free.

D: is FIXED (NTFS) - 41 GiB total, 32.792 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP41: 2/9/2011 12:20:12 AM - System Checkpoint

RP42: 2/9/2011 7:12:22 AM - Advanced Registry Optimizer 2010 - Before Installation

RP43: 2/9/2011 7:12:54 AM - ADVANCED REGISTRY OPTIMIZER 2010- FIRST RUN

RP44: 2/9/2011 7:15:10 AM - Advanced Registry Optimizer 2010 Wed, Feb 09, 11 07:15

RP45: 2/9/2011 7:15:34 AM - Advanced Registry Optimizer 2010 - Before Optimize

RP46: 2/9/2011 7:25:41 AM - Installed MultiCycle AV for Windows Demo

RP47: 2/9/2011 7:54:48 AM - Installed PC Registry Cleaner

RP48: 2/9/2011 7:56:35 AM - Installed Pc Optimizer 360 setup

RP49: 2/9/2011 8:21:18 AM - Installed AV Mix Master 3

RP50: 2/9/2011 8:24:41 AM - Installed WOT for Internet Explorer

RP51: 2/9/2011 8:26:12 AM - Installed UpdateStar

RP52: 2/11/2011 1:36:12 AM - System Checkpoint

RP53: 2/12/2011 5:37:03 PM - Software Distribution Service 3.0

RP54: 2/12/2011 7:42:12 PM - Removed SlimCleaner

RP55: 2/12/2011 7:42:21 PM - Installed SlimCleaner

RP56: 2/14/2011 5:11:12 PM - Removed HiYo.

RP57: 2/15/2011 4:31:50 PM - Installed Java 6 Update 23

RP58: 2/17/2011 2:13:28 AM - ComboFix created restore point

RP59: 2/17/2011 1:29:21 PM - Removed Ant.com IE add-on

RP60: 2/17/2011 1:32:10 PM - Removed Cozi

RP61: 2/17/2011 1:34:02 PM - Removed Ask Toolbar.

RP62: 2/17/2011 1:35:29 PM - Removed WinShredder

RP63: 2/17/2011 1:37:50 PM - Removed Super Ad Blocker

RP64: 2/17/2011 1:45:52 PM - Removed PC SpeedScan Pro

RP65: 2/17/2011 1:53:21 PM - Removed SlimCleaner

RP66: 2/19/2011 5:52:12 PM - System Checkpoint

RP67: 2/19/2011 7:54:29 PM - Installed Java 6 Update 24

RP68: 2/21/2011 11:00:22 AM - System Checkpoint

RP69: 2/22/2011 2:09:27 PM - System Checkpoint

RP70: 2/24/2011 11:56:41 PM - Removed Kaspersky Internet Security 2011.

RP71: 2/26/2011 12:35:06 AM - System Checkpoint

RP72: 2/27/2011 1:17:27 PM - System Checkpoint

RP73: 2/28/2011 9:30:23 PM - Software Distribution Service 3.0

RP74: 3/3/2011 4:23:10 PM - Installed SpyZooka

RP75: 3/4/2011 10:16:11 AM - Installed Kaspersky Internet Security 2012 Beta.

RP76: 3/5/2011 11:43:44 AM - Installed Windows Installer Clean Up

RP77: 3/5/2011 12:05:30 PM - Installed Microsoft Fix it 50195

RP78: 3/5/2011 2:57:56 PM - Software Distribution Service 3.0

RP79: 3/7/2011 12:33:21 PM - System Checkpoint

RP80: 3/9/2011 9:24:02 AM - Software Distribution Service 3.0

RP81: 3/10/2011 10:46:57 AM - System Checkpoint

RP82: 3/11/2011 6:47:16 PM - System Checkpoint

RP83: 3/12/2011 1:47:38 PM - Removed TuneUp Utilities 2011

RP84: 3/12/2011 1:48:15 PM - Removed TuneUp Utilities Language Pack (en-US)

RP85: 3/12/2011 1:48:34 PM - Removed Windows Installer Clean Up

RP86: 3/12/2011 1:48:52 PM - Removed SpyZooka

RP87: 3/12/2011 1:52:30 PM - Removed Macrium Reflect - Free Edition

RP88: 3/12/2011 1:53:07 PM - Removed Java 6 Update 22

RP89: 3/12/2011 1:58:30 PM - Removed Kaspersky Internet Security 2012 Beta.

==== Installed Programs ======================

???? ??? Windows Live

???? ??????? ?? Windows Live

???? ??????? Windows Live Upload Tool

???? Windows Live

????? ????? ?????? ??? Windows Live

ACDSee Photo Manager 12

Adobe Flash Player 10 ActiveX

ALTools Update

ALZip

Ask Toolbar

Broadcom 802.11 Wireless LAN Adapter

Capture&Send

CCleaner

Conduit Engine

Conexant HD Audio

DivX Setup

Final Uninstaller

GOM Player

Google Update Helper

HDAUDIO Soft Data Fax Modem with SmartCP

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB954550-v5)

HP Product Detection

Image Resizer Powertoy for Windows XP

iMesh

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

Junk Mail filter update

Masterra PostSmile 7.0

Messenger Plus! 5

MessengerDiscovery 2.5.95

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

Mozilla Firefox (3.6.13)

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

PageRage Toolbar

PC Guard for Win32 V5.06 DEMO

Quick ShutDown

runtime

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Segoe UI

Snagit 10

Spytech SpyAgent

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VC80CRTRedist - 8.0.50727.4053

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live Writer

Windows Media Format 11 runtime

Windows Media Player 11

==== Event Viewer Messages From Past Week ========

3/9/2011 6:48:11 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001A73D3A0B4. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

3/8/2011 12:33:06 PM, error: Dhcp [1002] - The IP address lease 10.85.88.21 for the Network Card with network address 00FFEE4B2CAD has been denied by the DHCP server 10.82.63.254 (The DHCP Server sent a DHCPNACK message).

3/8/2011 12:04:51 PM, error: Dhcp [1002] - The IP address lease 10.85.80.41 for the Network Card with network address 00FFEE4B2CAD has been denied by the DHCP server 10.85.95.254 (The DHCP Server sent a DHCPNACK message).

3/8/2011 11:48:36 AM, error: Dhcp [1002] - The IP address lease 10.85.32.20 for the Network Card with network address 00FFEE4B2CAD has been denied by the DHCP server 10.85.87.254 (The DHCP Server sent a DHCPNACK message).

3/8/2011 1:12:14 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

3/8/2011 1:12:14 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/7/2011 11:35:49 PM, error: Service Control Manager [7034] - The Tippers Update Service service terminated unexpectedly. It has done this 1 time(s).

3/7/2011 11:35:49 PM, error: Service Control Manager [7034] - The Macrium Reflect Image Mounting Service service terminated unexpectedly. It has done this 1 time(s).

3/7/2011 11:35:49 PM, error: Service Control Manager [7034] - The Change Modem Device Service service terminated unexpectedly. It has done this 1 time(s).

3/7/2011 10:20:45 AM, error: Dhcp [1002] - The IP address lease 192.168.1.65 for the Network Card with network address 001A73D3A0B4 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

3/6/2011 6:32:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SABKUTIL

3/6/2011 10:57:01 AM, error: Service Control Manager [7034] - The Hotspot Shield Monitoring Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2011 10:56:55 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.

3/6/2011 10:56:45 AM, error: Service Control Manager [7034] - The Hotspot Shield Routing Service service terminated unexpectedly. It has done this 1 time(s).

3/6/2011 10:05:29 AM, error: PSched [14107] - QoS [Adapter {D58D764D-F4EB-404D-9DDB-71913487C3FB}]: The Packet Scheduler could not initialize the virtual miniport with NDIS.

3/6/2011 10:05:29 AM, error: PSched [14107] - QoS [Adapter {2FA42387-CEB0-4BA7-B015-DBC954DDF511}]: The Packet Scheduler could not initialize the virtual miniport with NDIS.

3/5/2011 9:57:26 AM, error: Dhcp [1002] - The IP address lease 10.71.128.17 for the Network Card with network address 00FF29F762D7 has been denied by the DHCP server 10.68.79.254 (The DHCP Server sent a DHCPNACK message).

3/5/2011 9:02:31 AM, error: Dhcp [1002] - The IP address lease 10.41.48.63 for the Network Card with network address 00FF29F762D7 has been denied by the DHCP server 10.71.135.254 (The DHCP Server sent a DHCPNACK message).

3/5/2011 11:04:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/5/2011 11:03:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

3/5/2011 11:03:23 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec kl2 KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss SABKUTIL SASDIFSV SASKUTIL Tcpip

3/5/2011 11:03:23 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/5/2011 11:03:23 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/5/2011 11:03:23 AM, error: Service Control Manager [7001] - The Hotspot Shield Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.

3/5/2011 11:03:23 AM, error: Service Control Manager [7001] - The fssfltr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/5/2011 11:03:23 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/5/2011 11:03:23 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

3/5/2011 11:02:53 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

3/12/2011 9:15:32 AM, error: Dhcp [1002] - The IP address lease 10.85.72.45 for the Network Card with network address 00FF56E3D2AC has been denied by the DHCP server 10.66.23.254 (The DHCP Server sent a DHCPNACK message).

3/12/2011 1:15:43 PM, error: Dhcp [1002] - The IP address lease 10.66.16.32 for the Network Card with network address 00FF56E3D2AC has been denied by the DHCP server 10.66.87.254 (The DHCP Server sent a DHCPNACK message).

3/11/2011 9:56:09 PM, error: Dhcp [1002] - The IP address lease 10.64.40.34 for the Network Card with network address 00FF56E3D2AC has been denied by the DHCP server 10.85.79.254 (The DHCP Server sent a DHCPNACK message).

3/11/2011 4:22:48 PM, error: System Error [1003] - Error code 10000050, parameter1 fffffff8, parameter2 00000000, parameter3 a79745ec, parameter4 00000000.

3/11/2011 4:10:35 PM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom0.

==== End Of File ===========================


  • Root Admin

STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from here
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say NO to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK.
  • Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02

Please download and install HijackThis then start HijackThis.

  • On the main menu click on Open the Misc Tools section button.
  • Click on the Open Uninstall Manager button.
  • Scroll through the list and highlight each program that will not remove from the Add/Remove list, then click the Delete this entry button.
  • Be careful not to remove any valid entries.
  • When done, go ahead and close the program.

STEP 03

Click on START - RUN and type in CMD and click OK

At the DOS prompt type in the following line by line and then press the ENTER key at the end of each line

SC DELETE fssfltr

SC DELETE UPDATE_SERVICE_ID

SC DELETE dwlkbf

SC DELETE SABKUTIL

SC DELETE gupdate

This file here is actually legit if not infected but for now I'd like to remove it. If you need this then you can reinstall it later.

SC DELETE cmnsusbser

SC DELETE "Change Modem Device Service"

Let me know if any give an error on removal

STEP 04

Also just to make sure we're not dealing with Sality please visit this link and download the tool and run it.

Let me know what it finds or does

SalityKiller by Kaspersky

STEP 05

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab. I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives.
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (In this case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.

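A safer way to carry out the STEP 03 removals is to record each service's configuration and export its registry key before running SC DELETE, so a deletion that turns out to break something (as happened later in this thread) can be undone with REG IMPORT and a reboot. This is an added example, not the Root Admin's script: the backup folder C:\ServiceBackup is my choice, the service names are the ones from STEP 03, and it assumes it is run from an Administrator account on the affected XP machine.

```batch
@echo off
setlocal enabledelayedexpansion

REM Where the per-service backups go. This path is my choice, not from the thread.
set "BACKUP=C:\ServiceBackup"
if not exist "%BACKUP%" mkdir "%BACKUP%"

REM The service names from STEP 03. The last one contains spaces, so every
REM name is quoted; %%~S below strips the quotes again.
set SERVICES="fssfltr" "UPDATE_SERVICE_ID" "dwlkbf" "SABKUTIL" "gupdate" "cmnsusbser" "Change Modem Device Service"

for %%S in (%SERVICES%) do (
    set "NAME=%%~S"
    REM File-safe name: spaces become underscores.
    set "FILE=!NAME: =_!"
    echo === !NAME! ===

    REM 1. Record the current configuration: binary path, start type and
    REM    dependencies, so you know what the service was before removal.
    sc qc "!NAME!" > "%BACKUP%\!FILE!.qc.txt" 2>&1
    if errorlevel 1 (
        echo   sc qc failed - service probably does not exist; skipping
    ) else (
        REM 2. Export the service's registry key. REG IMPORT of this file
        REM    followed by a reboot restores the service definition.
        if exist "%BACKUP%\!FILE!.reg" del "%BACKUP%\!FILE!.reg"
        reg export "HKLM\SYSTEM\CurrentControlSet\Services\!NAME!" "%BACKUP%\!FILE!.reg" >nul 2>&1
        if errorlevel 1 (
            echo   registry export failed - NOT deleting !NAME!
        ) else (
            REM 3. Only now delete, and report failures as the thread asks.
            REM    sc delete marks the service; it disappears on reboot.
            sc delete "!NAME!" > "%BACKUP%\!FILE!.delete.txt" 2>&1
            if errorlevel 1 (
                echo   ERROR !errorlevel! deleting !NAME! - see !FILE!.delete.txt
            ) else (
                echo   marked !NAME! for deletion
            )
        )
    )
)

echo.
echo Backups are in %BACKUP%. To undo a deletion:
echo   reg import "%BACKUP%\name.reg"   then restart the computer.
endlocal
```

Keep the ERUNT backup from STEP 01 as well; the per-service .reg files only cover the keys of the services touched here, not the rest of the registry.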


Guest name cool

So what's up name cool? Have you run the requested tasks yet?

Please post an update.

Yes, I did, but I think something went wrong here at Step 3: when I used these commands and then restarted the system, after it started I could not control the mouse pointer, and then, to my surprise, when I pressed buttons on the keyboard they stayed stuck the whole time.

I had to shut down the system from the power button, especially since I could not use the mouse or keyboard.

update

After the miserable attempts to recover the backup, the system has already been destroyed.


  • Root Admin

Well then as we've said before. The best thing to do is format the drive and re-install Windows again.

This time though make sure you make good valid backups of the system and the registry at different points in time so that you can easily repair if something does go wrong.


Guest name cool

What about this program, or whatever the utility is called, which caused the destruction of the system after an attempt to recover the registry, since it is the first time I used it?


  • Root Admin

The only utility I can think of that you may be thinking of is ERUNT which is used by MILLIONS of people around the World with no issue. It is recommended and used hundreds of times a day by forums all over. There is nothing wrong with that program, as said - your computer's own registry is screwed up big time and trying to blame other tools or processes won't fix it.

The Windows REGISTRY is made up of millions of keys and controls how Windows functions. If you alter items improperly (evidenced by logs) then Windows is going to have a hard time working.

I'm sorry but it's up to you. You can continue to try and salvage the system and have a crippled system even when you think you're done and spend days or weeks on it, or you can format the drive and re-install Windows. As long as you have the CD, the installation Key and the drivers for your NIC card you can have the system back up and running GOOD in a matter of a couple hours.


Guest name cool

I have a few questions about this utility ..

Perhaps it helps to make a backup of the registry, but does this tool also serve as a Windows backup tool? And what is the difference between this tool and other backup tools, if any?

How can I use a system restore point? And when should I use a restore point? Note that I have not used it yet, even once.

And as for Macrium: can I install it and retrieve the backup? Note that Windows was completely re-installed, but I wonder whether it is possible to restore my files after all these problems?

And also with the new system I am having trouble navigating, with semi-blank pages appearing and an inability to browse lots of sites; there is still suspicious behavior like that of the rootkit.

And thank you for all of this information.
