Solved: Malware, virus, spyware or trojan, what is this?
sssrgg (Junior Member, 10 posts, joined Sep 2009, Experience: Advanced)
18-Sep-2009, 07:18 PM #1
Malware, virus, spyware or trojan, what is this?
I ran into a serious problem. I suspect a scanner-killer malware has intruded into my computer.

Advanced System Care 3 closed automatically when it tried to run Security Analyzer. AVG and Secunia PSI detected nothing. All other scanners crashed before they completed the job; I tried RootkitRevealer, Driver Scanner, HijackThis, Security 360, Spybot S&D, SpywareBlaster, Malwarebytes' Anti-Malware, Registry Cleaner etc. Once they have crashed, I cannot even re-run them unless I uninstall, run CCleaner and reinstall. But then, again it crashes in the middle and displays an "either file path or registry is missing" kind of message.

HijackThis displayed the message "An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSectopm=boot, sValue=Shell) Error #5 - Invalid procedure call or argument" before crashing. I could not even run or install HijackThis a second time.

The problem started this morning after I decided to respond to a message to update the Adobe Flash Player HD plugin for Firefox 3.5.3. This downloaded an update file which uninstalled the existing Adobe Flash Player plugin.

After some time, I noticed high bandwidth consumption of internet traffic. I unplugged the internet. Then I found heavy CPU consumption, which was from unknown a.exe and b.exe programs. I killed them from Task Manager but they reloaded soon. Both these files were in the Temporary folder. I also found a huge file named a.dat which had been created just a few minutes earlier. I deleted them manually to get rid of the automatic re-loading and resource consumption. A few minutes later, the CPU was again heavily loaded, but this time msa.exe was the culprit, which was loading from the C:\WINDOWS folder. I killed this file too.

To make sure my registry and security were not breached, I then ran Advanced System Care 3 (FREE), which crashed immediately. I then started to discover that all kinds of scanning software crash before doing their job once they try to access security settings.

I would appreciate it if anyone could confirm this is not a new problem, and show me there is a way to solve it. Thank you so much.

System: Windows XP SP3 (NT 5.01.2600)
Let me know what additional information may be helpful for you to understand this problem. You may email me at sssrgg at gmail dot com.

Last edited by sssrgg : 18-Sep-2009 07:24 PM.
emeraldnzl (Senior Member, 644 posts, joined Nov 2007, Auckland, N.Z.)
19-Sep-2009, 05:30 PM #2
Hello sssrgg,

See if you can run this:

Please download Win32kDiag.exe to your Desktop.

Double-click to run it.

A log should appear when it is finished.

Copy and paste back here.
sssrgg (Junior Member, 10 posts, joined Sep 2009, Experience: Advanced)
20-Sep-2009, 01:08 PM #3
Hello emeraldnzl, thank you for taking interest in my problem. I have run win32kdiag.exe in safe mode and am going to paste the log file below. A friend of mine suggested I try running those scanning programs in safe mode. I followed his suggestion and tried Advanced System Care 3, HijackThis, Malwarebytes etc. But that did not make any difference. All programs crashed similar to the previous trials in normal mode.

---------------------------------------
Running from: M:\WUTempSecurity\Win32kDiag.exe
Log file at : C:\Documents and Settings\Roshan\デスクトップ\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$regcmp$\$regcmp$
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP197.tmp\ZAP197.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27A.tmp\ZAP27A.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A5.tmp\ZAP2A5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B1.tmp\ZAP2B1.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP375.tmp\ZAP375.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB.tmp\ZAPBB.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Debug\Setup\Backup\Backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Downloaded Program Files\Downloaded Program Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\I386\WIN9XMIG\MSNEXPLR\MSNEXPLR
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA14010000ABE7000000000020\7.0.0\7.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\833B33D2B1AEAE43DBF7BB5D49780EA3\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\A1ADB58DE38916C3F8305E9F3C4970C5\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-02-12 16:05:26 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-02-12 16:05:26 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-02-12 16:05:26 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07
Mount point destination : \Device\__max++>\^

Finished!
emeraldnzl (Senior Member, 644 posts, joined Nov 2007, Auckland, N.Z.)
20-Sep-2009, 05:03 PM #4
Hello sssrgg,

Quote:
A friend of mine suggested me to try running those scanning softwares in safe mode.
That might work if program conflict was causing the problem; it would make no difference with the infection your machine has.

Please carry out the following things in normal mode.

Now

Make sure the win32kdiag.exe file is on your desktop.

Click on Start > Run (Vista Orb), and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Next

Download Combofix from either of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for review.
__________________
Manners are the basis of a civilised society and make everyone's lives just a little happier. They cost nothing but they are worth so much. Quote by Daniela Cirignano
sssrgg (Junior Member, 10 posts, joined Sep 2009, Experience: Advanced)
20-Sep-2009, 09:49 PM #5
Hello emeraldnzl, thank you for the further instructions. I am going to follow your suggestion with Combofix. Meanwhile, I figured out that this infection is very dangerous and powerful. It must be a new one which is able to lock many anti-virus/anti-spyware programs. It hits them at their first execution. Then the anti-virus/anti-spyware program neither runs nor can be deleted easily. I found that the Spybot Search & Destroy executable file could not be deleted and would not run even after re-installation. I needed to use a Cygwin bash command to delete the locked file before being able to re-install. Same is the story with HijackThis. I am still unable to uninstall AVG 8.5. It has also locked Microsoft's malware removal tool, and I cannot run that either. I figured out that there is a script trying to run on my computer when I click on any link. To get to the proper site, I have to manually type the web address in the title bar. Otherwise, my clicks are diverted to some strange websites. The NoScript plugin is asking permission for "google.com...e.net" (notice e.net added after three dots to mislead). If I give permission, it then opens different sites diverted from the intended ones, but the proper site is blocked. Here is the win32kdiag log file, which was obtained in the normal mode run.

------------------------------------------
Running from: M:\WUTempSecurity\Win32kDiag.exe
Log file at : C:\Documents and Settings\Roshan\デスクトップ\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$regcmp$\$regcmp$
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP197.tmp\ZAP197.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27A.tmp\ZAP27A.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A5.tmp\ZAP2A5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B1.tmp\ZAP2B1.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP375.tmp\ZAP375.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB.tmp\ZAPBB.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Debug\Setup\Backup\Backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Downloaded Program Files\Downloaded Program Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\I386\WIN9XMIG\MSNEXPLR\MSNEXPLR
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA14010000ABE7000000000020\7.0.0\7.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\833B33D2B1AEAE43DBF7BB5D49780EA3\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\A1ADB58DE38916C3F8305E9F3C4970C5\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-02-12 16:05:26 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-02-12 16:05:26 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-02-12 16:05:26 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-08-28 17:38:20 24689600 C:\WINDOWS\system32\MRT.exe ()

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07
Mount point destination : \Device\__max++>\^

Finished!
-----------------------------
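Two things in the Win32kDiag logs of posts #3 and #5 carry the diagnosis: every reparse point found under C:\WINDOWS resolves to the raw device name `\Device\__max++>\^` rather than through the `\??\` object directory that a normal junction or volume mount point uses (e.g. `\??\C:\...`), and each junction is named after its own parent directory (`C:\WINDOWS\addins\addins`); separately, the locked `C:\WINDOWS\system32\eventlog.dll` is 61952 bytes with an empty vendor string, while the pristine copy under `ServicePackFiles\i386` is 56320 bytes from Microsoft Corporation. The ComboFix report in post #8 confirms the second point when it restores eventlog.dll from exactly that backup. The script below is an added example, not part of this thread and not code from Win32kDiag or ComboFix: it parses a log in the same line format and flags both patterns. The sample log embedded in it is constructed for the example (a trimmed copy of the thread's log shape), the `\??\` rule and the backup directory names are assumptions about a stock Windows XP install, and a locked file with no backup copy to compare against (MRT.exe here) is reported as unverified rather than as infected.

```python
"""Added example: triage a Win32kDiag-style log for suspicious reparse
points and for locked system files that differ from their backup copy.
Not part of the thread and not code from Win32kDiag or ComboFix."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's log (trimmed, not the real file).
SAMPLE_LOG = r"""Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^

Found mount point : C:\Users\Public\Documents
Mount point destination : \??\C:\Shared\Docs

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-02-12 16:05:26 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-02-12 16:05:26 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-02-12 16:05:26 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-08-28 17:38:20 24689600 C:\WINDOWS\system32\MRT.exe ()

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination : (.+?)\s*$")
CANNOT_RE = re.compile(r"^Cannot access: (.+?)\s*$")
# "[n] YYYY-MM-DD HH:MM:SS size path (vendor)"; vendor may be empty.
FILE_RE = re.compile(r"^\[\d+\] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) (.+?) \((.*)\)\s*$")

# Assumption: a stock XP install keeps pristine copies in these directories.
BACKUP_DIRS = ("\\servicepackfiles\\", "\\dllcache\\")


@dataclass
class Finding:
    kind: str    # "mount" | "modified" | "unverified"
    path: str
    detail: str


def is_suspicious_mount(link: str, dest: str) -> bool:
    # A benign junction or volume mount point resolves through the \??\
    # object directory (\??\C:\..., \??\Volume{...}). A bare device name as
    # destination is abnormal, and so is a junction named after its own
    # parent directory (C:\WINDOWS\addins\addins), the pattern in the thread.
    if not dest.lower().startswith("\\??\\"):
        return True
    parts = link.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def check_locked_file(target: str, entries: list[tuple[str, int, str]]) -> list[Finding]:
    """Compare the locked file with backup copies listed in the same block."""
    t = target.lower()
    live = next((e for e in entries if e[0].lower() == t), None)
    if live is None:
        return [Finding("unverified", target, "no size/vendor line for the locked file")]
    base = t.rsplit("\\", 1)[-1]
    backups = [e for e in entries
               if e[0].lower().rsplit("\\", 1)[-1] == base
               and any(d in e[0].lower() for d in BACKUP_DIRS)]
    _, live_size, live_vendor = live
    if not backups:
        note = "no backup copy to compare"
        if not live_vendor:
            note += "; vendor string empty"
        return [Finding("unverified", target, note)]
    out = []
    for bpath, bsize, bvendor in backups:
        if bsize != live_size or bvendor != live_vendor:
            out.append(Finding("modified", target,
                               f"{live_size} bytes ({live_vendor or 'no vendor'}) vs "
                               f"{bsize} bytes ({bvendor}) in {bpath}"))
    return out


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    pending_mount = None   # link path waiting for its destination line
    locked = None          # path from the last "Cannot access" line
    group: list[tuple[str, int, str]] = []   # file lines belonging to it

    def flush() -> None:
        nonlocal locked, group
        if locked is not None:
            findings.extend(check_locked_file(locked, group))
        locked, group = None, []

    for line in log_text.splitlines():
        if m := MOUNT_RE.match(line):
            flush()
            pending_mount = m.group(1)
        elif m := DEST_RE.match(line):
            if pending_mount and is_suspicious_mount(pending_mount, m.group(1)):
                findings.append(Finding("mount", pending_mount, "-> " + m.group(1)))
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            flush()
            locked = m.group(1)
        elif m := FILE_RE.match(line):
            size, path, vendor = m.groups()
            group.append((path, int(size), vendor))
    flush()
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:10} {f.path}  {f.detail}")
```

Run against a real Win32kDiag.txt by passing the file's contents to `triage()`. The size comparison is only meaningful when the backup copy is at the same service-pack level as the live file, which is why the script reports, rather than decides, and why a file with no listed backup stays "unverified".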
emeraldnzl (Senior Member, 644 posts, joined Nov 2007, Auckland, N.Z.)
20-Sep-2009, 10:22 PM #6
Quote:
Meanwhile, I figured out that this infection is very dangerous and powerful. It must be new one which is able to lock many anti-virus/anti-spyware programs.
Yes it is a new one and it not only does what you say but it attacks system files and can render your machine unbootable. In addition it is evolving all the time so we never know exactly what we are dealing with.

Please just do the actions I tell you in the order they are set.

This infection reacts to programs being run and you may change things by doing things in between our fixes.

Also stay off the internet as much as possible until we get your computer clean.
sssrgg (Junior Member, 10 posts, joined Sep 2009, Experience: Advanced)
21-Sep-2009, 08:15 AM #7
Hello emeraldnzl,

I am excited to inform you that your solution tool has successfully cleaned the infection on my computer. I am going to attach a copy of the ComboFix log file.

After cleaning up, I tried running the other programs which were locked after I got infected. Advanced System Care 3, Spybot Search & Destroy, HijackThis, IObit Security 360, Registry Cleaner, Malwarebytes: all of these programs are now able to scan the computer and provide their solutions. They were all locked on their first execution when my computer was infected. Since all of these programs do run, I assume that ComboFix has successfully removed the infection.

Advanced System Care 3 reported and cleaned more than 2000 registry problems, CCleaner reported more than 150 problems, and Registry Cleaner found an additional 400 errors. All these problems must be due to the same infection. I am pretty sure that the computer had no problems before the infection, as I usually run computer-cleaning software on a regular basis.

I am very thankful for your generous support, and a big hug from me for your kindness. Please let me know if you have any further suggestions to get rid of possible future attacks.

Thanks a lot.
emeraldnzl (Senior Member, 644 posts, joined Nov 2007, Auckland, N.Z.)
21-Sep-2009, 02:51 PM #8
I have taken the liberty of posting this in the forum. Easier to analyse.

ComboFix 09-09-18.02 - Roshan 2009/09/20 22:24.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.932.81.1041.18.1014.530 [GMT -4:00]
Running from: c:\documents and settings\Roshan\デスクトップ\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1454471165-879983540-682003330-500
c:\windows\Installer\129c6b58.msp
c:\windows\Installer\12aa0130.msp
c:\windows\Installer\12d9455b.msp
c:\windows\Installer\12f60bec.msp
c:\windows\Installer\146a51.msp
c:\windows\Installer\14cb5d.msp
c:\windows\Installer\15730a0.msp
c:\windows\Installer\164f960.msp
c:\windows\Installer\169167.msp
c:\windows\Installer\16b26c.msp
c:\windows\Installer\1855616f.msp
c:\windows\Installer\18556172.msp
c:\windows\Installer\18556175.msp
c:\windows\Installer\1884b1f.msp
c:\windows\Installer\188d570e.msp
c:\windows\Installer\188d5711.msp
c:\windows\Installer\21c274.msp
c:\windows\Installer\245b841f.msp
c:\windows\Installer\2662698.msp
c:\windows\Installer\2ae9cb57.msp
c:\windows\Installer\2b563c06.msp
c:\windows\Installer\2edf0.msp
c:\windows\Installer\30d0d99.msp
c:\windows\Installer\30e90643.msp
c:\windows\Installer\30e90646.msp
c:\windows\Installer\32b07d52.msp
c:\windows\Installer\32c07517.msp
c:\windows\Installer\3d429.msp
c:\windows\Installer\49185f3.msp
c:\windows\Installer\4f7ff59.msp
c:\windows\Installer\51aa1f0.msp
c:\windows\Installer\5c67e2.msp
c:\windows\Installer\6d728.msp
c:\windows\Installer\779e844.msp
c:\windows\Installer\7fdfa.msi
c:\windows\Installer\929ed5.msi
c:\windows\Installer\a457ec1.msp
c:\windows\Installer\f0ab9.msi
c:\windows\Installer\f2dd495.msp
c:\windows\system32\drivers\Sonyhcp.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-20 18:55 . 2009-09-20 21:22 0 ----a-r- c:\windows\win32k.sys
2009-09-20 18:48 . 2009-09-20 18:48 -------- d-----w- c:\documents and settings\Roshan\Application Data\WinPatrol
2009-09-20 18:48 . 2005-03-24 04:09 0 ----a-w- c:\documents and settings\Roshan\Application Data\WinPatrol\Config.sys
2009-09-20 18:48 . 2005-03-24 04:09 0 ----a-w- c:\documents and settings\Roshan\Application Data\WinPatrol\Autoexec.bat
2009-09-18 22:11 . 2009-09-18 22:11 -------- d-----w- c:\documents and settings\Roshan\Application Data\Malwarebytes
2009-09-18 22:11 . 2009-09-18 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-18 21:39 . 2009-09-20 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-18 17:49 . 2009-09-18 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-09-08 23:01 . 2009-06-21 21:43 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-04 20:09 . 2009-09-04 20:09 2989 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-09-01 22:18 . 2009-09-01 22:18 -------- d-----w- c:\documents and settings\Roshan\Application Data\Foxit Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 01:52 . 2008-05-27 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-20 15:13 . 2008-12-26 15:58 -------- d-----w- c:\program files\Premium Booster
2009-09-19 12:52 . 2009-04-14 03:21 287630 ----a-w- c:\windows\system32\prfh0411.dat
2009-09-19 12:52 . 2009-04-14 03:21 95142 ----a-w- c:\windows\system32\prfc0411.dat
2009-09-19 12:14 . 2007-09-07 04:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-18 21:35 . 2005-03-24 04:02 -------- d-----w- c:\program files\Sigmatel
2009-09-18 21:32 . 2008-12-26 20:29 -------- d-----w- c:\program files\Realtek
2009-09-18 21:32 . 2008-02-10 17:54 -------- d-----w- c:\program files\Yahoo!
2009-09-18 21:21 . 2009-01-16 12:14 -------- d-----w- c:\documents and settings\Roshan\Application Data\Uniblue
2009-09-18 19:09 . 2007-11-30 16:38 -------- d-----w- c:\program files\Virtual Dimension
2009-09-18 18:09 . 2009-02-04 15:34 -------- d-----w- c:\program files\IObit
2009-09-04 20:19 . 2008-10-12 12:37 1 ----a-w- c:\documents and settings\Roshan\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-09-04 20:08 . 2009-08-01 12:30 515760 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-09-04 20:07 . 2009-08-01 12:30 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-09-04 14:59 . 2008-01-27 22:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-19 12:15 . 2008-08-19 15:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-19 12:15 . 2008-08-19 15:33 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-19 12:15 . 2008-08-19 15:33 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-17 16:42 . 2009-08-17 16:42 -------- d-----w- c:\program files\Secunia
2009-08-14 21:04 . 2009-08-14 21:04 239088 ----a-w- c:\documents and settings\Roshan\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-08-09 09:44 . 2005-05-30 10:52 -------- d-----w- c:\program files\Maruo
2009-08-09 09:06 . 2008-01-17 14:46 -------- d-----w- c:\program files\Java
2009-08-09 09:05 . 2009-08-09 08:56 152576 ----a-w- c:\documents and settings\Roshan\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-09 08:58 . 2008-10-27 17:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-05 08:59 . 2005-03-24 02:52 202752 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-02 17:55 . 2005-05-30 11:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 16:48 . 2008-03-30 04:01 -------- d-----w- c:\documents and settings\Roshan\Application Data\Apple Computer
2009-08-01 18:19 . 2009-03-05 19:38 -------- d-----w- c:\program files\Everything
2009-08-01 17:56 . 2008-09-25 12:17 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-08-01 13:39 . 2009-08-01 13:36 -------- d-----w- c:\documents and settings\Roshan\Application Data\Auslogics
2009-08-01 13:17 . 2009-08-01 12:53 -------- d-----w- c:\program files\iDailyDiary
2009-08-01 12:45 . 2009-08-01 12:45 -------- d-----w- c:\program files\FreeCommander
2009-08-01 12:30 . 2009-08-01 12:30 -------- d-----w- c:\documents and settings\Roshan\Application Data\AccurateRip
2009-08-01 12:29 . 2009-08-01 12:29 -------- d-----w- c:\program files\Illustrate
2009-08-01 12:26 . 2009-01-30 00:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-31 11:56 . 2009-07-31 04:00 -------- d-----w- c:\program files\ExplorerXP
2009-07-29 04:34 . 2005-03-24 02:53 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:34 . 2005-03-24 02:50 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2005-03-24 02:49 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 15:49 . 2005-05-20 02:13 112328 ----a-w- c:\documents and settings\Roshan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-14 03:43 . 2005-03-24 02:55 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 16:55 . 2005-03-24 02:53 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:24 . 2005-03-24 02:53 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:24 . 2005-03-24 02:53 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:24 . 2005-03-24 02:53 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:24 . 2005-03-24 02:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:24 . 2005-03-24 02:52 714752 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:24 . 2005-03-24 02:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-03-24 02:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2008-01-29 16:42 . 2008-01-29 16:42 28 ----a-w- c:\program files\deviceinfo
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Virtual Dimension"="c:\program files\Virtual Dimension\VirtualDimension.exe" [2005-07-09 446976]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
"DExposE2"="c:\program files\DExposE2\DExposE2.exe" [2008-05-07 450048]
"Google Update"="c:\documents and settings\Roshan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]
"iDailyDiary"="c:\progra~1\iDailyDiary\iDD.exe" [2008-12-12 1730048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-02-12 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"Hotkey"="c:\windows\system32\hkeyman.exe" [2003-03-14 851968]
"NumLockNotif"="c:\program files\Panasonic\numlkntf\Numlkntf.exe" [2004-08-24 131072]
"PRunOnce"="c:\util\prunonce\PRunOnce.exe" [2004-08-06 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"Panasonic HotKey Manager"="c:\program files\Panasonic\HotKey Appendix\HKEYAPP.EXE" [2005-03-18 929792]
"PCinfo"="c:\program files\Panasonic\PCINFO\SetDiag.exe" [2005-03-17 45056]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-19 2007832]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-11 68592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
"ctfmon.exe"="ctfmon.exe" - c:\windows\system32\ctfmon.exe [2008-02-12 15360]

c:\documents and settings\Roshan\スタート メニュー\プログラム\スタートアップ\
Maruo.lnk - c:\program files\Maruo\Maruo.exe [2005-5-30 1852912]

c:\documents and settings\All Users\スタート メニュー\プログラム\スタートアップ\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1041-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-5-22 25214]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-3-28 155648]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2005-5-30 42168]
エコノミーモード(ECO)切り替えユーティリティ.lnk - c:\program files\Panasonic\CHGBMODE\ChgBmode.exe [2005-3-28 114688]
オプティカルディスクドライブ省電力ユーティリティ.lnk - c:\program files\Panasonic\OPDOFF\opdoff.exe [2005-3-28 155648]
ネットセレクター.lnk - c:\program files\Panasonic\NSelect\NSelect.exe [2005-3-24 712704]
ホイールパッドユーティリティ.lnk - c:\program files\Panasonic\WheelPad\wheelpad.exe [2005-3-24 335872]
無線LAN切り替えユーティリティ.lnk - c:\program files\Panasonic\WLANSW\WLANSW.EXE [2005-3-24 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 12:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LanchNtf]
2004-08-06 08:26 53248 ----a-w- c:\windows\system32\LanchNtf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^BTTray.lnk]
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^スタート メニュー^プログラム^スタートアップ^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Roshan^スタート メニュー^プログラム^スタートアップ^OpenOffice.org 2.3.lnk]
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"btwdins"=2 (0x2)
"avg8emc"=3 (0x3)
"WinDefend"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"ose"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=3 (0x3)
"McDetect.exe"=2 (0x2)
"matlabserver"=2 (0x2)
"LBTServ"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"RDSessMgr"=3 (0x3)
"BthServ"=2 (0x2)
"HidServ"=2 (0x2)
"gusvc"=3 (0x3)
"ERSvc"=3 (0x3)
"Alerter"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\TOOLS\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\Roshan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Roshan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2005/03/28 6:02 10624]
R0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\NaiFsRec.sys [2005/05/20 11:41 4512]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008/08/19 11:33 335240]
R1 chgbmode;Panasonic Charge Mode Changer Driver;c:\program files\Panasonic\CHGBMODE\ChgBmode.sys [2005/03/28 4:19 12800]
R1 MiscOPD;Panasonic Opdoff Utility;c:\program files\Panasonic\OPDOFF\miscOPD.sys [2005/03/28 5:52 6144]
R1 WLANSW;Panasonic PC Wireless LAN Switch Driver;c:\program files\Panasonic\WLANSW\WLANSW.sys [2005/03/24 0:36 7680]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008/08/19 11:33 297752]
R2 brecal;Panasonic Battery Recalibration Driver;c:\program files\Panasonic\BRECAL\Brecal.sys [2005/03/24 0:26 7168]
R2 OPDOFFSV;Panasonic Opdoff Utility;c:\program files\Panasonic\OPDOFF\opdoffsv.exe [2005/03/28 5:52 147456]
R2 pcinfo;Panasonic PC Info. Viewer Driver;c:\program files\Panasonic\PCINFO\PCINFO.sys [2005/03/28 4:22 7168]
R2 SDKEY;Panasonic SD Misc. Function Driver;c:\program files\Panasonic\SDKEY\SDKEY.sys [2005/03/24 0:35 9216]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005/03/23 23:01 32640]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]
S3 CP;CP;c:\docume~1\Roshan\LOCALS~1\Temp\CP.exe --> c:\docume~1\Roshan\LOCALS~1\Temp\CP.exe [?]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005/07/24 0:28 24496]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009/06/17 8:20 12648]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2007/01/15 17:01 185504]
S3 V0250Vfx;V0250Vfx;c:\windows\system32\drivers\V0250Vfx.sys [2007/01/15 17:01 6272]
S3 WFVJXE;WFVJXE;c:\docume~1\Roshan\LOCALS~1\Temp\WFVJXE.exe --> c:\docume~1\Roshan\LOCALS~1\Temp\WFVJXE.exe [?]
S3 XRIKNEJFAUD;XRIKNEJFAUD;c:\docume~1\Roshan\LOCALS~1\Temp\XRIKNEJFAUD.exe --> c:\docume~1\Roshan\LOCALS~1\Temp\XRIKNEJFAUD.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4195690698-3893256219-861067370-1006Core.job
- c:\documents and settings\Roshan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 19:32]

2009-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4195690698-3893256219-861067370-1006UA.job
- c:\documents and settings\Roshan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 19:32]

2009-08-30 c:\windows\Tasks\Updtdb32.job
- c:\rs\RARE_USE\Links\locate32-3.1.8.09210\Updtdb32.exe [2009-03-05 21:19]

2009-09-20 c:\windows\Tasks\User_Feed_Synchronization-{6383BE0E-A18B-44B6-BDC8-70A59B67055C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Adobe PDF への変換
IE: E&xport to Microsoft Excel
IE: リンクの参照先を Adobe PDF に変換
IE: リンクの参照先を既存の PDF に変換
IE: 既存の PDF に変換
IE: 選択したリンクを Adobe PDF に変換
IE: 選択したリンクを既存の PDF に変換
IE: 選択項目を Adobe PDF に変換
IE: 選択項目を既存の PDF に変換
FF - ProfilePath - c:\documents and settings\Roshan\Application Data\Mozilla\Firefox\Profiles\2dnbq1sp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\documents and settings\Roshan\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Roshan\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 22:42
Windows 5.1.2600 Service Pack 3, v.5755 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\*・^\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\*・^\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\*・^\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-4195690698-3893256219-861067370-1006\AppEvents\Schemes\Apps\Conf\*・^\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-4195690698-3893256219-861067370-1006\AppEvents\Schemes\Apps\Conf\*・^\.default]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*ウ0・ン0・ヘ0・ネ0\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*ウ0・ン0・ヘ0・ネ0\CurVer]
@="BDATuner.コンポーネント.1"

[HKEY_LOCAL_MACHINE\software\Classes\Folder\shell\P*a*i*n*t* *S*h*o*p* *P*r*o* *ヨ0・ヲ0カ0\command]
@="\"c:\\PROGRA~1\\PAINTS~1\\psp.exe\" \"%L\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Volum eCaches\「0・、0・ケ0ネ0・・n0ミ0テ0ッ0「0テ0ラ0 *、0・・ク0]
@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"
"Description"="このバージョンの Windows をアンインストールして前のオペレーティング システムに戻る場合は、これらのファイルが必要です。"
"Display"="前のオペレーティング システムのバックアップ ファイル"
"IconPath"=expand:"%SystemRoot%\\system32\\osuninst.EXE,0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\LanchNtf.dll

- - - - - - - > 'explorer.exe'(3020)
c:\program files\DExposE2\DExposE2Animation.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\dlbtcoms.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\documents and settings\Roshan\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2009-09-21 22:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-21 02:48

Pre-Run: 14,975,049,728 バイトの空き領域
Post-Run: 14,831,157,248 バイトの空き領域

369 --- E O F --- 2009-09-20 06:13
__________________
Manners are the basis of a civilised society and make everyone's lives just a little happier. They cost nothing but they are worth so much. Quote by Daniela Cirignano
emeraldnzl
Senior Member with 644 posts.
Join Date: Nov 2007
Location: Auckland,N.Z.
21-Sep-2009, 03:04 PM #9
Hello sssrgg,

Unless I am mistaken I see two anti-virus programs on your machine. Running two or more real-time anti-virus, anti-spyware and firewall monitors at the same time can cause a conflict. That conflict can result in slow computer performance, error messages, crashes of the programs or other types of failure. You will very likely end up with little or no protection.

Please uninstall either of:

McAfee or

AVG

Personally unless it is paid up to date I would remove McAfee.

Quote:
I assume that the Combofix has successfully removed the infection.
No but it has made a start.

Now

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KillAll::

Driver::
WFVJXE
XRIKNEJFAUD

File::
c:\docume~1\Roshan\LOCALS~1\Temp\WFVJXE.exe
c:\docume~1\Roshan\LOCALS~1\Temp\XRIKNEJFAUD.exe

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
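The CFScript above is the helper's. As an added example, not part of this thread and not ComboFix's own tooling, here is a Python triage helper for the service lines (the R0..R3 / S0..S3 entries) of a ComboFix log: it flags services whose image loads from a Temp directory or that ComboFix could not stat (the "[?]" marker), and renders the same KillAll::/Driver::/File::/Reboot:: layout for the Temp-loaded hits. The sample lines are copied from the log posted earlier in this thread; the regexes and heuristics are this example's own assumptions.

```python
"""Triage ComboFix service lines and draft a CFScript for the Temp-loaded hits.
Added example, not ComboFix's own tooling; it mirrors the triage the helper did above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008/08/19 11:33 335240]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005/03/23 23:01 32640]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]
S3 CP;CP;c:\docume~1\Roshan\LOCALS~1\Temp\CP.exe --> c:\docume~1\Roshan\LOCALS~1\Temp\CP.exe [?]
S3 WFVJXE;WFVJXE;c:\docume~1\Roshan\LOCALS~1\Temp\WFVJXE.exe --> c:\docume~1\Roshan\LOCALS~1\Temp\WFVJXE.exe [?]
S3 XRIKNEJFAUD;XRIKNEJFAUD;c:\docume~1\Roshan\LOCALS~1\Temp\XRIKNEJFAUD.exe --> c:\docume~1\Roshan\LOCALS~1\Temp\XRIKNEJFAUD.exe [?]
"""

# Line shape: "<state> <name>;<display>;<image> [<date> <size>]"; state is R (running) or
# S (stopped) plus the start type 0-3. "[?]" means ComboFix could not stat the file.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Per-user Temp (8.3 or long form) and the system Temp directory (assumed heuristic).
TEMP_RE = re.compile(r"\\(locals~1|local settings)\\temp\\|\\windows\\temp\\", re.IGNORECASE)

REASON_TEMP = "image loads from a Temp directory"
REASON_UNREADABLE = "ComboFix could not stat the file ([?] instead of date and size)"


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image: str
    file_info: str


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a ComboFix service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if " --> " in rest:  # raw ImagePath, then "-->" and the resolved path
        rest = rest.split(" --> ", 1)[1]
    image, info = rest, ""
    if rest.endswith("]") and " [" in rest:
        image, info = rest.rsplit(" [", 1)
        info = "[" + info
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        image.strip().strip('"'), info)


def triage(entry: ServiceEntry) -> List[str]:
    """Reasons a reviewer should look at this entry; an empty list means nothing notable."""
    reasons = []
    if TEMP_RE.search(entry.image):
        reasons.append(REASON_TEMP)
    if entry.file_info == "[?]":
        reasons.append(REASON_UNREADABLE)
    return reasons


def flag_entries(log_text: str) -> List[Tuple[ServiceEntry, List[str]]]:
    """Parse every service line in a ComboFix log and keep the ones with a triage reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        reasons = triage(entry) if entry else []
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def select_for_script(flagged: List[Tuple[ServiceEntry, List[str]]]) -> List[ServiceEntry]:
    """Only Temp-loaded services go into the script; a bare [?] (WinDefend here) is not enough."""
    return [entry for entry, reasons in flagged if REASON_TEMP in reasons]


def build_cfscript(entries: List[ServiceEntry]) -> str:
    """Render the KillAll::/Driver::/File::/Reboot:: layout of the script posted above."""
    lines = ["KillAll::", "", "Driver::"] + [e.name for e in entries]
    lines += ["", "File::"] + [e.image for e in entries] + ["", "Reboot::"]
    return "\n".join(lines) + "\n"
```

On the sample it also flags the CP entry from the same log, which the posted script does not list; the output is a review list for a person to confirm against the rest of the log, not an automatic removal.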
sssrgg
Junior Member with 10 posts.
Join Date: Sep 2009
Experience: Advanced
21-Sep-2009, 07:06 PM #10
Hello emeraldnzl,

Thank you for the follow up instructions and suggestions. I thought the problem was fixed.

I followed your instructions. It warned me to turn off the AVG and McAfee anti-virus services. In the first run, I just ignored those warnings. Then I repeated the process after turning off AVG. Both log files are attached. I was unable to turn off McAfee.

Quote:
I see two anti-virus programs on your machine
In fact, I was unaware that this McAfee problem is still there. A trial version of McAfee was pre-installed on this computer, which I uninstalled a long time ago. After finding that some traces of McAfee were not properly removed, I cleaned them using HijackThis. Now the Windows services (services.msc), msconfig, application list etc. do not show the existence of any programs related to McAfee. There are no TrendMicro folders where the McAfee files used to sit, but it seems the McAfee virus scan is still enabled on this computer. I would like to ask how I could get rid of this unwanted VirusScan software.

I found that Google Chrome is not running now; maybe I need to re-install this one.

Thank you,
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log.
emeraldnzl
Senior Member with 644 posts.
Join Date: Nov 2007
Location: Auckland,N.Z.
21-Sep-2009, 07:10 PM #11
Hello sssrgg,

Looks like that attachment got blocked.

Just post them in the forum please, use as many posts as you need to get them up, that's fine.
emeraldnzl
Senior Member with 644 posts.
Join Date: Nov 2007
Location: Auckland,N.Z.
21-Sep-2009, 07:11 PM #12
Nope, I am wrong. They are there. lol.
emeraldnzl
Senior Member with 644 posts.
Join Date: Nov 2007
Location: Auckland,N.Z.
21-Sep-2009, 07:29 PM #13
Quote:
I found that google chrome is not running now, may be I need to re-install this one.
Do that after we have finished and cleaned away the tools we have been using.

Out of interest: did you use Malwarebytes before it stopped working? MBAM has been picking up one of the Chrome components as a false positive in the last couple of days.

Quote:
I would like ask how could I get rid from this unwanted virusscan software.
Download the McAfee removal tool from here and save the file to your desktop.

Close all McAfee Application windows you may have open, and double-click on MCPR.exe to start the removal tool.

Note: Windows Vista users will have to right-click on the file and select "Run as Administrator"

After the removal tool finishes, restart your computer.

After the removal tool finishes, you should be prompted to restart your computer.

Once the computer restarts, your McAfee product should be uninstalled.

Now

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no longer have Malwarebytes, please download it from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

Kaspersky on line scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3.

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • MBAM log
  • Kaspersky scan results
  • and tell me how your computer is performing now

Note: Unless otherwise instructed, always post the logs in the forum. If reports don't fit on one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine.
sssrgg
Junior Member with 10 posts.
Join Date: Sep 2009
Experience: Advanced
22-Sep-2009, 09:09 PM #14
Hello emeraldnzl,

Thank you for the suggestions and instructions. I liked the MCPR, which removed the long-standing McAfee successfully, although it required 4 runs before complete cleaning. Then I ran MBAM exactly as you suggested. I have pasted the MBAM log below. Currently the Kaspersky online scanner is running. I will post the log file once it completes.
---------------------
Malwarebytes' Anti-Malware 1.41
Database version: 2842
Windows 5.1.2600 Service Pack 3, v.5755

2009/09/22 11:16:07
mbam-log-2009-09-22 (11-16-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 294682
Time elapsed: 1 hour(s), 48 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
---------------------------------
sssrgg
Junior Member with 10 posts.
Join Date: Sep 2009
Experience: Advanced
22-Sep-2009, 09:15 PM #15
Hello emeraldnzl,

The Kaspersky online scanner completed its job. It did not find any threats. That is very good news. Here is the log file:
---------------------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 22, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3, v.5755 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, September 22, 2009 15:16:05
Records in database: 2869160
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Objects scanned: 184113
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 05:12:29

No threats found. Scanned area is clean.

Selected area has been scanned.

---------------------------------
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.