
Multiple symptoms of malware/spyware


37 replies to this topic

#1 rendezvou

rendezvou


Posted 08 July 2011 - 01:22 AM

Hi,

I am starting this thread as advised by a BC advisor who was trying to help me.

http://www.bleepingcomputer.com/forums/topic406670.html


My machine has the following symptoms which hint at a malware attack somewhere deep inside.

1) Whenever my machine is started I get alerts (on the taskbar) for

"antivirus, firewall, automatic updates disabled" -- this quickly changes to
"antivirus and firewall disabled" (one less this time)

2) Security center would show antivirus definition not found

If the history of how it started happening is of any significance, here it is - I had an attack of XP Home Security, which I found to be dangerous malware. I tried cleaning it up on my own (of course with the help of internet searches) and thought I got rid of it. However, it doesn't look like that is true.




3) Malwarebytes ran and found issues which it quarantined. However I am not convinced that it has been able to fully clean up the system.

4) SUPERAntiSpyware found a generic trojan, which it claimed was cleaned.

5) However, my SUPERAntiSpyware could not be updated, as it popped up a warning that the firewall is blocking the program.

6) My resident Sophos antivirus console is all grayed out and it won't update. Reinstallation was tried but it didn't help. During re-installation I got a registry error - screenshot attached (Taskbar 2.jpg).

Please help!!

DDS log and DDS attach log are attached. I cannot run GMER; every time I get the "Stop (blue screen) error".

Also attached are registry values in case those are messed up by the malware.



#2 CatByte

CatByte

  • Malware Response Team

Posted 23 July 2011 - 02:21 PM

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 rendezvou

rendezvou
  • Topic Starter


Posted 23 July 2011 - 09:44 PM

Thanks for your reply.

Attached are the log and the .dat file.


aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-23 19:23:53
-----------------------------
19:23:53.906 OS Version: Windows 5.1.2600 Service Pack 2
19:23:53.906 Number of processors: 2 586 0x1706
19:23:53.906 ComputerName: RANITBANERJEE UserName:
19:23:57.078 Initialize success
19:24:23.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:24:23.000 Disk 0 Vendor: ST910082 3.CM Size: 95396MB BusType: 3
19:24:23.015 Disk 0 MBR read successfully
19:24:23.031 Disk 0 MBR scan
19:24:23.031 Disk 0 Windows XP default MBR code
19:24:23.031 Disk 0 scanning sectors +195365520
19:24:23.109 Disk 0 scanning C:\WINDOWS\system32\drivers
19:24:29.312 Service scanning
19:24:30.781 Modules scanning
19:24:41.234 Disk 0 trace - called modules:
19:24:41.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
19:24:41.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b405608]
19:24:41.250 3 CLASSPNP.SYS[ba0e905b] -> nt!IofCallDriver -> \Device\00000093[0x8b4079e0]
19:24:41.250 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8b34d030]
19:24:41.265 Scan finished successfully
19:25:49.890 Disk 0 MBR has been saved successfully to "C:\Program Files\Mozilla Firefox\MBR.dat"
19:25:49.890 The log file has been saved successfully to "C:\Program Files\Mozilla Firefox\aswMBR.txt"

Edited by rendezvou, 23 July 2011 - 09:45 PM.


#4 CatByte

CatByte

  • Malware Response Team

Posted 23 July 2011 - 09:50 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#5 rendezvou

rendezvou
  • Topic Starter


Posted 27 July 2011 - 01:23 PM

Hi,

ComboFix installed the Windows Recovery Console and completed its run. However, the run ended saying "preparing log", but the log never came up.

I had to go look for it in the combofix folder created in C:

#6 CatByte

CatByte

  • Malware Response Team

Posted 27 July 2011 - 04:33 PM

Hi

Please do the following:


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 rendezvou

rendezvou
  • Topic Starter


Posted 29 July 2011 - 02:47 AM

Malwarebytes produced a clean log. ESET log is given below. However the resident Sophos antivirus is still grayed out.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7313

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

7/28/2011 9:16:52 PM
mbam-log-2011-07-28 (21-16-52).txt

Scan type: Quick scan
Objects scanned: 192268
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

************************************************************************

ESET scan found some threats and quarantined them

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Application Data\Mozilla\Firefox\Profiles\vmr9pnuj.default\Cache\6\48\F5116d01 JS/Kryptik.AY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Application Data\Mozilla\Firefox\Profiles\vmr9pnuj.default\Cache\B\95\FAE74d01 JS/Kryptik.AY trojan cleaned by deleting - quarantined
C:\Documents and Settings\ranit_banerjee\Application Data\Sun\Java\Deployment\cache\6.0\53\620059f5-1e0bda52 a variant of Win32/Injector.GJY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP12\A0006500.exe a variant of Win32/Injector.GJY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP56\A0016604.exe a variant of Win32/Kryptik.PNM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP56\A0016605.exe a variant of Win32/Kryptik.PKN trojan cleaned by deleting - quarantined
C:\tools\WinCvs 1.3\Macros\ExamDiff.exe a variant of Win32/Packed.PECrypt32.A application cleaned by deleting - quarantined

#8 CatByte

CatByte

  • Malware Response Team

Posted 29 July 2011 - 07:01 AM

Have you tried uninstalling Sophos completely and re-installing it?

Use AppRemover to do so:


Download AppRemover from here saving it to your desktop.
  • Double click to run AppRemover
  • Follow the prompts to remove Sophos
  • Reboot



#9 rendezvou

rendezvou
  • Topic Starter


Posted 31 July 2011 - 03:29 PM

The App Remover page is rendering a 404 error.

#10 rendezvou

rendezvou
  • Topic Starter


Posted 31 July 2011 - 03:30 PM

I have tried uninstalling Sophos from Program files and reinstalling it but it didn't help.
Do you think I should try that again?

#11 rendezvou

rendezvou
  • Topic Starter


Posted 31 July 2011 - 04:31 PM

I am not able to uninstall it successfully.
I think the registry keys are corrupted.

#12 CatByte

CatByte

  • Malware Response Team

Posted 31 July 2011 - 05:51 PM

This link should be working for appremover.

http://www.appremover.com

Try Revo Uninstaller if AppRemover doesn't work


Download and install the Revo Uninstaller
  • Double click the new Revo Uninstaller icon on your desktop to start the program
  • Scroll through the listed programs and Right Click on the program you wish to uninstall (Sophos)
  • From the pop out menu choose Uninstall
  • Click Yes to the confirmation dialogue
  • In the next window select the Advanced mode
  • Click Next to start uninstalling the program
  • Answer Yes to confirm the uninstall
  • When the program has completed the four steps, click Next to allow the program to search for leftovers
  • Once complete, click Next, then Finish


If neither works, run this on that registry key:

Please download GrantPerms.zip and save it to your desktop.
Unzip the file and run GrantPerms.exe.
Copy and paste the following in the edit box:

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SophosAntiVirus

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Edited by CatByte, 31 July 2011 - 05:52 PM.



#13 rendezvou

rendezvou
  • Topic Starter


Posted 01 August 2011 - 01:01 AM

I was successful in uninstalling Sophos using Appremover this time.
However, it didn't re-install properly. The file extraction ended saying some of the files could not be created.

Here's the Perms.txt log:

GrantPerms by Farbar
Ran by ranit_banerjee at 2011-07-31 22:59:43

===============================================
ERROR: Parsing the SD of <HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SophosAntiVirus> failed with: The system cannot find the path specified.


Operating system error message: The system cannot find the path specified.

#14 CatByte

CatByte

  • Malware Response Team

Posted 01 August 2011 - 06:16 AM

Please try that again with parentheses around the key name:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SophosAntiVirus"


as I'm sure that key will exist for you.


There are probably left-over registry items that are locked down for some reason, so it is not extracting properly.

Try using Revo Uninstaller to uninstall; that should remove the registry entries as well.


If that still doesn't work, download and run ComboFix again. I'll see if it shows up in ComboFix; I can likely remove it from there.

Link 1

Edited by CatByte, 01 August 2011 - 06:18 AM.

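A defender-side check for the step CatByte describes in posts #12 and #14 (confirm the Security Center monitoring key for the vendor exists, then list who holds what rights on it), written here as an added example; it is not GrantPerms or any tool from the thread, and it assumes it is run from an elevated PowerShell on the affected machine.

```powershell
# Added example, not part of the thread or of the GrantPerms tool.
# Checks the Security Center monitoring key named in the thread and either
# reports that it is missing (the condition GrantPerms hit) or dumps its ACL.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus'
)

function Test-MonitoringKey {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Same situation GrantPerms reported: no key, so there is nothing to
        # re-permission. Listing the siblings under Monitoring shows which
        # products Security Center currently knows about.
        Write-Output "Key not found: $Path"
        $parent = Split-Path -Path $Path -Parent
        if (Test-Path -LiteralPath $parent) {
            Write-Output "Existing entries under $parent :"
            Get-ChildItem -LiteralPath $parent |
                ForEach-Object { Write-Output ('  ' + $_.PSChildName) }
        }
        return
    }

    # The key exists: show the owner and every access control entry.
    # Deny entries, or an owner other than Administrators/SYSTEM, are what
    # typically stops an installer from recreating or updating the key.
    $acl = Get-Acl -LiteralPath $Path
    Write-Output "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        $flag = ''
        if ($ace.AccessControlType -eq 'Deny') { $flag = '  <-- DENY entry' }
        Write-Output ('{0,-6} {1,-40} {2}{3}' -f $ace.AccessControlType,
            $ace.IdentityReference, $ace.RegistryRights, $flag)
    }
}

Test-MonitoringKey -Path $KeyPath
```

Run it once before and once after the reinstall attempt; a key that is absent before and still absent after points at the installer failing, while a key present with Deny entries points at leftover permissions.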


#15 rendezvou

rendezvou
  • Topic Starter


Posted 01 August 2011 - 11:03 AM

I tried with both parentheses and without.
I am getting a syntax error on GrantPerms when checking perms with the key in parentheses. With parentheses I am getting the same error - path cannot be found.
I checked the registry key manually - it seems the key is really missing. I cannot upload any more attachments as I have used up the quota.

Installed Revo Uninstaller Pro; however, it couldn't find Sophos or its traces.
Btw, I noticed that the registry key in question is the same key which was giving me trouble when I first posted. Please check the screenshot there as well.

New ComboFix log is provided below - the log didn't pop up automatically again, as reported earlier.

********************************************************************************************************

ComboFix 11-07-31.04 - ranit_banerjee 08/01/2011 8:06:31.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.1958 [GMT -7:00]
Running from: C:\Documents and Settings\ranit_banerjee\Desktop\ComboFix.exe


((((((((((((((((((((((((( Files Created from 2011-07-01 to 2011-08-01 )))))))))))))))))))))))))))))))


2011-08-01 15:01:16 . 2011-08-01 15:01:16 -------- d-----w- C:\Documents and Settings\ranit_banerjee\Local Settings\Application Data\VS Revo Group
2011-08-01 15:01:12 . 2011-08-01 15:01:12 -------- d-----w- C:\WINDOWS\LastGood
2011-08-01 15:01:08 . 2009-12-30 18:20:56 27064 ----a-w- C:\WINDOWS\system32\drivers\revoflt.sys
2011-08-01 15:01:07 . 2011-08-01 15:01:07 -------- d-----w- C:\Program Files\VS Revo Group
2011-08-01 05:45:11 . 2011-08-01 06:20:38 -------- d-----w- C:\Program Files\Sophos
2011-08-01 03:50:54 . 2011-08-01 03:50:54 -------- d-----w- C:\Sophos76
2011-07-29 04:19:58 . 2011-07-29 04:19:58 -------- d-----w- C:\Program Files\ESET
2011-07-22 19:17:16 . 2011-07-22 19:17:16 -------- d-----w- C:\Program Files\Conduit
2011-07-22 19:17:13 . 2011-07-28 19:18:41 -------- d-----w- C:\Documents and Settings\ranit_banerjee\Local Settings\Application Data\FreeOnlineRadioPlayerRecorder
2011-07-22 19:17:05 . 2011-07-22 19:17:16 -------- d-----w- C:\Documents and Settings\ranit_banerjee\Local Settings\Application Data\Conduit
2011-07-22 19:17:05 . 2011-07-22 19:17:05 -------- d-----w- C:\Program Files\FreeOnlineRadioPlayerRecorder
2011-07-22 19:17:02 . 2011-07-22 19:23:10 -------- d-----w- C:\Documents and Settings\ranit_banerjee\Application Data\Cool Record Edit Pro
2011-07-22 19:16:51 . 2005-05-18 18:52:40 1212416 ----a-w- C:\WINDOWS\system32\NCTAudioInformation2.dll
2011-07-22 19:16:51 . 2005-05-17 19:37:44 1986560 ----a-w- C:\WINDOWS\system32\NCTAudioFile2.dll
2011-07-22 19:16:51 . 2005-04-25 20:01:38 458752 ----a-w- C:\WINDOWS\system32\NCTAudioRecord2.dll
2011-07-22 19:16:51 . 2005-04-25 20:01:12 458752 ----a-w- C:\WINDOWS\system32\NCTAudioPlayer2.dll
2011-07-22 19:16:51 . 2005-04-15 19:08:02 880640 ----a-w- C:\WINDOWS\system32\NCTAudioEditor2.dll
2011-07-22 19:16:51 . 2005-04-05 00:21:32 602112 ----a-w- C:\WINDOWS\system32\NCTAudioTransform2.dll
2011-07-22 19:16:51 . 2005-03-28 22:54:42 479232 ----a-w- C:\WINDOWS\system32\NCTAudioVisualization2.dll
2011-07-22 19:16:51 . 2005-03-28 22:52:12 417792 ----a-w- C:\WINDOWS\system32\NCTTextToAudio2.dll
2011-07-22 19:16:51 . 2005-02-24 18:51:38 348160 ----a-w- C:\WINDOWS\system32\NCTWMAFile2.dll
2011-07-22 19:16:51 . 2004-11-04 20:31:22 835584 ----a-w- C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
2011-07-22 19:16:51 . 2002-01-05 23:37:00 344064 ----a-w- C:\WINDOWS\system32\msvcr70.dll
2011-07-22 19:16:50 . 2011-07-22 19:16:52 -------- d-----w- C:\Program Files\Cool Record Edit Pro
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-07-07 02:52:42 . 2009-01-28 17:52:09 22712 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2011-07-07 02:52:42 . 2009-01-28 17:52:07 41272 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-06-27 04:55:27 . 2011-06-27 04:55:27 388096 ----a-r- C:\Documents and Settings\ranit_banerjee\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-16 03:34:37 . 2011-06-08 14:44:25 404640 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-05-04 11:52:22 . 2010-07-09 20:54:17 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2011-05-04 09:25:49 . 2010-07-07 22:06:05 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2009-02-19 21:04:36 . 2009-02-19 21:04:36 27976 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2009-02-19 21:04:36 . 2009-02-19 21:04:36 126360 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
2008-08-17 01:42:36 . 2008-08-17 01:42:36 13112 ----a-w- C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-08-17 01:42:02 . 2008-08-17 01:42:02 70456 ----a-w- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-08-17 01:42:12 . 2008-08-17 01:42:12 91448 ----a-w- C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-08-17 01:42:08 . 2008-08-17 01:42:08 20800 ----a-w- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-08-17 01:43:00 . 2008-08-17 01:43:00 206136 ----a-w- C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-08-17 01:42:10 . 2008-08-17 01:42:10 31032 ----a-w- C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-08-17 01:42:32 . 2008-08-17 01:42:32 40248 ----a-w- C:\Program Files\mozilla firefox\plugins\icalogon.dll
2009-02-19 21:04:39 . 2009-02-19 21:04:40 98712 ----a-w- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
2008-05-21 16:41:08 . 2008-05-21 16:41:08 479232 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 16:41:08 . 2008-05-21 16:41:08 548864 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 16:41:08 . 2008-05-21 16:41:08 626688 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 21:58:54 . 2008-06-05 21:58:54 648504 ----a-w- C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-17 01:42:04 . 2008-08-17 01:42:04 23864 ----a-w- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
2011-06-22 18:13:12 . 2011-04-12 03:43:29 142296 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((( SnapShot@2011-07-27_15.51.20 )))))))))))))))))))))))))))))))))))))))))

+ 2011-08-01 14:47:46 . 2011-08-01 14:47:46 16384 C:\WINDOWS\Temp\Perflib_Perfdata_6a0.dat
+ 2011-08-01 14:47:46 . 2011-08-01 14:47:46 16384 C:\WINDOWS\Temp\Perflib_Perfdata_534.dat
+ 2007-09-06 11:47:23 . 2011-07-30 19:57:48 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-06 11:47:23 . 2011-07-24 21:53:43 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-06 11:47:23 . 2011-07-30 19:57:48 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-06 11:47:23 . 2011-07-24 21:53:43 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-09-06 11:47:23 . 2011-07-30 19:57:48 32768 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-09-06 11:47:23 . 2011-07-24 21:53:43 32768 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{f999a48b-1950-4d81-9971-79018f807b4b}"= "C:\Program Files\FreeOnlineRadioPlayerRecorder\prxtbFree.dll" [2011-01-17 23:54:02 175912]

[HKEY_CLASSES_ROOT\clsid\{f999a48b-1950-4d81-9971-79018f807b4b}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f999a48b-1950-4d81-9971-79018f807b4b}"= "C:\Program Files\FreeOnlineRadioPlayerRecorder\prxtbFree.dll" [2011-01-17 23:54:02 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "C:\Program Files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 23:54:02 175912]

[HKEY_CLASSES_ROOT\clsid\{f999a48b-1950-4d81-9971-79018f807b4b}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F999A48B-1950-4D81-9971-79018F807B4B}"= "C:\Program Files\FreeOnlineRadioPlayerRecorder\prxtbFree.dll" [2011-01-17 23:54:02 175912]

[HKEY_CLASSES_ROOT\clsid\{f999a48b-1950-4d81-9971-79018f807b4b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="C:\Program Files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 09:57:42 1025320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-17 15:53:00 8433664]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-05-08 21:13:45 202256]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 19:59:52 254696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 17:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 22:56:38 352256 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 05:17:12 89600 ----a-w- C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMeEurr]
qoMeEurr.dll [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=C:\WINDOWS\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Citrix XenApp.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Citrix XenApp.lnk
backup=C:\WINDOWS\pss\Citrix XenApp.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=C:\WINDOWS\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
2007-07-05 21:58:40 413696 ----a-w- C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
2007-07-05 21:51:48 126976 ----a-w- C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 06:16:38 39792 ----a-w- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2007-06-17 16:16:00 208896 ----a-w- C:\PROGRA~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-12-03 12:39:04 50592 ----a-w- C:\Documents and Settings\ranit_banerjee\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00:00 15360 ----a-w- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellNSCST_GRNCH]
2006-05-08 18:16:14 278528 ------w- C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-05-18 23:24:06 196696 ----a-w- C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2006-02-02 12:20:00 122940 ----a-w- C:\WINDOWS\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2007-03-28 17:32:00 243248 ----a-w- C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-01-03 18:08:06 133104 ----atw- C:\Documents and Settings\ranit_banerjee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22:02 3739648 ----a-w- C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 23:50:42 221184 ----a-w- C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 23:50:18 81920 ----a-w- C:\Program Files\Common Files\Installshield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kopajevalu]
C:\WINDOWS\system32\lopibeki.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2007-03-22 17:02:00 120368 ----a-w- C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 17:17:48 5252408 ----a-w- C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-05-17 15:53:00 8433664 ----a-w- C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-05-17 15:53:00 81920 ----a-w- C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-05-17 15:53:00 1626112 ----a-w- C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
2007-06-17 16:16:00 200704 ----a-w- C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonicWALLNetExtender]
2008-04-08 22:40:54 562608 ----a-w- C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2007-04-04 03:55:08 839680 ------w- C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-04-10 00:23:56 1015808 ----a-w- C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59:52 254696 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2008-12-04 21:50:00 1809648 ----a-w- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-02-14 05:16:28 512000 ----a-w- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2006-02-14 05:17:28 110592 ----a-w- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-08 21:13:45 202256 ----a-w- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
2007-03-30 01:40:48 181808 ----a-w- C:\WINDOWS\system32\TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-03-04 17:34:20 487424 ----a-w- C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Documents and Settings\\ranit_banerjee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"C:\\Documents and Settings\\ranit_banerjee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\tools\\eclipse\\eclipse.exe"=
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\tools\\jdk1.5.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_21\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"C:\\Documents and Settings\\ranit_banerjee\\Application Data\\mjusbsp\\magicJack.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\drivers\ApsHM86.sys [3/2/2007 5:47:00 PM 19760]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 2:50:04 PM 8944]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50:02 PM 55024]
R2 OracleServiceCALYPSO;OracleServiceCALYPSO;c:\tools\oracle\11gr1\bin\ORACLE.EXE CALYPSO --> c:\tools\oracle\11gr1\bin\ORACLE.EXE CALYPSO [?]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 10:10:02 PM 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 1:11:32 PM 569344]
R3 SSLDrv;SSL-VPN NetExtender Adapter;C:\WINDOWS\system32\drivers\SSLDrv.sys [8/28/2006 4:13:30 PM 20504]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\drivers\tvti2c.sys [9/13/2006 12:42:44 PM 35264]
S2 OracleDBConsoleCALYPSO;OracleDBConsoleCALYPSO;C:\tools\oracle\11gR1\BIN\nmesrvc.exe [5/15/2008 2:21:05 PM 25600]
S2 OracleJobSchedulerCALYPSO;OracleJobSchedulerCALYPSO;c:\tools\oracle\11gr1\Bin\extjob.exe CALYPSO --> c:\tools\oracle\11gr1\Bin\extjob.exe CALYPSO [?]
S2 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\tools\oracle\11gR1\BIN\TNSLSNR --> c:\tools\oracle\11gR1\BIN\TNSLSNR [?]
S2 SYBSQL_LOCALHOST;Sybase SQLServer _ LOCALHOST;C:\tools\sybase15\ASE-15_0\bin\sqlsrvr.exe -sLOCALHOST -C --> C:\tools\sybase15\ASE-15_0\bin\sqlsrvr.exe -sLOCALHOST -C [?]
S3 LenovoRd;LenovoRd;C:\WINDOWS\system32\drivers\LenovoRd.sys [8/12/2007 12:53:07 AM 81280]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49:20 AM 227232]
S3 Revoflt;Revoflt;C:\WINDOWS\system32\drivers\revoflt.sys [8/1/2011 8:01:08 AM 27064]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50:06 PM 7408]
S3 SybaseUAService;Sybase Unified Agent;C:\tools\sybase15\UAF-2_0\utility\ntautostart\release\uaservice.exe [9/5/2007 3:23:41 PM 49152]
S3 SYBBCK_LOCALHOST_BS;Sybase BCKServer _ LOCALHOST_BS;C:\tools\sybase15\ASE-15_0\bin\bcksrvr.exe -SLOCALHOST_BS -R --> C:\tools\sybase15\ASE-15_0\bin\bcksrvr.exe -SLOCALHOST_BS -R [?]
S3 SYBXPS_LOCALHOST_XP;Sybase XPServer _ LOCALHOST_XP;C:\tools\sybase15\ASE-15_0\bin\xpserver.exe -SLOCALHOST_XP -C --> C:\tools\sybase15\ASE-15_0\bin\xpserver.exe -SLOCALHOST_XP -C [?]

Contents of the 'Scheduled Tasks' folder

2011-08-01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54:46 . 2007-02-12 22:54:46]

2011-07-31 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-257438896-4239395036-1050642295-1031Core.job
- C:\Documents and Settings\ranit_banerjee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-03 18:08:08 . 2009-01-03 18:08:06]

2011-08-01 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-257438896-4239395036-1050642295-1031UA.job
- C:\Documents and Settings\ranit_banerjee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-03 18:08:08 . 2009-01-03 18:08:06]

2009-02-09 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-08-12 08:12:15 . 2007-06-17 16:16:00]

2011-08-01 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-257438896-4239395036-1050642295-1031.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09:42 . 2010-02-25 05:09:42]

2011-07-30 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-257438896-4239395036-1050642295-1031.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09:42 . 2010-02-25 05:09:42]
