Can't delete Systran registry entry


  • This topic is locked
8 replies to this topic

#1 rollobot

rollobot

  • Members
  • 7 posts
  • Local time:09:39 AM

Posted 04 September 2011 - 11:05 PM

Malwarebytes discovered a bunch of "stolen data" trojans on my pc and removed them. I ran HijackThis after their removal, which found the following in the registry:

HKEY_USERS\S-1-5-21-1757981266-1123561945-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\Open and Translate in Word

I've tried everything to remove this key, including changing the permissions, but it refuses to budge.

I'm running Windows XP Pro SP3 on an AMD 1.36 GHz CPU with 500 MB RAM (I'm way behind the times, I know). Even though IE6 is listed in the log, I don't use it. Firefox is my browser of choice.

Many thanks for your help!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Run by Robert at 13:46:02 on 2011-09-05
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.479.220 [GMT 10:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: FortKnox Personal Firewall *Enabled*
FW: Sunbelt Kerio Personal Firewall *Enabled*
FW: Jetico Personal Firewall *Enabled*
FW: Sunbelt Personal Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Memory Improve Master\MemoryImproveMaster.exe
C:\WINDOWS\System32\hffsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyServer = socks=
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Memory Improve Master] c:\program files\memory improve master\MemoryImproveMaster.exe /autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Ashampoo FireWall] "c:\program files\ashampoo\ashampoo firewall\FireWall.exe" -TRAY
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: Open and Translate in Word - c:\program files\systran\5.0\premium\IEShellExt.dll /10
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277898266859
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277898242406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1B117C82-52DB-4C7A-9DB1-261EE82886DA} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\robert\application data\mozilla\firefox\profiles\mf01qvc5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2465030&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\windows\system32\superadblocker.com\npsabffx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
.
---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 50
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: layout.spellcheckDefault - 1
.
============= SERVICES / DRIVERS ===============
.
R0 secdir;Folder Security Personal;c:\windows\system32\secdir.sys [2007-5-30 73216]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-3-28 13496]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-14 11608]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-4-26 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-4-26 72624]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-9-4 18816]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-14 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-14 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-14 66616]
R2 HideFilesAndFolders_S;Hide Files and Folders;c:\windows\system32\hffsrv.exe [2003-9-12 78848]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-13 366640]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-2-6 632792]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009-3-4 2368]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2010-11-28 598856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-13 22712]
S1 FDCENT;FDCENT; [x]
S1 fortknox_drv;fortknox_drv;c:\windows\system32\drivers\fortknoxfw.sys --> c:\windows\system32\drivers\fortknoxfw.sys [?]
S1 SABKUTIL;SABKUTIL; [x]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\shldrv51.sys --> c:\windows\system32\drivers\ShlDrv51.sys [?]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 fortknox;FortKnox Personal Firewall; [x]
S2 PavProc;Panda Process Protection Driver; [x]
S2 PavPrSrv;Panda Process Protection Service; [x]
S2 vsmon;TrueVector Internet Monitor; [x]
S3 Bcfilter;Jetico Personal Firewall Network Monitor;c:\windows\system32\drivers\bcfilter.sys --> c:\windows\system32\drivers\bcfilter.sys [?]
S3 BcfilterMP;BcfilterMP;c:\windows\system32\drivers\bcfilter.sys --> c:\windows\system32\drivers\bcfilter.sys [?]
S3 BlackBox;BlackBox SR2; [x]
S3 firewall;firewall; [x]
S3 Lbrpoeregb;Lbrpoeregb; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SASENUM;SASENUM; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-05 00:34:11 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-09-05 00:33:24 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-05 00:33:22 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-05 00:27:20 852480 -c----w- c:\windows\system32\dllcache\vgx.dll
2011-09-05 00:23:07 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-05 00:22:54 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-09-04 05:41:26 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-09-04 05:12:02 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-04 03:38:23 -------- d-----w- c:\program files\Sophos
2011-09-01 07:25:20 -------- d-----w- c:\program files\mp3DirectCut
2011-08-19 08:52:55 -------- d-----w- c:\program files\All Sound Recorder Vista
2011-08-14 07:10:41 -------- d-----w- c:\documents and settings\all users\application data\AVCWare
2011-08-14 06:49:23 -------- d-----w- c:\documents and settings\robert\local settings\application data\Tipard Studio
.
==================== Find3M ====================
.
2011-08-14 22:11:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-14 16:02:36 87608 ----a-w- c:\documents and settings\robert\application data\inst.exe
2011-08-14 16:02:36 47360 ----a-w- c:\documents and settings\robert\application data\pcouffin.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 09:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 09:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 01:35:10 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2010-12-24 03:18:46 2670592 ----a-w- c:\program files\VirtualDub.exe
2010-12-24 03:18:18 69632 ----a-w- c:\program files\auxsetup.exe
2010-12-24 03:18:16 8704 ----a-w- c:\program files\vdub.exe
2010-12-24 03:18:16 73728 ----a-w- c:\program files\vdremote.dll
2010-12-24 03:18:16 69632 ----a-w- c:\program files\vdicmdrv.dll
2010-12-24 03:17:50 65536 ----a-w- c:\program files\vdsvrlnk.dll
2008-09-21 10:37:16 389632 ----a-w- c:\program files\flvtoavi.exe
2008-09-21 08:32:26 2409984 ----a-w- c:\program files\ffmpeg_x264.exe
2008-09-21 08:20:10 2374656 ----a-w- c:\program files\ffmpeg.exe
2006-10-11 23:03:18 8838336 ----a-w- c:\program files\Ashampoo Burning Studio 2007.exe
2000-04-16 07:52:00 134656 ----a-w- c:\program files\remove.exe
.
============= FINISH: 13:48:15.06 ===============

#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:39 PM

Posted 05 September 2011 - 03:11 PM

Good evening. :)

1) Right-click My Computer.
2) Click Manage.
3) Click on the plus sign "+" next to Services and Applications in the left-hand pane.
4) Click Services.
5) Locate the service called Windows Management Instrumentation in the right-hand pane (you may need to drag the divider next to Description at the top to better see the various entries), right-click it and choose Stop.
6) Open My Computer or Windows Explorer and navigate to the C:\Windows\System32\WBEM folder.
7) Right-click on the Repository folder and click Delete to remove it.
8) Return to the Windows services screen using steps 1 - 4 shown above.
9) Locate the service Windows Management Instrumentation, right-click on it, and choose Start - restarting this service will rebuild the repository folder information.
10) Restart your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run MBAM and select the Logs Tab. Each log has the time and date attached to it - let me have the one that identified the nasties that you are referring to.

So long, and thanks for all the fish.
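The ten WMI repository steps above can also be run as a script. The batch file below is an added example written for this page; it is not Noviciate's code or anything from BleepingComputer. It assumes an administrator account on Windows XP, that the WMI service is named winmgmt, and that the repository lives at %SystemRoot%\System32\wbem\Repository. It differs from step 7 in one respect, stated in the comments: it renames the folder to Repository.old rather than deleting it, so the step can be undone if the rebuild fails.

```batch
@echo off
rem Added example, not from the thread: a scripted version of the WMI
rem repository rebuild in steps 1-10 above. Assumes an administrator
rem account on Windows XP, that the WMI service is named winmgmt and that
rem the repository is %SystemRoot%\System32\wbem\Repository.
setlocal
set "WBEM=%SystemRoot%\System32\wbem"

if not exist "%WBEM%\Repository" (
    echo No repository folder at "%WBEM%\Repository" - nothing to rebuild.
    exit /b 1
)
if exist "%WBEM%\Repository.old" (
    echo "%WBEM%\Repository.old" already exists - remove it first.
    exit /b 1
)

rem Step 5: stop Windows Management Instrumentation; /y also stops any
rem service that depends on it instead of prompting.
net stop winmgmt /y
if errorlevel 1 (
    echo Could not stop the WMI service; nothing was changed.
    exit /b 1
)

rem Step 7: the post deletes the folder; this keeps it as Repository.old
rem so the step can be undone if the rebuild fails.
ren "%WBEM%\Repository" Repository.old
if exist "%WBEM%\Repository" (
    echo Rename failed - something still holds the folder open. Restarting WMI.
    net start winmgmt
    exit /b 1
)

rem Step 9: starting the service recreates the repository from the MOF files.
net start winmgmt
if errorlevel 1 (
    echo WMI did not start; restoring the old repository.
    ren "%WBEM%\Repository.old" Repository
    net start winmgmt
    exit /b 1
)

rem Confirm the rebuilt repository answers a query before rebooting (step 10).
wmic os get Caption,Version
if errorlevel 1 (
    echo WMI started but did not answer a query; the repository may still be bad.
    exit /b 1
)
echo Repository rebuilt. Reboot to complete step 10.
endlocal
```

Save it as rebuild-wmi.cmd, run it from a command prompt opened under an administrator account, and reboot once it reports success. The `if exist` check after the rename, rather than trusting `ren`'s exit code, is deliberate: it is the folder actually being gone that matters, and an open handle from a scanner or monitoring tool is the usual reason the rename silently fails.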

 

 


#3 rollobot

rollobot
  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:39 AM

Posted 05 September 2011 - 10:24 PM

Good evening to you too and thanks for your help.

I ran ComboFix, but the reg entry is still there. Here is the log, and the MBAM log is attached.

ComboFix 11-09-05.05 - Robert 06/09/2011 12:35:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.479.256 [GMT 10:00]
Running from: c:\documents and settings\Robert\Desktop\Repair.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: FortKnox Personal Firewall *Disabled* {11F7D93C-3185-4875-AAD2-7960F8B8063F}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Robert\Application Data\dldsetup.exe
c:\documents and settings\Robert\Application Data\FFSJ
c:\documents and settings\Robert\Application Data\FFSJ\FFSJ.cfg
c:\documents and settings\Robert\Application Data\inst.exe
c:\documents and settings\Robert\Application Data\pcouffin.sys
c:\documents and settings\Robert\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Robert\Local Settings\Application Data\ApplicationHistory\D2P.exe.c603fa1.ini
c:\documents and settings\Robert\Local Settings\Application Data\ApplicationHistory\DownloadWunder.exe.e84f64ab.ini
c:\documents and settings\Robert\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Robert\Local Settings\Application Data\ApplicationHistory\SL2.tmp.4445d30.ini
c:\documents and settings\Robert\Local Settings\Application Data\ApplicationHistory\SL56F.tmp.11b762e3.ini
c:\documents and settings\Robert\Local Settings\Application Data\ApplicationHistory\SL5A1.tmp.bb3c0d43.ini
c:\documents and settings\Robert\Local Settings\Application Data\ApplicationHistory\SL5E5.tmp.239f0e43.ini
c:\documents and settings\Robert\Local Settings\Application Data\ApplicationHistory\SL86.tmp.59028652.ini
c:\documents and settings\Robert\My Documents\~WRL0002.tmp
c:\documents and settings\Robert\My Documents\~WRL0003.tmp
c:\documents and settings\Robert\My Documents\~WRL1156.tmp
c:\documents and settings\Robert\My Documents\~WRL1659.tmp
c:\documents and settings\Robert\My Documents\~WRL2218.tmp
c:\documents and settings\Robert\My Documents\~WRL3377.tmp
c:\documents and settings\Robert\My Documents\2012.txt
c:\documents and settings\Robert\WINDOWS
c:\program files\Internet Explorer\SET52.tmp
c:\program files\Internet Explorer\SET57.tmp
c:\program files\Internet Explorer\SET6A.tmp
c:\program files\Internet Explorer\SET6F.tmp
c:\windows\BackUp
c:\windows\BackUp\S\50722000.DAT
.
.
((((((((((((((((((((((((( Files Created from 2011-08-06 to 2011-09-06 )))))))))))))))))))))))))))))))
.
.
2011-09-06 01:53 . 2011-09-06 01:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-05 00:34 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-09-05 00:33 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-05 00:33 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-05 00:27 . 2011-04-29 19:07 852480 -c----w- c:\windows\system32\dllcache\vgx.dll
2011-09-05 00:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-05 00:22 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-09-04 05:41 . 2011-05-12 04:05 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-09-04 05:12 . 2011-09-04 05:11 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-04 05:00 . 2011-09-05 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-09-04 03:38 . 2011-09-04 03:38 -------- d-----w- c:\program files\Sophos
2011-09-01 07:25 . 2011-09-01 07:36 -------- d-----w- c:\program files\mp3DirectCut
2011-08-19 08:52 . 2011-08-19 08:53 -------- d-----w- c:\program files\All Sound Recorder Vista
2011-08-14 07:10 . 2011-08-14 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVCWare
2011-08-14 06:49 . 2011-08-14 06:49 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\Tipard Studio
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-14 22:11 . 2011-05-15 00:28 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2002-08-29 01:59 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 09:52 . 2009-10-13 00:59 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 09:52 . 2009-10-13 00:59 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 01:35 . 2010-12-14 01:44 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-04 01:35 . 2010-12-14 01:44 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-24 14:10 . 2004-09-12 00:45 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18 . 2010-06-30 12:41 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2006-06-23 01:33 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58 . 2004-08-04 05:59 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2002-08-29 03:41 293376 ----a-w- c:\windows\system32\winsrv.dll
2010-12-24 03:18 . 2010-01-24 05:58 2670592 ----a-w- c:\program files\VirtualDub.exe
2010-12-24 03:18 . 2010-01-24 05:58 69632 ----a-w- c:\program files\auxsetup.exe
2010-12-24 03:18 . 2010-01-24 05:58 8704 ----a-w- c:\program files\vdub.exe
2010-12-24 03:18 . 2010-01-24 05:58 73728 ----a-w- c:\program files\vdremote.dll
2010-12-24 03:18 . 2010-01-24 05:58 69632 ----a-w- c:\program files\vdicmdrv.dll
2010-12-24 03:17 . 2010-01-24 05:58 65536 ----a-w- c:\program files\vdsvrlnk.dll
2008-09-21 10:37 . 2011-03-18 01:46 389632 ----a-w- c:\program files\flvtoavi.exe
2008-09-21 08:32 . 2011-03-18 01:46 2409984 ----a-w- c:\program files\ffmpeg_x264.exe
2008-09-21 08:20 . 2011-03-18 01:46 2374656 ----a-w- c:\program files\ffmpeg.exe
2006-10-11 23:03 . 2007-02-24 13:40 8838336 ----a-w- c:\program files\Ashampoo Burning Studio 2007.exe
2000-04-16 07:52 . 2004-09-12 07:45 134656 ----a-w- c:\program files\remove.exe
2011-05-06 09:49 . 2011-05-06 09:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-05-07 05:31 . 2008-04-18 13:16 348160 ----a-w- c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 02:58 . 2008-06-08 06:18 139264 ----a-w- c:\program files\mozilla firefox\components\SABFF20.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Memory Improve Master"="c:\program files\Memory Improve Master\MemoryImproveMaster.exe" [2009-03-16 5095424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"Ashampoo FireWall"="c:\program files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 3251800]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Index Washer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperAdBlocker
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 02:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-07-06 09:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-04 14:13 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 secdir;Folder Security Personal;c:\windows\system32\secdir.sys [30/05/2007 7:39 PM 73216]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [28/03/2011 4:44 PM 13496]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26/04/2007 10:21 AM 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26/04/2007 10:21 AM 72624]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [4/09/2011 3:41 PM 18816]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [14/12/2010 11:44 AM 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/10/2009 10:59 AM 366640]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [6/02/2011 11:47 PM 632792]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [4/03/2009 1:27 AM 2368]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [28/11/2010 4:32 PM 598856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/10/2009 10:59 AM 22712]
S1 FDCENT;FDCENT; [x]
S1 fortknox_drv;fortknox_drv;c:\windows\system32\drivers\fortknoxfw.sys --> c:\windows\system32\drivers\fortknoxfw.sys [?]
S1 SABKUTIL;SABKUTIL; [x]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\Drivers\ShlDrv51.sys --> c:\windows\system32\Drivers\ShlDrv51.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 fortknox;FortKnox Personal Firewall; [x]
S2 HideFilesAndFolders_S;Hide Files and Folders;c:\windows\system32\hffsrv.exe [12/09/2003 6:57 PM 78848]
S2 PavProc;Panda Process Protection Driver; [x]
S3 Bcfilter;Jetico Personal Firewall Network Monitor;c:\windows\system32\DRIVERS\bcfilter.sys --> c:\windows\system32\DRIVERS\bcfilter.sys [?]
S3 BcfilterMP;BcfilterMP;c:\windows\system32\DRIVERS\bcfilter.sys --> c:\windows\system32\DRIVERS\bcfilter.sys [?]
S3 BlackBox;BlackBox SR2; [x]
S3 firewall;firewall; [x]
S3 Lbrpoeregb;Lbrpoeregb; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SASENUM;SASENUM; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-05 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2011-02-06 06:05]
.
2011-09-06 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2011-02-06 01:26]
.
2011-09-06 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-28 07:19]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = socks=
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
IE: Open and Translate in Word - c:\program files\SYSTRAN\5.0\Premium\IEShellExt.dll /10
LSP: c:\program files\Ashampoo\Ashampoo FireWall\spi.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\mf01qvc5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2465030&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 50
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: layout.spellcheckDefault - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-06 12:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\system32\Flocker.USR 444 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\Robert\LOCALS~1\Temp\ASFWHide"
.
[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\12.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B7C188CC-C656-22D1-E21234AD513F53A3}\{781F7726-F470-BDBE-E3632254F9ABE08C}\{D5A0EB3A-C033-B7E9-DCA15AB75FD5AB8C}*]
"GG2KGGPNIIGO4BVBD4BQHYVQFA1"=hex:01,00,01,00,00,00,00,00,e0,92,fd,62,05,19,43,
a9,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
@DACL=(02 0000)
"Status"=dword:00000000
"RsopStatus"=dword:00000000
"LastPolicyTime"=dword:00ca4f90
"PrevSlowLink"=dword:00000000
"PrevRsopLogging"=dword:00000001
"ForceRefreshFG"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"Status"=dword:00000000
"RsopStatus"=dword:80070032
"LastPolicyTime"=dword:00ca4f90
"PrevSlowLink"=dword:00000000
"PrevRsopLogging"=dword:00000001
"ForceRefreshFG"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=expand:"iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
Completion time: 2011-09-06 13:00:15
ComboFix-quarantined-files.txt 2011-09-06 03:00
.
Pre-Run: 41,192,013,824 bytes free
Post-Run: 41,137,803,264 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 067DDE4E038B79D018E2FED364758627

Edited by rollobot, 05 September 2011 - 10:26 PM.


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:39 PM

Posted 06 September 2011 - 02:31 PM

Good evening. :)

Can you post the HijackThis log that shows the registry key in question.

So long, and thanks for all the fish.



#5 rollobot

rollobot
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 06 September 2011 - 06:00 PM

Here you go.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:59:50 AM, on 7/09/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Memory Improve Master\MemoryImproveMaster.exe
C:\WINDOWS\System32\hffsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Documents and Settings\Robert\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Memory Improve Master] C:\Program Files\Memory Improve Master\MemoryImproveMaster.exe /autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open and Translate in Word - res://C:\Program Files\SYSTRAN\5.0\Premium\IEShellExt.dll /10
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277898266859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277898242406
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Hide Files and Folders (HideFilesAndFolders_S) - Unknown owner - C:\WINDOWS\System32\hffsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - (no file)
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6566 bytes

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:39 PM

Posted 08 September 2011 - 02:47 PM

Good evening. :)

Apologies for the delay in replying - my Desktop OS decided to sick itself and I'm in the middle of a reinstall. I'm not going to have time this evening to look at your problem, but I will do so tomorrow and get back to you shortly thereafter.

So long, and thanks for all the fish.



#7 rollobot

rollobot
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 08 September 2011 - 07:43 PM

That's okay, not a problem. Computers have a nasty habit of demanding your attention when you have other things planned.

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:39 PM

Posted 10 September 2011 - 02:50 PM

Good evening. :)

I ran HijackThis after their removal, which found the following in the registry:

HKEY_USERS\S-1-5-21-1757981266-1123561945-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\Open and Translate in Word

Unless my eyes are getting really bad, I don't see any reference to that in the HJT log you posted.

So long, and thanks for all the fish.



#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:39 PM

Posted 15 September 2011 - 03:30 PM

Helpers are limited in the number of logs they can take by the time they have available and having threads sit idle means that somebody else who could be being helped has to wait.
Given that there has been no response for five days, and I have no way of knowing when there will be one, this thread is now closed.

When you are able to free up some time to work on your PC problem, feel free to start a fresh thread and somebody will be along as soon as possible to help.

So long, and thanks for all the fish.
