registry entry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DbgagD\1" is locked and is listed as "hidden" in avira


  • This topic is locked
9 replies to this topic

#1 thedarkness

  • Members
  • 41 posts

Posted 14 October 2011 - 08:03 PM

Although this Vista 32-bit system has been running with no issues, I have been notified of a single hidden file after an Avira scan, which is located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DbgagD\1

Its properties cannot be changed, and the key itself cannot be viewed, edited or deleted with my admin account, running regedit "as administrator". I don't know what the entry is used for and if it is safe. When I click on its "1" property, I get "an error is preventing this key being opened: the system cannot find the file specified". I have Malwarebytes, SpywareBlaster and Trend Micro installed, along with my main Comodo firewall, and Avira antivirus. They do not conflict. With an updated Malwarebytes, and Kaspersky TDSSKiller, I have had no suspicious files listed after a scan (the latter on its default settings). Only Avira shows the registry key as hidden. This is now my second attempt at the GMER rootkit scanner. The first time it gave me a blue screen with "kxldipoc.sys - page fault in nonpaged area". Perhaps this was due to Defogger not disabling the CD emulation properly; is that likely?

I have browsed the net and found DbgagD listed in the registry on other machines (often with their own virus-related issues, not always a good sign), showing as [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*] with content similar to "value"="?\06\01\1b\065\"C".
It would seem that Wow6432Node may be used by software to determine what version of Windows is being used; could my registry entry be similar, even without "Wow6432Node" in my address? Or could DbgagD be completely unrelated and a generic term for many different entries? I have tried Process Monitor to try and find out what software uses my own DbgagD entry, but nothing has shown as of yet. This system was last installed with Vista last year, and admittedly there is a lot of software installed, trial and full, and not everything I have is 100% Vista compatible (e.g. XP-era software from my old desktop machine), yet everything I have run works without any issues. Aside from this registry key, the only other problem I have is not being able to do an F8 system repair using the boot screen (I tried it once and got a blue screen), but I have been told to only ever use the PC manufacturer's restore disc for a full reinstallation of Vista. Is it true that sometimes only one option will work? Thanks for any help; the hidden or locked registry entry is what I am mainly concerned about. Here is my DDS log and attachments:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Norma at 0:14:22 on 2011-10-15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.983 [GMT 1:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Internet\COMODO Internet Security\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Internet\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Internet\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Internet\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Internet\COMODO Internet Security\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Internet\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\Browser Guard\BGUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Trend Micro\Browser Guard\tmiegsrv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: TMIEGBHO Class: {f1ad4a42-ba52-47bc-89df-3f68f24c017f} - c:\program files\trend micro\browser guard\TMAMS.dll
BHO: Download Accelerator Plus Integration: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\internet\dap\DAPIEL~1.DLL
TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
TB: TMBGBAR TOOLBAR: {c8137a8d-415d-450c-a1b1-d0c519d45296} - c:\program files\trend micro\browser guard\tmieg.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [CursorFX] "c:\program files\stardock\cursorfx\CursorFX.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [COMODO Internet Security] "c:\program files\internet\comodo internet security\comodo\comodo internet security\cfp.exe" -h
mRun: [avgnt] "c:\program files\internet\avira\antivir desktop\avgnt.exe" /min
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Trend Micro Browser Guard] "c:\program files\trend micro\browser guard\BGUI.EXE"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Clean Traces - c:\program files\internet\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\internet\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\internet\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{75B320FC-AAC1-4603-A1AA-30FAC777BA53} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\internet\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\internet\dap\dapie.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\norma\appdata\roaming\mozilla\firefox\profiles\utekc1lh.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\internet\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\internet\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-18 64288]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2010-6-11 38400]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2010-6-11 35968]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 238960]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 36568]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\internet\avira\antivir desktop\sched.exe [2010-7-29 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\internet\avira\antivir desktop\avguard.exe [2010-7-29 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-29 66616]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-6-18 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-20 136176]
S3 EMSUSB2;EMS USB Joypad2;c:\windows\system32\drivers\Emsusb2.sys [2011-3-4 9728]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-6-11 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-6-11 8456]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-22 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-20 136176]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-9-29 38976]
S3 PSSDKLBF;PSSDKLBF;c:\windows\system32\drivers\pssdklbf.sys [2010-9-29 53312]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 tbbLoaderService;tbbLoaderService;c:\program files\internet\tbbmeter\tbbLoaderService.exe [2010-8-13 20536]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-10-13 17:49:54 -------- d-----w- c:\program files\ProcessMonitor
2011-10-12 19:12:20 -------- d-----w- c:\program files\RegmagiK
2011-10-12 18:55:39 -------- d-----w- c:\program files\regscanner
2011-10-12 15:55:13 -------- d-----w- c:\windows\Icons
2011-10-12 15:25:49 -------- d-----w- c:\users\norma\appdata\local\temp
2011-10-12 15:21:59 -------- d-sh--w- C:\$RECYCLE.BIN
2011-10-12 15:04:29 98816 ----a-w- c:\windows\sed.exe
2011-10-12 15:04:29 518144 ----a-w- c:\windows\SWREG.exe
2011-10-12 15:04:29 256000 ----a-w- c:\windows\PEV.exe
2011-10-12 15:04:29 208896 ----a-w- c:\windows\MBR.exe
2011-10-12 10:49:46 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-10-12 10:49:45 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 10:49:45 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 10:49:45 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 10:49:44 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 10:49:40 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 10:49:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 10:49:35 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 10:49:35 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-12 10:49:35 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-11 21:50:53 -------- d-----w- c:\program files\WinASO
2011-10-11 03:17:50 30544 ----a-w- c:\windows\system\DIB.DRV
2011-10-11 03:17:50 21648 ----a-w- c:\windows\system\CTL3DV2.DLL
2011-10-11 03:17:49 -------- d-----w- C:\TOPDRAW
2011-10-10 11:57:12 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-10-08 18:55:14 -------- d-----w- c:\program files\NbuExplorer_v2.3
2011-10-07 20:42:54 -------- d-----w- c:\program files\Wavosaur
2011-10-07 19:54:52 -------- d-----w- c:\program files\mp3DirectCut
2011-10-07 16:12:11 -------- d-----w- c:\program files\RAR Password Recovery Magic
2011-10-05 23:03:41 -------- d-----w- c:\users\norma\appdata\roaming\X-Wave MP3 Cutter Joiner
2011-10-05 23:03:37 -------- d-----w- c:\program files\X-Wave MP3 Cutter Joiner
2011-10-03 23:47:01 -------- d-----w- c:\program files\agv92d
2011-10-03 12:41:15 -------- d-----w- c:\users\norma\appdata\roaming\Meda MP3 Joiner 1.2
2011-10-03 12:41:12 -------- d-----w- c:\program files\Meda MP3 Joiner
2011-10-01 15:06:52 -------- d-----w- c:\programdata\Ableton
2011-10-01 15:06:49 -------- d-----w- c:\users\norma\appdata\roaming\Ableton
2011-10-01 15:04:49 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2011-10-01 15:02:28 -------- d-----w- c:\program files\ALive804
2011-09-27 15:32:42 -------- d-----w- c:\users\norma\appdata\local\Stardock
2011-09-27 15:32:36 -------- dc-h--w- c:\programdata\{E568B6A0-8E02-46C8-8954-00ECD7CD3554}
2011-09-27 15:32:31 -------- d-----w- c:\program files\Stardock
2011-09-25 11:56:13 40960 ----a-r- c:\users\norma\appdata\roaming\microsoft\installer\{9559f7ca-5e34-4237-a2d9-d856464ad727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-09-25 11:56:12 40960 ----a-r- c:\users\norma\appdata\roaming\microsoft\installer\{9559f7ca-5e34-4237-a2d9-d856464ad727}\ARPPRODUCTICON.exe
2011-09-24 11:56:05 -------- d-----w- c:\users\norma\.swt
2011-09-24 00:49:39 -------- d-----w- c:\windows\G2Runner
2011-09-22 15:33:20 -------- d-----w- C:\ULTRASND
2011-09-22 14:28:09 -------- d-----w- c:\users\norma\appdata\local\DOSBox
2011-09-22 00:37:47 -------- d-----w- c:\users\norma\D-Fend Reloaded
2011-09-21 22:52:24 -------- d-----w- c:\users\norma\appdata\roaming\CorsixTH
2011-09-21 22:40:42 -------- d-----w- C:\ThemeHospital
2011-09-21 19:04:31 168960 ----a-w- c:\windows\system32\XCDZIP35.OCX
2011-09-21 18:45:41 118832 ----a-w- c:\windows\system32\SHW32.DLL
2011-09-21 18:18:00 -------- d--h--w- c:\windows\PIF
2011-09-21 15:17:59 565760 ----a-r- c:\windows\system32\MSVCP50.DLL
2011-09-21 15:17:59 33792 ----a-r- c:\windows\NPSExec.exe
2011-09-21 14:13:03 442368 ----a-r- c:\windows\system32\vp6vfw.dll
2011-09-19 10:44:54 -------- d-----w- c:\program files\Games Utilities
2011-09-18 18:17:20 -------- d-----w- c:\windows\pss
2011-09-18 13:19:09 -------- d-----w- c:\users\norma\appdata\local\Freelancer
2011-09-16 16:24:52 -------- d-----w- c:\program files\Defraggler
2011-09-16 15:01:33 299520 ----a-w- c:\windows\uninst.exe
2011-09-16 12:10:51 -------- d-----w- c:\users\norma\appdata\local\Spotify
2011-09-16 12:10:47 -------- d-----w- c:\users\norma\appdata\roaming\Spotify
.
==================== Find3M ====================
.
2011-10-05 11:21:36 53312 ----a-w- c:\windows\system32\drivers\pssdklbf.sys
2011-10-05 11:21:35 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
2011-09-23 10:23:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 0:16:08.22 ===============

Edited by thedarkness, 14 October 2011 - 08:08 PM.
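The symptom in this post, a key that regedit lists but refuses to open with "the system cannot find the file specified", has two common and quite different causes, and the thread never establishes which one applied here. A key can be unopenable because its stored name contains a character that Win32 registry calls cannot round-trip (an embedded NUL is the long-known trick: the Win32 API treats the name as NUL-terminated, so the lookup is made for a shorter name that does not exist, which is exactly ERROR_FILE_NOT_FOUND), or because an ACL denies the caller, which instead produces "access denied". The script below is an added diagnostic written for this thread, not code from the original post or from Avira or any other tool named in it. It assumes only the key path from the post, and it wraps the documented ntdll.dll prototypes of NtOpenKey and NtEnumerateKey to read subkey names with their real length. On the Wow6432Node question raised above: that subtree is where 64-bit Windows redirects 32-bit applications' writes under HKLM\SOFTWARE, so on a 32-bit Vista install the same program writes straight under HKLM\SOFTWARE; seeing the key at either location on different machines is consistent with one 32-bit program.

```powershell
# Added example for this thread: not code from the original post, from Avira, or
# from any other tool named here. Run from an elevated PowerShell prompt.
# Assumed: the key path named in the post; the ntdll.dll prototypes below are the
# documented native-API signatures, wrapped only for this check.
$parent = 'SOFTWARE\Microsoft\DbgagD'

# 1. Record HOW the ordinary Win32/.NET open fails. OpenSubKey returns $null when the
#    name lookup fails (ERROR_FILE_NOT_FOUND, the wording regedit showed in the post)
#    and throws SecurityException when an ACL denies access: different cause, different fix.
try {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$parent\1", $false)
    if ($null -eq $k) { 'Win32 open: name lookup failed (ERROR_FILE_NOT_FOUND)' }
    else { 'Win32 open: succeeded'; $k.Close() }
} catch [System.Security.SecurityException] {
    'Win32 open: access denied by the key ACL'
}

# 2. Owner and ACEs of the parent key (needs READ_CONTROL; if even that is denied,
#    the failure is itself a finding).
try {
    $acl = Get-Acl -Path "HKLM:\$parent"
    "Owner: $($acl.Owner)"
    $acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
} catch { "Get-Acl failed: $($_.Exception.Message)" }

# 3. Enumerate the parent with the native API. Win32 registry functions treat key
#    names as NUL-terminated, so a subkey whose stored name contains an embedded NUL
#    is listed under the truncated name but can never be opened by regedit.
#    NtEnumerateKey returns the name with its real length, so the two views can be compared.
$cs = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class NtReg
{
    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    [DllImport("ntdll.dll")] static extern int NtOpenKey(out IntPtr KeyHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);
    [DllImport("ntdll.dll")] static extern int NtEnumerateKey(IntPtr KeyHandle, uint Index, int KeyInformationClass, IntPtr KeyInformation, uint Length, out uint ResultLength);
    [DllImport("ntdll.dll")] static extern int NtClose(IntPtr Handle);

    const uint KEY_ENUMERATE_SUB_KEYS = 0x0008;
    const uint OBJ_CASE_INSENSITIVE = 0x40;
    const int KeyBasicInformation = 0; // layout: LastWriteTime(8) TitleIndex(4) NameLength(4) Name[]
    const int STATUS_NO_MORE_ENTRIES = unchecked((int)0x8000001A);

    // ntPath is an object-manager path, e.g. \Registry\Machine\SOFTWARE\Microsoft\DbgagD
    public static string[] EnumerateSubKeys(string ntPath)
    {
        var names = new List<string>();
        var us = new UNICODE_STRING();
        us.Buffer = Marshal.StringToHGlobalUni(ntPath);
        us.Length = (ushort)(ntPath.Length * 2);
        us.MaximumLength = (ushort)(us.Length + 2);
        IntPtr usPtr = Marshal.AllocHGlobal(Marshal.SizeOf(us));
        Marshal.StructureToPtr(us, usPtr, false);
        var oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.ObjectName = usPtr;
        oa.Attributes = OBJ_CASE_INSENSITIVE;
        IntPtr h;
        int status = NtOpenKey(out h, KEY_ENUMERATE_SUB_KEYS, ref oa);
        if (status != 0) throw new Exception("NtOpenKey failed, NTSTATUS 0x" + status.ToString("X8"));
        IntPtr buf = Marshal.AllocHGlobal(4096);
        try
        {
            for (uint i = 0; ; i++)
            {
                uint needed;
                status = NtEnumerateKey(h, i, KeyBasicInformation, buf, 4096, out needed);
                if (status == STATUS_NO_MORE_ENTRIES) break;
                if (status != 0) throw new Exception("NtEnumerateKey failed, NTSTATUS 0x" + status.ToString("X8"));
                int nameBytes = Marshal.ReadInt32(buf, 12);           // NameLength, in bytes
                names.Add(Marshal.PtrToStringUni(new IntPtr(buf.ToInt64() + 16), nameBytes / 2));
            }
        }
        finally { NtClose(h); Marshal.FreeHGlobal(buf); Marshal.FreeHGlobal(usPtr); Marshal.FreeHGlobal(us.Buffer); }
        return names.ToArray();
    }
}
'@
Add-Type -TypeDefinition $cs

foreach ($name in [NtReg]::EnumerateSubKeys("\Registry\Machine\$parent")) {
    # Render control characters as \xNN so a NUL inside the name is visible in the output.
    $shown = ($name.ToCharArray() | ForEach-Object { if ([int]$_ -lt 0x20) { '\x{0:X2}' -f [int]$_ } else { [string]$_ } }) -join ''
    $note = if ($name.IndexOf([char]0) -ge 0) { '  <-- embedded NUL: Win32 truncates the name here' } else { '' }
    'Native view: "{0}" ({1} chars){2}' -f $shown, $name.Length, $note
}
```

Reading the three results together tells you which kind of lock you are looking at. If step 1 reports "not found" and step 3 shows the name as "1" followed by \x00 and more characters, regedit will never open or delete it and a native-API deletion by its full name (or an offline hive edit) is needed. If step 1 reports "access denied", or NtOpenKey itself fails with 0xC0000022 (STATUS_ACCESS_DENIED), the problem is the ACL, and taking ownership as Administrators comes first. Nothing in this check identifies what wrote the key; it only separates the two failure modes, which the posts in this thread never did.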
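A second added example, this time over the DDS log pasted above rather than the live registry. It is not a DDS feature or code from the original post; the rules are this editor's own, and the sample lines are copied from the log in post #1 so the script runs offline. The rules pick out what a responder would want to know from this particular log: that UAC is off (`EnableLUA = 0`, which is why "run as administrator" changed nothing), that a DLL is registered in AppInit_DLLs (loaded into every process that maps user32.dll, so its signer should be verified), that two BHO/toolbar CLSIDs point at DLLs that no longer exist (uninstall residue, not active code), and that two kernel drivers load from the system32 root rather than system32\drivers.

```powershell
# Added example: a triage pass over lines of the DDS log above. Not part of DDS or of
# the original post; the rules are the editor's own. Sample lines are copied verbatim
# from the log in post #1 so that the script runs offline.
$SampleDdsLines = @'
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\windows\system32\guard32.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-18 64288]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 238960]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-6-11 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-6-11 8456]
'@ -split "`r?`n"

function New-Finding([string]$Item, [string]$Reason) {
    New-Object PSObject -Property @{ Item = $Item; Reason = $Reason }
}

function Get-DdsFindings {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<state>[RS]\d) (?<name>[^;]+);(?<display>[^;]*);(?<path>.+?) \[(?<date>\S+) (?<size>\d+)\]$') {
            # Service/driver line: "<state> <name>;<display name>;<image path> [<date> <size>]".
            # Kernel drivers normally live under system32\drivers; anything else gets a
            # signature check, whether it turns out to be a third-party tool or not.
            $path = $Matches['path']
            if ($path -match '\.sys$' -and $path -notmatch '\\drivers\\') {
                New-Finding $Matches['name'] "driver image outside system32\drivers: $path"
            }
        }
        elseif ($line -match '^(?<kind>BHO|TB): (?<clsid>\{[0-9A-Fa-f-]+\}) - No File$') {
            # Registered COM object whose DLL is gone: uninstall residue, not running code.
            New-Finding $Matches['clsid'] "$($Matches['kind']) registered but its DLL is missing (orphaned entry)"
        }
        elseif ($line -match '^mPolicies-system: EnableLUA = 0') {
            # EnableLUA = 0 turns UAC off: an admin logon already runs with the full token,
            # so "Run as administrator" adds nothing and no elevation prompt will ever appear.
            New-Finding 'EnableLUA' 'UAC disabled; every process of an admin user runs unrestricted'
        }
        elseif ($line -match '^AppInit_DLLs: (?<dll>\S.*)$') {
            # AppInit_DLLs is loaded into every process that maps user32.dll: verify the signer.
            New-Finding 'AppInit_DLLs' "DLL injected into all user32 processes: $($Matches['dll'])"
        }
    }
}

Get-DdsFindings -Lines $SampleDdsLines | Format-Table Item, Reason -AutoSize
```

On the sample lines it reports EnableLUA, AppInit_DLLs, the two orphaned CLSIDs, and epmntdrv and EuGdiDrv; the two drivers under system32\drivers pass. Feed it the full log with `Get-Content dds.txt` in place of the sample array. None of these findings is a verdict on the DbgagD key, and the thread does not connect them to it; they are simply the conditions in this log that change how the rest of the investigation should be read.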


#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Location:Puerto Rico

Posted 14 October 2011 - 08:28 PM

Hi and welcome.

There is no information as to the source of that entry. We can however make it visible for you.

Let's try ComboFix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 thedarkness

  • Topic Starter
  • Members
  • 41 posts

Posted 15 October 2011 - 10:32 AM

Those two links point to two different versions of ComboFix! I back my system up, but on the ComboFix scan it decided to delete my ntfs.sys, and therefore after that booting up and repairing of the system was impossible, only a reinstall, lol. I'm still pretty sure the system was not infected, but THANKS anyway :) I advise everyone to make sure their systems are backed up before ever attempting to use Combo'fix'. If it thought ntfs.sys was infected, it could have at least given the option to users whether they wanted to remove it or not, for safety's sake (one last login before removal in order to save their precious files)?

Edited by thedarkness, 15 October 2011 - 10:33 AM.


#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Location:Puerto Rico

Posted 15 October 2011 - 01:35 PM

That is very odd, as ComboFix won't delete a file without backing up, and when dealing with drivers it will replace the file with a legit copy if found, else it will skip the file. The fact is that you ran ComboFix before, as signs of its use were in the computer, so chances are you were infected and the infection made your computer unbootable. There was no reason to reinstall, as we could have dealt with the issue.

Did you reformat before reinstalling?



#5 thedarkness

  • Topic Starter
  • Members
  • 41 posts

Posted 15 October 2011 - 04:01 PM

I thought the smiley face at the end of ComboFix (telling me it had now deleted the problem) was a sign that the program itself was infected, especially since after that it deleted ntfs.sys, making it non-bootable. I've reformatted and reinstalled with everything backed up, although I think it may have been a quick format used by my Vista disc (old files may be recoverable). I'm still not certain that the system was infected, as this DbgagD registry entry had probably been there for at least a week or two at the most, and I had no problems with anything running at all, similar to the users here:
http://www.bleepingcomputer.com/forums/topic423545.html/page__gopid__2441976#entry2441976
http://www.bleepingcomputer.com/forums/topic279163.html/page__st__15

I did have some pre-XP-era software installed, but the workarounds came from legit websites; I still think it could have been a Vista issue/corrupt registry and false alarm, but I might still consider changing firewall and antivirus. If it happens again then at least I'll know that this is true; I'll keep rechecking that registry to make sure it doesn't reappear. Thanks.

#6 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Location:Puerto Rico

Posted 15 October 2011 - 04:52 PM

Thanks for the feedback. Should I consider this issue as resolved?



#7 thedarkness

  • Topic Starter
  • Members
  • 41 posts

Posted 16 October 2011 - 06:13 AM

Needed, or a genuine infection that wasn't able to do much damage, I may never know 100%, but ntfs.sys seems a common target for trojans to render a system unbootable. All my software is legit, so I don't know how an infection could get through. I'll have to consider it fixed, since I've now gotten rid of it, but has ComboFix ever found false positives and deleted much-needed system files to render a system unbootable on anyone else's machine?

As a test, I'll be reinstalling all my previous software, and rechecking that registry location each time. I'm not sure if I should check immediately afterwards, or on a restart after each installation, to be more accurate? If it reappears, then I will post what I installed just before. Could it have been old software creating an issue with the registry and therefore corruption or a false positive? Or was it more likely to be a trojan that seemingly could either do absolutely nothing, or was waiting until the right time, lol. I had a lot of anti-malware programs installed alongside Comodo; perhaps that prevented it connecting to the outside, but I was never given any warnings. Perhaps only premium antivirus software will do that, lol. Can I get a trojan by simply visiting websites? If so then I may need more tools installed to avoid known 'bad' sites, although I'm not sure how effective the big-brand browser toolbars can be at that! Thanks

#8 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Location:Puerto Rico

Posted 16 October 2011 - 08:51 AM

"Has Combofix ever found false positives and deleted much needed system files to render a system unbootable on anyone elses machine?"

No. Combofix will never render a computer unbootable, unless instructions are not followed. A firewall or antivirus however may cause unpredictable results.

"Can I get a trojan by simply visiting websites?"

Yes. Every page must be downloaded in order to be seen. So, yes, your computer can get infected just by visiting an unfriendly site.



#9 thedarkness

  • Topic Starter
  • Members
  • 41 posts

Posted 16 October 2011 - 12:34 PM

"A firewall or antivirus however may cause unpredictable results."

There's the possibility of untrustworthy websites giving me a trojan, but I tend not to browse in that manner, lol. I was disconnected from the net, and my firewall and antivirus were also turned off completely on the second ComboFix attempt. I don't think any processes from my antivirus or firewall were still running. ComboFix simply deleted a much-needed system file and as a result the machine wouldn't boot. ComboFix giving me the blue screen the first time (days before) was perhaps to be expected if my firewall may have still been running, but not on the second attempt. So the SMILEY FACE on the ComboFix screen with 'found and deleted NTFS.sys recognised xx trojan' wasn't a 'you've been had; this program is your real problem LOL' remark after all? :)

I still want to find out where that registry entry could have originally come from (program or website), and even if it was a genuine trojan, what exactly it did. Google yields almost no results; most posts (that aren't mine on multiple forums) are only from the past couple of weeks, although the earliest time this awkward registry entry was found was 2009. The machine had no problems if I had just left it alone, and aside from Avira recognising the file as 'hidden', it did no damage. It would seem Avira, Comodo, Malwarebytes, SpywareBlaster, Trend Micro and Kaspersky TDSSKiller have all proven to be useless, as this file could get through and remain undetected, if it was a genuine trojan. Thanks

Edited by thedarkness, 16 October 2011 - 12:36 PM.


#10 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Location:Puerto Rico

Posted 16 October 2011 - 01:12 PM

Very well.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





