
Possible Malware Infection & PC is running wrong version of Windows XP


This topic is locked
27 replies to this topic

#1 besscella

besscella

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:01 AM

Posted 15 September 2013 - 12:25 PM

Hi

 

The nub of my problem is that my PC was infected recently by at least two high classed viruses called

 

Win32:Malware-gen

Win32:Rustock-AY

 

And five other threats also.  (I didn't take note of the names of the other threats, sorry, but I think those five were removed successfully.)  One of the above two viruses was removed successfully and I'm not sure if the other threat / virus is still on my PC or not.

 

The details of this problem can be found in the link below.

 

But to summarise: My PC was running Windows XP Professional SP3 prior to me running the avast antivirus software.  Then afterwards, on reboot after a partial boot-scan (I stopped the bootscan), my PC is now running Windows XP Home Edition and I have no idea why.

 

I would love if you could help me to get my computer running properly again, please.

 

I've been getting some help for this problem in the forum entitled 'Am I Infected?'  The man who's been helping me, noknojon, said that they can't help me any further in that forum and suggested that I follow the

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.

 

He also asked me to post a link to my post on the 'Am I Infected?' forum.  The title of my thread is

PC should be running Windows Professional XP now running Windows Home???

And here's the link to that post:

 

http://www.bleepingcomputer.com/forums/t/507504/pc-should-be-running-windows-professional-xp-now-running-windows-home/

 

I think the above link is what he asked me to send you.  Basically he asked me to post the logs he had linked, and so I think that meant I was supposed to send you the link to my post as I have done above.  If I've messed up please let me know.

 

All the details of the problems I've been having and the steps I've taken so far can be found in my previous post (see address link above.).

 

I don't know whether I'm infected or not as he didn't mention any infection in his instructions to me, but perhaps you'll be able to tell from the logs posted in the above link.   Also I have no idea what the logs mean or how to read them.  Sorry.

 

On that note, I feel it's important to tell you that I only know a little bit about computers.  Most of this is like Chinese to me.  I'm just following instructions here in the order that they are given to me.  And I'm trusting that you guys and gals know what you are doing as I haven't a clue.  So if you wouldn't mind, if further instruction is needed to fix my computer, and I'm thinking it will be, will you please make your instructions step by step and as clear as possible, please?  Thanks.  I appreciate it.  And make the order of the steps crystal clear also please.  I'm afraid that if I do things in the wrong order then I'll mess up my PC even more than it is already.  Thanks.

 

Now having said all of that, noknojon told me to tell you that I have a Windows XP Professional SP3 CD, as this would maybe make your job easier.

 

I ran the dds program and here is the log from the dds.txt file:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by SharonC at 17:12:23 on 2013-09-15
.
============== Running Processes ================
.
C:\Program Files\HitmanPro\hmpsched.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Giraffic\Veoh_GirafficWatchdog.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Giraffic\Veoh_Giraffic.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: VideoFileDownload: {0931BD3F-547E-45C1-B133-D0E995645DBA} -
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: isoHunt-Vuze Toolbar: {6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - c:\program files\isohunt-vuze\tbIso2.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: VideoFileDownload: {BA0454C5-FD30-428E-8DB9-3FF87A612F64} -
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Media Star Toolbar: {dfabc5b5-039b-4865-979a-de31cdf3e351} - c:\program files\media_star\prxtbMed0.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: isoHunt-Vuze Toolbar: {6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - c:\program files\isohunt-vuze\tbIso2.dll
TB: Media Star Toolbar: {dfabc5b5-039b-4865-979a-de31cdf3e351} - c:\program files\media_star\prxtbMed0.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340473970054
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game13.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
TCP: NameServer = 89.101.160.5 89.101.160.4
TCP: Interfaces\{0F0E9337-3E4E-4834-B955-69E8E2E954CB} : DHCPNameServer = 89.101.160.5 89.101.160.4
TCP: Interfaces\{D629EEE3-FE2C-46B7-84E5-F69F6C292BB5} : DHCPNameServer = 62.40.32.33 8.8.8.8
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: ahgggkqo - ahgggkqo.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.66\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sharonc.sharon\application data\mozilla\firefox\profiles\6044tzwz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\browser\nppdf32(2).dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1202122.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_168.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-09-05 17:53; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R? BBSvc;Bing Bar Update Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? fsssvc;Windows Live Family Safety Service
R? HssWd;Hotspot Shield Monitoring Service
R? Lbd;Lbd
R? Netaapl;Apple Mobile Device Ethernet Service
R? rhwa;rhwa
R? SkypeUpdate;Skype Updater
R? WinRM;Windows Remote Management (WS-Management)
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? !SASCORE;SAS Core Service
S? A2DDA;A2 Direct Disk Access Support Driver
S? aswFsBlk;aswFsBlk
S? aswMonFlt;aswMonFlt
S? aswRvrt;aswRvrt
S? aswSnx;aswSnx
S? aswSP;aswSP
S? aswVmm;aswVmm
S? avast! Antivirus;avast! Antivirus
S? BBUpdate;BBUpdate
S? dlcx_device;dlcx_device
S? fssfltr;fssfltr
S? Giraffic;Veoh Giraffic Video Accelerator
S? HitmanProScheduler;HitmanPro Scheduler
S? McrdSvc;Media Center Extender Service
S? npf;NetGroup Packet Filter Driver
S? PSI;PSI
S? RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? Secunia PSI Agent;Secunia PSI Agent
S? Secunia Update Agent;Secunia Update Agent
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~2\office\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2013-09-15 16:11:39    --------    d-----w-    c:\documents and settings\sharonc.sharon\application data\SUPERAntiSpyware.com
2013-09-15 02:16:09    --------    d-----w-    c:\program files\PowerISO
2013-09-15 00:52:08    --------    d-----w-    c:\program files\Nero
2013-09-15 00:51:37    --------    d-----w-    c:\documents and settings\all users\application data\Nero
2013-09-13 00:35:40    --------    d-----w-    c:\documents and settings\sharonc.sharon\application data\Malwarebytes
2013-09-12 21:36:06    --------    d-----w-    c:\program files\Speccy
2013-09-12 01:27:14    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-12 01:27:14    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-12 00:06:59    --------    d-----w-    c:\documents and settings\sharonc.sharon\application data\Windows Search
2013-09-11 22:02:54    --------    d-----w-    c:\documents and settings\sharonc.sharon\application data\uTorrent
2013-09-11 15:39:34    262552    ----a-w-    c:\program files\mozilla firefox\browser\components\browsercomps.dll
2013-09-11 15:13:56    --------    d-----w-    c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-09-11 14:26:10    --------    d-----w-    c:\documents and settings\sharonc.sharon\local settings\application data\Google
2013-09-11 14:25:55    --------    d-----w-    c:\documents and settings\sharonc.sharon\local settings\application data\Mozilla
2013-09-11 14:25:07    --------    d-----w-    c:\documents and settings\sharonc.sharon\local settings\application data\Identities
2013-09-11 14:24:24    --------    d-----w-    c:\documents and settings\sharonc.sharon\local settings\application data\Roxio
2013-09-11 14:21:38    --------    d-sh--w-    c:\documents and settings\sharonc.sharon\IETldCache
2013-09-11 14:21:38    --------    d-----w-    c:\documents and settings\sharonc.sharon\local settings\application data\Microsoft
2013-09-11 14:21:38    --------    d-----w-    c:\documents and settings\sharonc.sharon\local settings\application data\Apple Computer
2013-09-11 00:26:40    9430408    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-09-05 16:55:18    770344    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-09-05 16:55:17    177864    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-09-05 16:55:16    49376    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-09-05 16:55:14    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-09-05 16:52:52    41664    ----a-w-    c:\windows\avastSS.scr
2013-09-05 16:51:10    --------    d-----w-    c:\program files\AVAST Software
2013-09-05 16:49:55    --------    d-----w-    c:\documents and settings\all users\application data\AVAST Software
2013-09-05 15:23:47    --------    d-----w-    c:\program files\RealNetworks
2013-09-05 15:23:45    --------    d-----w-    c:\documents and settings\all users\application data\RealNetworks
2013-09-05 15:22:42    --------    d-----w-    c:\program files\common files\xing shared
2013-09-05 14:04:02    209272    ----a-w-    c:\program files\mozilla firefox\plugins\nppdf32.dll
2013-09-05 14:04:02    209272    ----a-w-    c:\program files\internet explorer\plugins\nppdf32.dll
2013-08-20 23:13:39    --------    d-----w-    c:\windows\system32\winrm
2013-08-20 23:13:31    --------    dc----w-    c:\windows\$968930Uinstall_KB968930$
2013-08-20 23:10:28    --------    d-----w-    c:\windows\system32\GroupPolicy
2013-08-20 23:10:28    --------    d-----w-    c:\program files\Windows Desktop Search
2013-08-20 23:08:52    98304    -c----w-    c:\windows\system32\dllcache\nlhtml.dll
2013-08-20 23:08:52    29696    -c----w-    c:\windows\system32\dllcache\mimefilt.dll
2013-08-20 23:08:51    192000    -c----w-    c:\windows\system32\dllcache\offfilt.dll
2013-08-20 03:23:57    --------    d-----w-    c:\windows\system32\NtmsData
.
==================== Find3M  ====================
.
2013-09-05 15:20:14    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2013-09-05 15:20:14    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2013-08-09 01:56:45    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 06:05:59    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-08-08 06:05:59    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-08-08 06:05:59    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-08-08 06:05:58    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-08-08 01:27:48    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-08 00:02:34    385024    ------w-    c:\windows\system32\html.iec
2013-08-05 13:30:32    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-03 13:18:38    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-07-13 18:52:44    6216    --sha-w-    c:\windows\system32\KGyGaAvL.sys
2013-07-13 18:52:29    104    --sh--r-    c:\windows\system32\5F8AD11885.sys
2013-07-10 10:37:53    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03:25    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-28 18:55:45    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-28 18:55:44    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-28 18:55:44    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-28 18:55:44    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2010-01-26 11:11:08    444283    ----a-w-    c:\program files\common files\WinPcapNmap.exe
.
============= FINISH: 17:14:08.29 ===============
 

 

Please see attachments for the attach.txt file.

 

Thanks in advance for any help you can offer.

 

Sharon.

Edited by besscella, 15 September 2013 - 12:38 PM.
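The DDS "Pseudo HJT Report" in the post above lists browser hooks (BHO, TB, URLSearchHooks), Explorer policies, Winlogon Notify packages and hosts-file overrides in a fixed line format. The Python below is an added illustration for this thread; it is not part of the thread, of BleepingComputer's guidance, or of the DDS tool. It parses a handful of lines copied from the log above and applies the checks a helper would run before deciding what to remove: registrations with no backing file, the effective NoDriveTypeAutoRun policy (the HKLM value, shown by DDS with the `m` prefix, overrides the HKCU `u` value, and 0xFF disables AutoRun on every drive type), Notify DLLs outside a small allowlist, and hosts entries pointing a non-local name at the loopback address. The allowlist, the category names and the selection of sample lines are assumptions made for this example; the findings are pointers for verification, not verdicts.

```python
"""Triage helper for the DDS 'Pseudo HJT Report' line format (added example)."""
import re

# Allowlist of Winlogon Notify DLLs accepted without review. Constructed for this
# example; igfxdev.dll is the Intel graphics driver's notify package.
KNOWN_NOTIFY_DLLS = {"igfxdev.dll"}

# NoDriveTypeAutoRun value that disables AutoRun on every drive type.
AUTORUN_ALL_DISABLED = 0xFF

# Sample lines copied from the DDS log posted above (abbreviated selection).
SAMPLE_DDS = r"""
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: VideoFileDownload: {0931BD3F-547E-45C1-B133-D0E995645DBA} -
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Media Star Toolbar: {dfabc5b5-039b-4865-979a-de31cdf3e351} - c:\program files\media_star\prxtbMed0.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:0
Notify: ahgggkqo - ahgggkqo.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1    www.spywareinfo.com
"""

# "<kind>: [<name>:] {CLSID} - <path>" ; the name and the path may be absent.
_HOOK_RE = re.compile(
    r"^(BHO|TB|dURLSearchHooks):\s*(?:(.*?):\s*)?(\{[0-9A-Fa-f-]{36}\})\s*-\s*(.*)$")
# u = HKCU, m = HKLM, d = default user (DDS prefix convention).
_POLICY_RE = re.compile(
    r"^([umd])Policies-Explorer:\s*NoDriveTypeAutoRun\s*=\s*dword:(\d+)$")
_NOTIFY_RE = re.compile(r"^Notify:\s*(\S+)\s*-\s*(\S+)$")
_HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)$")


def parse_dds(text):
    """Split Pseudo HJT Report lines into hooks, AutoRun policies, Notify and Hosts."""
    entries = {"hooks": [], "autorun": {}, "notify": [], "hosts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HOOK_RE.match(line):
            kind, name, clsid, path = m.groups()
            entries["hooks"].append(
                {"kind": kind, "name": name or "", "clsid": clsid.upper(), "path": path})
        elif m := _POLICY_RE.match(line):
            entries["autorun"][m.group(1)] = int(m.group(2))
        elif m := _NOTIFY_RE.match(line):
            entries["notify"].append({"name": m.group(1), "dll": m.group(2)})
        elif m := _HOSTS_RE.match(line):
            entries["hosts"].append({"ip": m.group(1), "host": m.group(2)})
    return entries


def triage(entries):
    """Apply defender-side heuristics; returns (category, detail) tuples."""
    findings = []
    for h in entries["hooks"]:
        # A registered hook with no file behind it is a leftover to clean up.
        if h["path"] in ("", "<orphaned>"):
            findings.append(("stale-registration",
                             f'{h["kind"]} {h["clsid"]} ({h["name"] or "unnamed"}) has no backing file'))
    auto = entries["autorun"]
    if auto:
        # The machine (HKLM) policy takes precedence over the per-user one.
        source = "machine policy" if "m" in auto else "user policy"
        effective = auto.get("m", auto.get("u"))
        if effective != AUTORUN_ALL_DISABLED:
            findings.append(("autorun",
                             f"{source} sets NoDriveTypeAutoRun=0x{effective:02X}; "
                             f"0x{AUTORUN_ALL_DISABLED:X} disables AutoRun on every drive type"))
    for n in entries["notify"]:
        # Notify packages load into winlogon.exe; anything outside the allowlist
        # given only as a bare file name should be located on disk and checked.
        dll = n["dll"].lower()
        if "\\" not in dll and dll not in KNOWN_NOTIFY_DLLS:
            findings.append(("winlogon-notify",
                             f'{n["dll"]} not in allowlist; verify the file and its signer'))
    for h in entries["hosts"]:
        if h["ip"] in ("127.0.0.1", "0.0.0.0") and h["host"] != "localhost":
            findings.append(("hosts-override", f'{h["host"]} -> {h["ip"]}'))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_dds(SAMPLE_DDS)):
        print(f"[{category}] {detail}")
```

Run against the full log instead of the excerpt and the same four categories come out; the point of the allowlist is that every Notify entry gets a human look unless it is already known, which is how the random-looking `ahgggkqo.dll` surfaces without the script claiming anything about it.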


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:01 AM

Posted 19 September 2013 - 01:50 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===


Please paste the logs in your next reply, DO NOT ATTACH THEM.
Let me know what problem persists.

#3 besscella

besscella
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:01 AM

Posted 19 September 2013 - 02:53 PM

Hi Nasdaq,

Just wanted to say a quick thank you for your speedy reply.

My printer isn't working at the moment but I can get this printed out either at work or at my parents' house by the weekend. So if there's a delay in my replying to this post, then that's the reason why.

Thanks again, and I'll be in touch soon.

Cheers,

Sharon.



#4 besscella

besscella
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:01 AM

Posted 20 September 2013 - 04:33 PM

Hi Nasdaq,

 

You said to let you know of any problems that persist.  Well first of all I can now see my system information where I couldn't before.  The name of my OS system is listed as Windows XP Professional SP3 build 2600.  Unfortunately my system is still running Windows XP Home Edition.  

 

I'm not sure if I did the right thing earlier.  At the point when Combofix was attempting to download and install the Microsoft Windows recovery console, it asked me if my computer was running Windows XP Home Edition, and because my system IS currently running the Windows XP Home Edition I said Yes.  But my system SHOULD be running WINDOWS XP PROFESSIONAL SP3. 

 

So I'm wondering if that's why my computer is still running the home edition instead of the professional version.  I would love to have my computer running the Windows XP Professional version again and I'd appreciate any help you can give to get it back to that state.  I have a Windows XP Professional CD.  Will I be able to get the Windows XP Professional version of the Windows recovery console?

 

Also, I have a program that runs on DOS.  It's called Smart Luck.  This has been messed up by Combofix.  It's just a lottery program and I have a copy of it on a USB stick so I can delete this version and reinstall from the USB stick.  The problem I'm having with this program is that when I run it I am given an error message, and here is that message word for word:

 

C:\SMARTL~1\gh\gail.exe

SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers.  Virtual Device Driver format in the registry is invalid.  Choose 'Close' to terminate application.

 

                                               Close                      Ignore

 

I usually choose Ignore and the program normally runs just fine.  Today however when I tried to run the program after Combofix finished running, there were all sorts of letters and symbols in places where they shouldn't have been.  I was just wondering if it's possible to get the virtual device driver sorted out.  I can delete the program and reinstall it but I don't think that will sort out the virtual device driver issue.  So any help you can offer here would be greatly appreciated.  (I'm not sure if this problem is related to any malware infections.)

 

I haven't noticed anything else wrong apart from the virtual device drivers error and the fact that my system is still running the wrong version of Windows XP.

 

In any case here are the logs from the programs that I ran as per your instructions:

 

The log from AdwCleaner[S0].txt:

 

# AdwCleaner v3.004 - Report created 20/09/2013 at 00:17:18
# Updated 15/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : SharonC - SHARON
# Running from : C:\Documents and Settings\SharonC.SHARON\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium
Folder Deleted : C:\Program Files\1ClickDownload
Folder Deleted : C:\Program Files\adawaretb
Folder Deleted : C:\Program Files\fbphotozoom
Folder Deleted : C:\Program Files\iMesh Applications
Folder Deleted : C:\Program Files\Smartdl
Folder Deleted : C:\Program Files\Isohunt-vuze
Folder Deleted : C:\Program Files\Media_Star
File Deleted : C:\Documents and Settings\All Users\Desktop\YourFile Downloader.lnk
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\iMeshWebSearch.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pmlghpafmmnmmkjdhacccolfgnkiboco
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\1ClicktorrentFile
Key Deleted : HKLM\SOFTWARE\Classes\1ClicktorrentFile1
Key Deleted : HKLM\SOFTWARE\Classes\oneclick
Key Deleted : HKLM\SOFTWARE\Classes\oneclickmg
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C3A1DE1-94CA-4AD6-ACDF-C1324ADC487B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4324CF11-5CC0-4750-A02D-C90947E214CF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DFABC5B5-039B-4865-979A-DE31CDF3E351}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CE358899-1C9C-4293-8B38-9CF8DB99892D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E1F9049A-184F-4134-95E1-3EDCE1009E45}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C3A1DE1-94CA-4AD6-ACDF-C1324ADC487B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DFABC5B5-039B-4865-979A-DE31CDF3E351}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4324CF11-5CC0-4750-A02D-C90947E214CF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CE358899-1C9C-4293-8B38-9CF8DB99892D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E1F9049A-184F-4134-95E1-3EDCE1009E45}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1230296-345A-4744-8D71-6FFCC467D803}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9A3D33DC-1524-4B3D-9C5A-3CE80D503EAB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1BAF78DC-B9C3-4228-8435-F5D83A2A6346}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{10A9C4D3-980E-424F-8A5E-32566BA9324F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4B582F6-23DC-4A32-877E-54766048D032}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C3A1DE1-94CA-4AD6-ACDF-C1324ADC487B}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{DFABC5B5-039B-4865-979A-DE31CDF3E351}]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List [C:\Program Files\iMesh Applications\iMesh\iMesh.exe]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\iMesh Applications\iMesh\iMesh.exe]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\adawaretb\dtUser.exe]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\1ClickDownload\1ClickDownload.exe]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\YourFileDownloader\Downloader.exe]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\YourFileDownloader\YourFile.exe]
Key Deleted : HKLM\Software\iMeshMediabarTb
Key Deleted : HKLM\Software\Isohunt-vuze
Key Deleted : HKLM\Software\Media_Star
Key Deleted : HKLM\Software\Vuze_Remote
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adawaretb
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Complitly_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iMesh 1 MediaBar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Isohunt-vuze Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Media_Star Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vuze_Remote Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\adawaretb
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Complitly_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\iMesh 1 MediaBar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\incredibar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Isohunt-vuze Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Media_Star Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Vuze_Remote Toolbar
Product Deleted : BabylonObjectInstaller

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v23.0.1 (en-US)

-\\ Google Chrome v29.0.1547.66

*************************

AdwCleaner[R0].txt - [7709 octets] - [20/09/2013 00:02:55]
AdwCleaner[R1].txt - [7769 octets] - [20/09/2013 00:13:17]
AdwCleaner[S0].txt - [7852 octets] - [20/09/2013 00:17:18]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7912 octets] ##########

Here is the log from JRT.txt:

 

Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.1 (09.15.2013:1)
OS: Microsoft Windows XP x86
Ran by SharonC on 20/09/2013 at  0:42:28.62
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] hsswd
Successfully deleted: [Service] hsswd



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B2468513CA2D6943A1A233CD3F88CE7
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0454C5-FD30-428E-8DB9-3FF87A612F64}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\SharonC.SHARON\Application Data\adawaretb"
Successfully deleted: [Folder] "C:\Program Files\free youtube downloader"
Successfully deleted: [Folder] "C:\Program Files\openapp"



~~~ FireFox

Successfully deleted: [File] C:\user.js
Failed to delete: [File] "C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 20/09/2013 at  2:55:22.39
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is the log from Combofix log.txt:

ComboFix 13-09-19.01 - SharonC 20/09/2013  21:19:20.1.2 - x86
Running from: c:\documents and settings\SharonC.SHARON\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameJ.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgfinst.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi
c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupcz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupda.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupfr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupge.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuphu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupin.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupit.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupjp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupko.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupms.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupnl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsk.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuptr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi
c:\documents and settings\SharonC\g2mdlhlpx.exe
c:\documents and settings\SharonC\thinsetting.tmp
c:\documents and settings\SharonC\WINDOWS
c:\program files\intellidownload\gunzip.exe
c:\windows\jestertb.dll
c:\windows\wininit.ini
E:\install.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SYNSEND
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-20 to 2013-09-20  )))))))))))))))))))))))))))))))
.
.
2013-09-20 20:40 . 2013-09-20 20:40    30976    ----a-w-    c:\windows\system32\drivers\hitmanpro37.sys
2013-09-19 23:42 . 2013-09-19 23:42    --------    d-----w-    c:\windows\ERUNT
2013-09-19 23:02 . 2013-09-19 23:17    --------    d-----w-    C:\AdwCleaner
2013-09-15 18:12 . 2013-09-15 18:12    --------    d-----w-    c:\program files\Cobian Backup 11
2013-09-15 02:16 . 2013-09-15 02:16    --------    d-----w-    c:\program files\PowerISO
2013-09-15 01:04 . 2013-09-15 01:04    --------    d-----w-    c:\program files\Windows Sidebar
2013-09-15 00:52 . 2013-09-15 01:05    --------    d-----w-    c:\program files\Nero
2013-09-15 00:51 . 2013-09-15 01:20    --------    d-----w-    c:\program files\Common Files\Nero
2013-09-15 00:51 . 2013-09-15 00:58    --------    d-----w-    c:\documents and settings\All Users\Application Data\Nero
2013-09-12 21:36 . 2013-09-12 21:36    --------    d-----w-    c:\program files\Speccy
2013-09-12 01:27 . 2013-09-12 01:27    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-12 01:27 . 2013-09-12 01:27    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-11 15:13 . 2013-09-11 16:16    --------    d-----w-    c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-09-11 14:21 . 2013-09-12 12:57    --------    d-----w-    c:\documents and settings\SharonC.SHARON
2013-09-11 00:26 . 2013-09-12 01:26    9430408    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2013-09-05 16:55 . 2013-08-30 07:48    369584    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-09-05 16:55 . 2013-08-30 07:48    29816    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-09-05 16:55 . 2013-08-30 07:48    56080    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-09-05 16:55 . 2013-08-30 07:48    770344    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-09-05 16:55 . 2013-08-30 07:48    49760    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2013-09-05 16:55 . 2013-08-30 07:48    177864    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-09-05 16:55 . 2013-08-30 07:48    49376    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-09-05 16:55 . 2013-08-30 07:48    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-09-05 16:55 . 2013-08-30 07:47    229648    ----a-w-    c:\windows\system32\aswBoot.exe
2013-09-05 16:52 . 2013-08-30 07:47    41664    ----a-w-    c:\windows\avastSS.scr
2013-09-05 16:51 . 2013-09-05 16:51    --------    d-----w-    c:\program files\AVAST Software
2013-09-05 16:49 . 2013-09-05 16:51    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVAST Software
2013-09-05 15:23 . 2013-09-05 15:23    --------    d-----w-    c:\program files\RealNetworks
2013-09-05 15:23 . 2013-09-05 15:23    --------    d-----w-    c:\documents and settings\All Users\Application Data\RealNetworks
2013-09-05 15:22 . 2013-09-05 15:22    --------    d-----w-    c:\program files\Common Files\xing shared
2013-09-05 14:04 . 2013-09-05 14:04    209272    ----a-w-    c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2013-09-05 14:04 . 2013-09-05 14:04    209272    ----a-w-    c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-05 15:20 . 2011-09-05 14:06    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2013-09-05 15:20 . 2009-04-02 21:56    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2013-08-09 01:56 . 2004-08-10 11:00    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2006-03-04 03:33    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2004-08-10 11:00    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2004-08-10 11:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2004-08-10 11:00    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2004-08-10 11:00    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2004-08-10 11:00    385024    ------w-    c:\windows\system32\html.iec
2013-08-05 13:30 . 2004-08-10 11:00    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-03 13:18 . 2006-10-18 20:47    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-07-10 10:37 . 2004-08-10 11:00    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2005-03-30 01:21    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2005-03-30 01:01    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-28 18:55 . 2013-06-28 18:55    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-28 18:55 . 2012-07-23 18:05    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-28 18:55 . 2011-06-16 18:22    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-28 18:55 . 2010-05-08 00:28    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2010-01-26 11:11 . 2013-02-28 17:17    444283    ----a-w-    c:\program files\Common Files\WinPcapNmap.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-08-30 07:47    121968    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-24 868352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-09-05 295512]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-08-16 152392]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [1999-2-17 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^SharonC^Start Menu^Programs^Startup^GooHay!.lnk]
path=c:\documents and settings\SharonC\Start Menu\Programs\Startup\GooHay!.lnk
backup=c:\windows\pss\GooHay!.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^SharonC^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\SharonC\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^SharonC^Start Menu^Programs^Startup^sc_start.lnk]
path=c:\documents and settings\SharonC\Start Menu\Programs\Startup\sc_start.lnk
backup=c:\windows\pss\sc_start.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShaPlus Bandwidth Meter]
c:\program files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Browsing Protection]
2011-10-21 09:09    198032    ----a-w-    c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06    958576    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 00:52    59240    ----a-w-    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-21 20:43    59720    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 13:54    91520    ----a-w-    c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 10:06    106496    ----a-w-    c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08    1259376    ----a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
2006-11-03 22:04    291720    ----a-w-    c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 12:56    64512    ----a-w-    c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2006-11-03 22:09    312200    ----a-w-    c:\program files\Dell PC Fax\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-07-21 17:50    86016    ----a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-07-21 17:48    98304    ----a-w-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
2006-11-03 22:04    304008    ----a-w-    c:\program files\Dell Photo AIO Printer 926\memcard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-22 00:18    6276408    ----a-w-    c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12    3872080    ----a-w-    c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-07-21 17:47    81920    ----a-w-    c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 17:36    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-06-23 20:12    319488    ----a-w-    c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-01 17:44    65536    ----a-w-    c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-20 15:00    282624    ----a-w-    c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33    17418928    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07    2260480    --sha-r-    c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SubVid]
2008-09-16 08:02    139264    ----a-w-    c:\program files\MindMovies\Subliminal\SubVid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 06:32    253816    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-09-05 15:21    295512    ----a-w-    c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
2007-02-20 11:07    199752    ----a-w-    c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2011-08-25 11:13    2816328    ----a-w-    c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MasterWriter 2.0\\jre\\bin\\java.exe"=
"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
"c:\\Program Files\\Micracom\\Lottery Statistic Anaylser\\LSAv4.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Writer's Blocks 4\\wblocks4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\WUAUCLT.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Giraffic\\Veoh_Giraffic.exe"=
"c:\\Program Files\\Giraffic\\Veoh_GirafficWatchdog.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [05/09/2013 17:55 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [05/09/2013 17:55 177864]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\Administrator.SHARON\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys [12/01/2013 03:40 17904]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [05/09/2013 17:55 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/09/2013 17:55 369584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [12/08/2011 00:38 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/09/2013 17:55 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [05/09/2013 17:55 66336]
R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [21/10/2011 16:23 196176]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [13/10/2011 18:21 249648]
R2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;c:\program files\Cobian Backup 11\cbVSCService11.exe [15/09/2013 19:12 67584]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 Giraffic;Veoh Giraffic Video Accelerator;c:\program files\Giraffic\Veoh_GirafficWatchdog.exe --service --> c:\program files\Giraffic\Veoh_GirafficWatchdog.exe --service [?]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [10/01/2013 16:16 106280]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [27/01/2010 03:09 50704]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [14/08/2013 15:19 39056]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [26/11/2012 15:09 1225312]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [26/11/2012 15:09 659040]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [26/03/2012 04:02 47360]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 rhwa;rhwa;c:\windows\system32\drivers\yykkiru.sys --> c:\windows\system32\drivers\yykkiru.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [13/06/2011 02:32 18432]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 09:30 15544]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-05 18:38    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-12 01:27]
.
2013-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2013-09-20 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-09-05 07:47]
.
2013-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 13:26]
.
2013-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 13:26]
.
2013-09-20 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-507921405-1364589140-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
2013-09-20 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-507921405-1364589140-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
2013-09-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-507921405-1364589140-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
2013-09-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-507921405-1364589140-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 16:13]
.
2013-09-20 c:\windows\Tasks\User_Feed_Synchronization-{B0DDDF40-9315-4328-93A0-9FD22D11F95C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 89.101.160.5 89.101.160.4
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game13.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\SharonC.SHARON\Application Data\Mozilla\Firefox\Profiles\6044tzwz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - ExtSQL: 2013-09-05 17:53; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-ahgggkqo - ahgggkqo.dll
MSConfigStartUp-mnumsg - c:\program files\MyShoppingGenie\mnumsg.exe
MSConfigStartUp-yiaYdRfrCjDkrP - c:\documents and settings\All Users\Application Data\yiaYdRfrCjDkrP.exe
AddRemove-Advanced RAR Password Recovery - c:\program files\ElcomSoft\ARPR\uninstall.exe
AddRemove-Hotspot Shield - c:\program files\Hotspot Shield\uninst.exe
AddRemove-vfd-ob - c:\program files\OpenApp\vfd-ob_uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1 - c:\program files\Free YouTube Downloader\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-20 21:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]
"ImagePath"="c:\program files\Common Files\Microsoft Shared\MSINFO\asp.net"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcxcoms.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Giraffic\Veoh_GirafficWatchdog.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Giraffic\Veoh_Giraffic.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2013-09-20  21:51:30 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-20 20:51
.
Pre-Run: 10,969,452,544 bytes free
Post-Run: 13,217,169,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 32265C8775899C4890757E2591959B32
8F558EB6672622401DA993E1E865C861

I look forward to hearing from you soon, well soon-ish. lol.

Thanks,

Sharon.


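Added example (not from the thread, from ComboFix or from any poster): a short Python triage of service/driver lines in the format of the ComboFix log above. It parses each `R`/`S` line, flags boot-start (start type 0) entries for which ComboFix printed `--> <path> [?]` instead of a date and size, and flags short random-looking service names whose file name does not match. The sample lines are copied from the log; the name heuristic and its thresholds are my assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample: service/driver lines copied from the ComboFix log quoted
# above, in ComboFix's "<state><start> name;display;image [file info]" format.
SAMPLE_LOG = """\
R2 npf;NetGroup Packet Filter Driver;c:\\windows\\system32\\drivers\\npf.sys [27/01/2010 03:09 50704]
R2 Giraffic;Veoh Giraffic Video Accelerator;c:\\program files\\Giraffic\\Veoh_GirafficWatchdog.exe --service --> c:\\program files\\Giraffic\\Veoh_GirafficWatchdog.exe --service [?]
S0 Lbd;Lbd;c:\\windows\\system32\\DRIVERS\\Lbd.sys --> c:\\windows\\system32\\DRIVERS\\Lbd.sys [?]
S0 rhwa;rhwa;c:\\windows\\system32\\drivers\\yykkiru.sys --> c:\\windows\\system32\\drivers\\yykkiru.sys [?]
S3 PSI;PSI;c:\\windows\\system32\\drivers\\psi_mf.sys [01/09/2010 09:30 15544]
"""

@dataclass
class ServiceEntry:
    state: str       # R = running, S = stopped
    start: int       # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    image: str       # image path (plus any arguments ComboFix printed)
    file_seen: bool  # False when the line ends "--> <path> [?]" (no file info)

LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
RANDOM_NAME = re.compile(r"^[a-z]{4,8}$")  # assumed heuristic: short, lower-case letters only

def parse_services(text):
    """Parse ComboFix service/driver lines; lines in other formats are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        if rest.endswith("[?]"):
            image, file_seen = rest.split(" --> ", 1)[0], False
        else:
            image, file_seen = rest.rsplit(" [", 1)[0], True
        entries.append(ServiceEntry(state, int(start), name, display, image, file_seen))
    return entries

def triage(entries):
    """Return (service name, reasons) for entries worth a closer look; a triage
    aid, not a verdict, since leftovers of legitimate software also lack files."""
    findings = []
    for e in entries:
        reasons = []
        if e.start == 0 and not e.file_seen:
            reasons.append("boot-start driver whose file ComboFix could not find")
        m = re.search(r"([^\\]+)\.(sys|exe)", e.image, re.I)
        stem = m.group(1) if m else ""
        if RANDOM_NAME.match(e.name) and RANDOM_NAME.match(stem) and stem != e.name:
            reasons.append("random-looking service name and file name that differ")
        if reasons:
            findings.append((e.name, reasons))
    return findings
```

On the sample above, `triage(parse_services(SAMPLE_LOG))` reports `Lbd` (missing file only) and `rhwa` (missing file plus mismatched random-looking names); the other three entries are not flagged.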

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:01 AM

Posted 21 September 2013 - 09:00 AM

I'm not sure if I did the right thing earlier. At the point when Combofix was attempting to download and install the Microsoft Windows recovery console, it asked me if my computer was running Windows XP Home Edition, and because my system IS currently running the Windows XP Home Edition I said Yes. But my system SHOULD be running WINDOWS XP PROFESSIONAL SP3.

If all is running well with this computer I do not wish to suggest anything about changing anything that could render your computer useless.
To me this is not a matter of malware and I do feel confident to suggest anything. My motto is: if it's not broken, do not fix it.

Also, I have a program that runs on DOS. It's called Smart Luck. This has been messed up by Combofix. It's just a lottery program and I have a copy of it on a USB stick so I can delete this version and reinstall from the USB stick. The problem I'm having with this program is that when I run it I am given an error message and here is that message word for word:

C:\SMARTL~1\gh\gail.exe
SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate application.

The folder or file where Smart Luck is located was not targeted by ComboFix or the AdwCleaner as far as I can see.

I found this article that refers to "Virtual Device Driver format in the registry is invalid":
http://support.microsoft.com/kb/254914
It's for a Windows 2000 computer. I found topics that say that it's good for 2000 and XP.

Let me check the registry before re-installing.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:

    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\VDD /sub
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===


#6 besscella

besscella
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:01 AM

Posted 21 September 2013 - 05:06 PM

Hi Nasdaq,

I'm not sure what exactly you were asking me to do. So I just copied and pasted the emboldened words below into the text area of the System Look program and then I clicked Look to run the program.

:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\VDD /sub

I know you said that I am supposed to copy the content of this line into the main text field. But to be honest with you I have no idea what that means or even how I would go about finding the content of that line. So I'm hoping I did the right thing. If not, please let me know where I went wrong and what it was that I was supposed to do.

In any case, here's the log from System Look.txt:

SystemLook 30.07.11 by jpshortstuff
Log created at 22:53 on 21/09/2013 by SharonC
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\VDD]
(Unable to open key - key not found)

-= EOF =-

With regards to my Smart Luck program, I don't think that uninstalling and reinstalling it will solve the virtual device driver errors. I only expect that it will get rid of all the weird symbols and numbers and letters that shouldn't be there. Smart Luck used to run just fine when I clicked on 'Ignore'; this was before I ran Combofix. After running Combofix, there are all kinds of weird symbols all over the charts.

Also, on a different note, I forgot to mention in my previous post that when I click on My Documents, my computer opens up a folder that appears to be a different My Documents folder to the one I used to have access to before my computer stopped running Windows XP Professional. The current My Documents folder is practically empty apart from two or three folders. All of my Word documents are held in a different folder called My Documents. How do I fix this? It would be nice to be able to access the full My Documents folder when I click on My Documents in the Start Menu.

Also, how do I get my system to run Windows XP Professional again?

Thanks,

Sharon.


Edited by besscella, 21 September 2013 - 08:10 PM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:01 AM

Posted 22 September 2013 - 08:45 AM

When Combofix starts it normally creates a Restore point.

See if you can restore this point in time that ComboFix created.

Keep me posted.

#8 besscella

besscella
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:01 AM

Posted 22 September 2013 - 10:55 AM

Hi Nasdaq,

I chose September 21 2013 as my restore point and put the program through its paces. The end result was that it restored successfully to this date.

Thanks,

Sharon.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:01 AM

Posted 22 September 2013 - 12:58 PM

Any issues with this restore?

Is everything back to normal?

#10 besscella

besscella
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:01 AM

Posted 22 September 2013 - 02:46 PM

There were no issues with the restore; it went smoothly.

However everything is NOT back to normal. My computer is STILL running Windows XP Home edition in spite of the fact that when I check my System Information, it names my OS as being Windows XP Professional SP3.

The My Documents shortcut in the Start Menu still points to the wrong folder and it's a real pain in the a**.

Apart from that, I haven't noticed anything to report. But then I don't really know what else I should be looking out for! My knowledge of computers is quite limited.

So if you have any suggestions of things I need to check out to be sure my system is running properly (apart from the Windows XP Professional issue), then feel free to suggest and I'll follow your instructions.

Cheers,

Sharon.

PS. I am hoping that at some point in this process that you will be helping me to restore my system to running Windows XP Professional after you've helped me take care of all the malware etc. Will you be helping me to do this? I'd appreciate it if you'd let me know where you stand on this please. Thanks


Edited by besscella, 22 September 2013 - 02:54 PM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:01 AM

Posted 23 September 2013 - 07:29 AM

The My Documents shortcut in the Start Menu still points to the wrong folder and it's a real pain in the a**.


I do not have an XP computer to test this.
However, in my Windows 7, if I right-click My Documents and look at the properties I can change the location or use the default.
If you have that option, change it and hit the Apply button if needed.
===

So if you have any suggestions of things I need to check out to be sure my system is running properly (apart from the Windows XP Professional issue), then feel free to suggest and I'll follow your instructions.


This and the previous Document problems may be better answered in the Windows XP forum
http://www.bleepingcomputer.com/forums/forum56.html

Start a new topic and someone with experience with this Operating system may be able to give you better advice.

I do not wish to suggest something that might just damage further your situation.

#12 besscella

besscella
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:01 AM

Posted 23 September 2013 - 08:34 AM

Hi Nasdaq,

I was thinking I might have to start a new topic for the Windows XP Professional issue. That's fine, thanks for that.

Also, do you think that the malware caused any damage to my computer and do you think that the malware is all gone now?

In other words, if I attempt to get Windows XP Professional running on my computer, do you think that might do more harm than good?

Thanks,

Sharon.



#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:01 AM

Posted 23 September 2013 - 10:08 AM

Also, do you think that the malware caused any damage to my computer and do you think that the malware is all gone now?


Not sure. I will keep this topic open. If you have strange issues other than the XP.... then let me know.
===

In other words if I attempt to get Windows XP Professional running on my computer, do you think that might do more harm than good?

Difficult to say. When all is well I usually leave it alone.

Check with the XP experts.

#14 besscella

besscella
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:01 AM

Posted 23 September 2013 - 11:00 AM

Hi Nasdaq,

Thanks for getting back to me. I'll keep an eye out for anything unusual. Thanks for keeping this post open. I'll let you know if I come across anything odd.

I'll check with the experts regarding my Windows XP Professional issue and see what they have to say.

Thanks for all your help so far. I really appreciate it.

Cheers,

Sharon. :clapping:



#15 besscella

besscella
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:01 AM

Posted 25 September 2013 - 01:02 PM

Hi Nasdaq,

I just wanted to ask you something about Combofix.exe and restore points.

Earlier today I did a system restore to a point just before I'd run combofix.exe (i.e. 19th September) to see if I could run my Smart Luck Lottery program, and as it turns out my Lottery program ran just fine.

I undid that restore and re-restored my system to the 24th September just to be on the safe side. And this is my point.

So my question to you is: if I restore my system to a point before Combofix.exe ran, am I then undoing all the good that Combofix.exe has carried out?

Kind Regards,

Sharon.





