Gloria's daughter, Sonja, got some viruses on her machine. I had to run Killbits before Malwarebytes would run.
Killbits Log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 15/05/2011 at 13:39:55.
Operating System: Microsoft Windows XP
Processes terminated by Rkill or while it was running:
C:\Documents and Settings\Sonja Casimel\Local Settings\Application Data\rdh.exe
D:\XPSOFT~1\UTILIT~1\Norton\SPEEDD~1\nopdb.exe
C:\Documents and Settings\Sonja Casimel\Local Settings\Application Data\rdh.exe
C:\Documents and Settings\Sonja Casimel\Local Settings\Application Data\rdh.exe
C:\Documents and Settings\Sonja Casimel\Local Settings\Application Data\rdh.exe
C:\Documents and Settings\Sonja Casimel\Local Settings\Application Data\rdh.exe
C:\Documents and Settings\Sonja Casimel\Local Settings\Application Data\rdh.exe
Rkill completed on 15/05/2011 at 13:40:01.
After that I was able to run Malwarebytes.
Malwarebytes Log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6585
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
15/05/2011 2:47:05 PM
mbam-log-2011-05-15 (14-47-05).txt
Scan type: Full scan (C:\|)
Objects scanned: 220033
Time elapsed: 58 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Sonja Casimel\Local Settings\Application Data\rdh.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\sonja casimel\local settings\application data\rdh.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{249021e4-16e6-45d3-ad1e-cf9a6e5dee4e}\RP139\A0057195.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{249021e4-16e6-45d3-ad1e-cf9a6e5dee4e}\RP162\A0062236.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
Then I ran ComboFix.
ComboFix Log:
ComboFix 11-05-15.03 - Sonja Casimel 15/05/2011 15:09:14.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2578 [GMT -4:00]
Running from: c:\combofix\ComboFix.exe
AV: F-Secure Anti-Virus Client Security 6.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Anti-Virus Client Security 6.01 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\shs_setup_4059-354328.exe
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\Sonja Casimel\WINDOWS
c:\windows\TEMP\IadHide5.dll
G:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2011-05-13 02:14 . 2011-05-14 00:26 -------- d--h--w- c:\windows\msdownld.tmp
2011-05-13 02:12 . 2011-05-14 00:23 -------- d-----w- c:\program files\War Inc Battlezone
2011-05-07 22:46 . 2011-05-07 22:46 -------- d-----w- c:\documents and settings\Sonja Casimel\Local Settings\Application Data\Babylon
2011-05-07 22:46 . 2011-05-07 22:46 -------- d-----w- c:\documents and settings\Sonja Casimel\Application Data\Babylon
2011-05-07 22:46 . 2011-05-07 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2011-05-07 22:44 . 2011-05-07 22:44 -------- d-----w- c:\documents and settings\Sonja Casimel\Local Settings\Application Data\Media Get LLC
2011-05-07 22:44 . 2011-05-07 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Media Get LLC
2011-05-07 22:44 . 2011-05-07 22:44 -------- d-----w- c:\documents and settings\Sonja Casimel\Application Data\Media Get LLC
2011-05-07 22:44 . 2011-05-13 19:33 -------- d-----w- c:\documents and settings\Sonja Casimel\Local Settings\Application Data\MediaGet2
2011-05-06 02:07 . 2011-05-06 02:07 -------- d-----w- c:\program files\Common Files\Akamai
2011-05-02 21:11 . 2011-05-14 23:41 -------- d-----w- C:\Minecraftcrack
2011-05-01 23:25 . 2011-05-01 23:25 -------- d-----w- c:\documents and settings\Sonja Casimel\Application Data\.minecraft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-15 19:17 . 2010-09-11 21:45 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2011-05-15 19:17 . 2010-09-11 22:12 17488 ----a-w- c:\windows\gdrv.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 16:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2010-10-18 16:26 3908192 ----a-w- c:\program files\PageRage\tbPage.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-10-14 17:56 194912 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPage.dll" [2010-10-18 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9565115D-C7D6-46D3-BD63-B67B481A4368}"= "c:\program files\PageRage\tbPage.dll" [2010-10-18 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 18:04 97064 ----a-w- d:\xp software\CD Creator\Nero\Nero8\InCD\NBHShx.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"MediaGet2"="c:\documents and settings\Sonja Casimel\Local Settings\Application Data\MediaGet2\mediaget.exe" [2011-05-11 5988072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-15 375000]
"RTHDCPL"="RTHDCPL.EXE" [2010-03-26 19522592]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-05-01 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-05-01 13672040]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-03-25 570664]
"fontnav"="d:\xp software\Writing\Corel\WPO-2000\Font Navigator\FontNav.exe" [1998-08-10 401408]
"F-Secure Manager"="d:\xp software\Utilities\F-Secure\Common\FSM32.EXE" [2005-10-26 122929]
"F-Secure TNB"="d:\xp software\Utilities\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032]
"NokiaInternetModem_AppStart.exe"="d:\nokia modem\NokiaInternetModem_AppStart.exe" [2010-05-06 140288]
"Adobe Reader Speed Launcher"="d:\xp software\Utilities\Adobe\Acrobat 9.1\Reader\Reader_sl.exe" [2009-02-27 35696]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-04-02 191488]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\SBAudigy\Program\CTEaxSpl.EXE" [2001-06-04 28672]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"rfagent"="d:\common software\Downloaded Software\Utilities\Registry First Aid\Files\RF Aid DwnLd\RFA\rfagent.exe" [2005-04-23 329216]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2010-06-03 2736128]
.
c:\documents and settings\Sonja Casimel\Start Menu\Programs\Startup\
GIGABYTE Gamer HUD Lite.lnk - c:\program files\Gigabyte\Gamer HUD Lite\HUD.exe [2010-4-30 1679872]
PowerReg Scheduler.exe [2010-9-20 189952]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
F-Secure Automatic Update.lnk - d:\xp software\Utilities\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2010-9-12 32807]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iM StartCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\iM StartCenter.lnk
backup=c:\windows\pss\iM StartCenter.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Sonja Casimel^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\Sonja Casimel\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2008-02-28 18:03 1083176 ----a-w- d:\xp software\CD Creator\Nero\Nero8\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-02-26 18:08 2289664 ------w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2008-02-28 18:04 2049320 ----a-w- d:\xp software\CD Creator\Nero\Nero8\InCD\NBHGui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-09-11 21:53 39408 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taskbar]
2001-07-26 05:00 118784 ----a-w- c:\program files\Creative\SBAudigy\Taskbar\CTLTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskTray]
2001-06-29 05:00 163840 ----a-w- c:\program files\Creative\SBAudigy\Taskbar\CTLTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\XP Software\\Utilities\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [9/12/2010 4:32 PM 70896]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [9/11/2010 3:34 PM 19496]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;d:\xpsoft~1\UTILIT~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [9/12/2010 4:32 PM 32807]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/15/2009 2:06 PM 223464]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [9/11/2010 3:31 PM 68136]
R2 F-Secure Filter;F-Secure File System Filter;d:\xp software\Utilities\F-Secure\Anti-Virus\win2k\FSfilter.sys [9/12/2010 5:31 PM 48816]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;d:\xp software\Utilities\F-Secure\Anti-Virus\win2k\fsgk.sys [9/12/2010 5:31 PM 48256]
R2 F-Secure Recognizer;F-Secure File System Recognizer;d:\xp software\Utilities\F-Secure\Anti-Virus\win2k\FSrec.sys [9/12/2010 5:31 PM 16720]
R2 NeroRegInCDSrv;Nero Registry InCD Service;d:\xp software\CD Creator\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2/28/2008 1:04 PM 53032]
R2 NProtectService;Norton Unerase Protection;d:\xp software\Utilities\Norton\Norton Utilities\NPROTECT.EXE [9/12/2010 2:40 PM 135168]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [6/3/2010 3:46 PM 139264]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [6/3/2010 3:46 PM 163840]
R3 AODDriver;AODDriver;c:\program files\Gigabyte\ET6\i386\AODDriver.sys [2/23/2009 12:16 AM 7168]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);c:\windows\system32\drivers\e10kx2k.sys [7/13/2001 8:29 AM 1745168]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [9/11/2010 3:34 PM 44032]
R3 nokia_cs1x_dc_enum;Nokia Internet Stick DC Enumerator;c:\windows\system32\drivers\nokia_cs1x_dc_enum.sys [4/22/2010 3:07 PM 81408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2010 5:53 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/11/2010 3:34 PM 1691480]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 etdrv;etdrv;c:\windows\etdrv.sys [9/11/2010 7:47 PM 17488]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2010 5:53 PM 135664]
S3 nokia_cs1x_cdc_acm;Nokia Internet Stick CDC-ACM driver;c:\windows\system32\drivers\nokia_cs1x_cdc_acm.sys [4/22/2010 3:07 PM 85888]
S3 nokia_cs1x_cdc_ecm;nokia_cs1x_cdc_ecm;c:\windows\system32\drivers\nokia_cs1x_cdc_ecm.sys [4/22/2010 3:07 PM 50304]
S3 nokia_cs1x_cpo;Nokia Internet Stick Mass Storage Device;c:\windows\system32\drivers\nokia_cs1x_cpo.sys [4/22/2010 3:07 PM 9856]
S3 QDFSDRV;QDFSDRV;c:\windows\system32\drivers\qdfsdrv.sys [9/12/2010 2:40 PM 13792]
SUnknown GVTDrv;GVTDrv; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 18:06 451872 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-11 21:53]
.
2011-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-11 21:53]
.
2011-05-06 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Common Files\Symantec Shared\NMAIN.EXE [2010-09-12 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=iso
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-NBKeyScan - d:\xp software\CD Creator\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 15:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe
CTStartup = c:\program files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1264)
c:\windows\system32\WININET.dll
c:\docume~1\SONJAC~1\LOCALS~1\Temp\IadHide5.dll
d:\xp software\CD Creator\Nero\Nero8\InCD\NBHShx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
d:\xp software\CD Creator\Nero\Nero8\InCD\NBHStr.dll
c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
d:\common software\Downloaded Software\Utilities\Registry First Aid\Files\RF Aid DwnLd\RFA\AgentH.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CTsvcCDA.EXE
d:\xp software\Utilities\F-Secure\Anti-Virus\fsgk32st.exe
d:\xp software\Utilities\F-Secure\Anti-Virus\FSGK32.EXE
d:\xp software\Utilities\F-Secure\BackWeb\7681197\program\fsbwsys.exe
d:\xp software\Utilities\F-Secure\Common\FSMA32.EXE
d:\xp software\Utilities\F-Secure\Common\FSMB32.EXE
d:\xp software\CD Creator\Nero\Nero8\InCD\InCDsrv.exe
d:\xp software\Utilities\F-Secure\Anti-Virus\fssm32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
d:\xp software\Utilities\F-Secure\Common\FCH32.EXE
d:\xpsoft~1\UTILIT~1\Norton\SPEEDD~1\nopdb.exe
d:\xp software\Utilities\F-Secure\Common\FAMEH32.EXE
d:\xp software\Utilities\F-Secure\Anti-Virus\fsqh.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
d:\xp software\Utilities\F-Secure\Anti-Virus\fsrw.exe
d:\xp software\Utilities\F-Secure\Common\FNRB32.EXE
d:\xp software\Utilities\F-Secure\FWES\Program\fsdfwd.exe
d:\xp software\Utilities\F-Secure\Common\FIH32.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Creative\ShareDLL\MediaDet.Exe
d:\xp software\Utilities\F-Secure\Anti-Virus\fsav32.exe
d:\xp software\Utilities\F-Secure\FSGUI\fsguidll.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
d:\xpsoft~1\UTILIT~1\F-Secure\ANTI-S~1\fsaw.exe
.
**************************************************************************
.
Completion time: 2011-05-15 15:38:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 19:33
.
Pre-Run: 28,049,444,864 bytes free
Post-Run: 28,408,942,592 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 3A0C8BE5D696834399A91ED0B768BB5B
I don't know what she has done to this machine but it is running very slowly, much slower than it originally was. Help appreciated.
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"rfagent"="d:\common software\Downloaded Software\Utilities\Registry First Aid\Files\RF Aid DwnLd\RFA\rfagent.exe" [2005-04-23 329216]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2010-06-03 2736128]
.
c:\documents and settings\Sonja Casimel\Start Menu\Programs\Startup\
GIGABYTE Gamer HUD Lite.lnk - c:\program files\Gigabyte\Gamer HUD Lite\HUD.exe [2010-4-30 1679872]
PowerReg Scheduler.exe [2010-9-20 189952]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
F-Secure Automatic Update.lnk - d:\xp software\Utilities\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2010-9-12 32807]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iM StartCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\iM StartCenter.lnk
backup=c:\windows\pss\iM StartCenter.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Sonja Casimel^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\Sonja Casimel\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2008-02-28 18:03 1083176 ----a-w- d:\xp software\CD Creator\Nero\Nero8\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-02-26 18:08 2289664 ------w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2008-02-28 18:04 2049320 ----a-w- d:\xp software\CD Creator\Nero\Nero8\InCD\NBHGui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-09-11 21:53 39408 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taskbar]
2001-07-26 05:00 118784 ----a-w- c:\program files\Creative\SBAudigy\Taskbar\CTLTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskTray]
2001-06-29 05:00 163840 ----a-w- c:\program files\Creative\SBAudigy\Taskbar\CTLTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\XP Software\\Utilities\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [9/12/2010 4:32 PM 70896]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [9/11/2010 3:34 PM 19496]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;d:\xpsoft~1\UTILIT~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [9/12/2010 4:32 PM 32807]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/15/2009 2:06 PM 223464]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [9/11/2010 3:31 PM 68136]
R2 F-Secure Filter;F-Secure File System Filter;d:\xp software\Utilities\F-Secure\Anti-Virus\win2k\FSfilter.sys [9/12/2010 5:31 PM 48816]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;d:\xp software\Utilities\F-Secure\Anti-Virus\win2k\fsgk.sys [9/12/2010 5:31 PM 48256]
R2 F-Secure Recognizer;F-Secure File System Recognizer;d:\xp software\Utilities\F-Secure\Anti-Virus\win2k\FSrec.sys [9/12/2010 5:31 PM 16720]
R2 NeroRegInCDSrv;Nero Registry InCD Service;d:\xp software\CD Creator\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2/28/2008 1:04 PM 53032]
R2 NProtectService;Norton Unerase Protection;d:\xp software\Utilities\Norton\Norton Utilities\NPROTECT.EXE [9/12/2010 2:40 PM 135168]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [6/3/2010 3:46 PM 139264]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [6/3/2010 3:46 PM 163840]
R3 AODDriver;AODDriver;c:\program files\Gigabyte\ET6\i386\AODDriver.sys [2/23/2009 12:16 AM 7168]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);c:\windows\system32\drivers\e10kx2k.sys [7/13/2001 8:29 AM 1745168]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [9/11/2010 3:34 PM 44032]
R3 nokia_cs1x_dc_enum;Nokia Internet Stick DC Enumerator;c:\windows\system32\drivers\nokia_cs1x_dc_enum.sys [4/22/2010 3:07 PM 81408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2010 5:53 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/11/2010 3:34 PM 1691480]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 etdrv;etdrv;c:\windows\etdrv.sys [9/11/2010 7:47 PM 17488]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2010 5:53 PM 135664]
S3 nokia_cs1x_cdc_acm;Nokia Internet Stick CDC-ACM driver;c:\windows\system32\drivers\nokia_cs1x_cdc_acm.sys [4/22/2010 3:07 PM 85888]
S3 nokia_cs1x_cdc_ecm;nokia_cs1x_cdc_ecm;c:\windows\system32\drivers\nokia_cs1x_cdc_ecm.sys [4/22/2010 3:07 PM 50304]
S3 nokia_cs1x_cpo;Nokia Internet Stick Mass Storage Device;c:\windows\system32\drivers\nokia_cs1x_cpo.sys [4/22/2010 3:07 PM 9856]
S3 QDFSDRV;QDFSDRV;c:\windows\system32\drivers\qdfsdrv.sys [9/12/2010 2:40 PM 13792]
SUnknown GVTDrv;GVTDrv; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 18:06 451872 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-11 21:53]
.
2011-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-11 21:53]
.
2011-05-06 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Common Files\Symantec Shared\NMAIN.EXE [2010-09-12 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=iso
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-NBKeyScan - d:\xp software\CD Creator\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 15:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? ????B???@?$?@?? C?????U?@?????????@?B???A???????A? ?????B???@?????P???$?@?? ??????~?B~??????????@???????????????????B?????,?????????????????????????????B
CTStartup = c:\program files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run????????????x??????s$????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&3?????\???0???0???\???\???????$???5?B~e?B~\???\????????Rb???????B~\???\??????s????\??????s\????&3?A??s?&3???B~???
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1264)
c:\windows\system32\WININET.dll
c:\docume~1\SONJAC~1\LOCALS~1\Temp\IadHide5.dll
d:\xp software\CD Creator\Nero\Nero8\InCD\NBHShx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
d:\xp software\CD Creator\Nero\Nero8\InCD\NBHStr.dll
c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
d:\common software\Downloaded Software\Utilities\Registry First Aid\Files\RF Aid DwnLd\RFA\AgentH.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CTsvcCDA.EXE
d:\xp software\Utilities\F-Secure\Anti-Virus\fsgk32st.exe
d:\xp software\Utilities\F-Secure\Anti-Virus\FSGK32.EXE
d:\xp software\Utilities\F-Secure\BackWeb\7681197\program\fsbwsys.exe
d:\xp software\Utilities\F-Secure\Common\FSMA32.EXE
d:\xp software\Utilities\F-Secure\Common\FSMB32.EXE
d:\xp software\CD Creator\Nero\Nero8\InCD\InCDsrv.exe
d:\xp software\Utilities\F-Secure\Anti-Virus\fssm32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
d:\xp software\Utilities\F-Secure\Common\FCH32.EXE
d:\xpsoft~1\UTILIT~1\Norton\SPEEDD~1\nopdb.exe
d:\xp software\Utilities\F-Secure\Common\FAMEH32.EXE
d:\xp software\Utilities\F-Secure\Anti-Virus\fsqh.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
d:\xp software\Utilities\F-Secure\Anti-Virus\fsrw.exe
d:\xp software\Utilities\F-Secure\Common\FNRB32.EXE
d:\xp software\Utilities\F-Secure\FWES\Program\fsdfwd.exe
d:\xp software\Utilities\F-Secure\Common\FIH32.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Creative\ShareDLL\MediaDet.Exe
d:\xp software\Utilities\F-Secure\Anti-Virus\fsav32.exe
d:\xp software\Utilities\F-Secure\FSGUI\fsguidll.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
d:\xpsoft~1\UTILIT~1\F-Secure\ANTI-S~1\fsaw.exe
.
**************************************************************************
.
Completion time: 2011-05-15 15:38:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 19:33
.
Pre-Run: 28,049,444,864 bytes free
Post-Run: 28,408,942,592 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 3A0C8BE5D696834399A91ED0B768BB5B
I don't know what she has done to this machine but it is running very slowly, much slower than it originally was. Help appreciated.