smitfraud fix / spyware removal guide

Status
Not open for further replies.

myr707

In Runtime
Messages
201
Location
New York
Hi, I'm going through the guide and it says that SmitFraudFix should be run from safe mode. I tried running it from safe mode but don't get past the disclaimer (nothing happens when I press a key). From regular mode it runs fine (it did find some infections and deleted some things). Is this fine or is something wrong which is stopping it from running? I can post the SmitFraudFix log if it helps... Thanks
 
I ran it in regular mode. Just wanted to know if it needed to run in safe mode or if it's just preferred. Right now Malwarebytes is scanning and it picked up five infections already... Thanks
 
I'm in the middle of going through your guide. SmitFraudFix picked up some issues and now Malwarebytes picked up some more. Isn't it normal for different programs to pick up different issues?
Separate question. If I install AVG when I'm done, should I still keep Windows Defender running?
 
I have Trend Micro AV installed on my computer; should I run AVG or just skip it?
Also, should I post the logs here or in a new thread?
 
Ok, here are the logs...
Just a side question: is there any specific removal software for AVG which I should use, or just uninstall it regularly?

This is the ComboFix log. I'm running XP SP3.

ComboFix 09-02-12.03 - arrealty707 2009-02-14 19:29:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1945 [GMT -5:00]
Running from: g:\removal guide programs\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\FTPx.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\MabryObj.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-13 15:47 . 2009-02-13 15:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 15:47 . 2009-02-13 15:47 <DIR> d-------- c:\documents and settings\arrealty707\Application Data\Malwarebytes
2009-02-13 15:47 . 2009-02-13 15:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 15:47 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-13 15:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-13 15:28 . 2009-02-13 15:28 <DIR> d-------- C:\VundoFix Backups
2009-02-12 21:07 . 2009-02-12 21:07 <DIR> d-------- c:\program files\CCleaner
2009-02-12 21:03 . 2009-02-12 21:03 <DIR> d-------- c:\program files\CleanUp!
2009-02-12 20:59 . 2009-02-12 20:59 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-02-06 11:32 . 2009-02-06 11:32 <DIR> d-------- c:\windows\SYSTEM32\XPSViewer
2009-02-06 11:32 . 2009-02-06 11:32 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-06 11:32 . 2009-02-06 11:32 <DIR> d-------- c:\program files\MSBuild
2009-02-06 11:31 . 2009-02-06 11:31 <DIR> d-------- C:\d6c2eb631f48139c7eb9ef8bf33430
2009-02-06 11:31 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\xpssvcs.dll
2009-02-06 11:31 . 2008-07-06 07:06 1,676,288 --------- c:\windows\SYSTEM32\DLLCACHE\xpssvcs.dll
2009-02-06 11:31 . 2008-07-06 05:50 597,504 --------- c:\windows\SYSTEM32\DLLCACHE\printfilterpipelinesvc.exe
2009-02-06 11:31 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\xpsshhdr.dll
2009-02-06 11:31 . 2008-07-06 07:06 575,488 --------- c:\windows\SYSTEM32\DLLCACHE\xpsshhdr.dll
2009-02-06 11:31 . 2008-07-06 07:06 117,760 --------- c:\windows\SYSTEM32\prntvpt.dll
2009-02-06 11:31 . 2008-07-06 07:06 89,088 --------- c:\windows\SYSTEM32\DLLCACHE\filterpipelineprintproc.dll
2009-01-16 11:42 . 2009-01-16 11:42 <DIR> d-------- c:\program files\Illustrate
2009-01-16 11:42 . 2009-01-16 11:42 <DIR> d-------- c:\documents and settings\arrealty707\Application Data\AccurateRip
2009-01-16 11:42 . 2009-01-16 11:42 5,068,152 --a------ c:\windows\SYSTEM32\SpoonUninstall.exe
2009-01-15 22:17 . 2009-01-15 22:17 <DIR> d-------- c:\program files\Photodex Presenter
2009-01-15 22:17 . 2009-01-15 22:17 <DIR> d-------- c:\documents and settings\arrealty707\Application Data\Netscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 19:37 --------- d-----w c:\program files\Google
2009-02-13 02:21 --------- d-----w c:\program files\Trend Micro
2009-02-13 02:00 --------- d-----w c:\documents and settings\arrealty707\Application Data\DNA
2009-02-13 01:54 --------- d-----w c:\program files\DNA
2009-02-13 00:32 --------- d-----w c:\program files\Simple Remote
2009-02-13 00:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 00:26 --------- d-----w c:\program files\Dell
2009-02-06 16:23 --------- d-----w c:\documents and settings\arrealty707\Application Data\PowerHouse
2009-02-06 16:13 --------- d-----w c:\program files\ArcSoft
2009-02-06 13:57 --------- d-----w c:\documents and settings\arrealty707\Application Data\uTorrent
2009-01-30 19:03 --------- d-----w c:\documents and settings\arrealty707\Application Data\Apple Computer
2008-12-28 17:19 --------- d-----w c:\program files\USB Disk Win98 Driver
2008-12-28 15:57 --------- d-----w c:\program files\Java
2007-03-20 01:07 630,784 -c--a-w c:\documents and settings\arrealty707\GoToAssist_chat2way__317_en.exe
2006-04-06 00:46 557,056 -c--a-w c:\documents and settings\arrealty707\chatlnk.exe
2003-10-08 06:00 557,056 ----a-w c:\documents and settings\arrealty707\GoToAssist_phone__317_en.exe
2008-09-07 04:02 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIEW"="nview.dll" [2003-07-28 c:\windows\SYSTEM32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-22 1398024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-15 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sonic\\RecordNow!\\RecordNow.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\arrealty707\\Desktop\\Music\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 EPPSCSIx;EPPSCSIx;c:\windows\SYSTEM32\DRIVERS\Eppscsi.sys [2004-08-31 47148]
R2 tmpreflt;tmpreflt;c:\windows\SYSTEM32\DRIVERS\tmpreflt.sys [2008-02-18 36368]
R3 JSWSCIMD;jswscimd Service;c:\windows\SYSTEM32\DRIVERS\jswscimd.sys [2008-02-12 57440]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\SYSTEM32\DRIVERS\TM_CFW.sys [2008-02-18 333328]
R3 WSIMD;wsimd Service;c:\windows\SYSTEM32\DRIVERS\wsimd.sys [2008-09-29 57408]
S1 FAMv4;FAMv4;c:\windows\system32\DRIVERS\FAMv4.sys --> c:\windows\system32\DRIVERS\FAMv4.sys [?]
S2 tmevtmgr;tmevtmgr;c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys [2008-10-28 52240]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\DNINDIS5.sys [2003-07-24 17149]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WNDA3100\jswpsapi.exe --> c:\program files\NETGEAR\WNDA3100\jswpsapi.exe [?]
S3 MSSQL$SIMPLEREMOTE;MSSQL$SIMPLEREMOTE;c:\program files\Microsoft SQL Server\MSSQL$SIMPLEREMOTE\Binn\sqlservr.exe -sSIMPLEREMOTE --> c:\program files\Microsoft SQL Server\MSSQL$SIMPLEREMOTE\Binn\sqlservr.exe -sSIMPLEREMOTE [?]
S3 SQLAgent$SIMPLEREMOTE;SQLAgent$SIMPLEREMOTE;c:\program files\Microsoft SQL Server\MSSQL$SIMPLEREMOTE\Binn\sqlagent.EXE -i SIMPLEREMOTE --> c:\program files\Microsoft SQL Server\MSSQL$SIMPLEREMOTE\Binn\sqlagent.EXE -i SIMPLEREMOTE [?]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\Internet Security\TmPfw.exe [2008-10-28 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-10-28 648456]
S3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WNDA31.sys --> c:\windows\system32\DRIVERS\WNDA31.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11a03849-3484-11dc-ae9c-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e254c52a-0d85-11dc-ae90-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2003-11-25 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 19:12]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 19:35:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-587377079-1252688431-2116273909-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\csifcsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\searchindexer.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-14 19:41:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-15 00:41:18

Pre-Run: 38,495,084,544 bytes free
Post-Run: 38,409,310,208 bytes free

187 --- E O F --- 2009-02-11 08:14:38
 
This is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.34
Database version: 1760
Windows 5.1.2600 Service Pack 3

2/14/2009 7:14:57 PM
mbam-log-2009-02-14 (19-14-57).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|G:\|)
Objects scanned: 234428
Time elapsed: 2 hour(s), 34 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
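As an added example (not code from the thread, the guide or Malwarebytes), here is a small Python parser for the log layout posted above: it reads the summary counts and the per-category detection lines, confirms the two agree, and groups detections by threat family so a reviewer can see at a glance whether a scan found adware or something worse. It assumes the Malwarebytes' Anti-Malware 1.34-era format shown in the post; the embedded sample is an excerpt of that log.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes' Anti-Malware log posted in this thread
# (trimmed to the summary block and the one non-empty detail section).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.34
Database version: 1760

Registry Keys Infected: 6
Registry Values Infected: 0
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Registry Keys Infected: 6"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Registry Keys Infected:"
DETAIL_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")  # "<item> (<threat>) -> <action>."

def parse_mbam_log(text):
    """Return (summary counts by category, detections by category)."""
    summary, details, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.match(line):
            summary[m[1]] = int(m[2])
        elif m := SECTION_RE.match(line):
            section = m[1]
            details.setdefault(section, [])
        elif section and (m := DETAIL_RE.match(line)):
            details[section].append({"item": m[1], "threat": m[2], "action": m[3]})
    return summary, details

def count_mismatches(summary, details):
    """Categories whose summary count disagrees with the lines actually listed."""
    return [c for c, n in summary.items() if n != len(details.get(c, []))]

def threat_families(details):
    """Count detections by family prefix, e.g. 'Adware.Minibug' -> 'Adware'."""
    return Counter(d["threat"].split(".")[0] for ds in details.values() for d in ds)
```

A non-empty result from `count_mismatches` means the pasted log was truncated or edited and should be re-posted in full before anyone acts on it.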
 