Combofix Log Assistance Please?
macman
Posts: 53,129 Forumite
in Techie Stuff
I started cleaning this PC before Christmas but my friend only just got back to me with the Combofix log results. Had previously run MBAM and cleaned 4 infections OK, and was then advised by alienRIK to run Combofix also.
Would be grateful if someone could take a look at the log and advise if anything else now remains. Thanks.
Combofix removed a program called 'RegGenie'.
ComboFix 10-02-05.04 - Philip Hamberger 06/02/2010 10:31:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.479 [GMT 0:00]
Running from: c:\documents and settings\Philip Hamberger\My Documents\Downloads\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\RegGenie
c:\program files\RegGenie\RegGenie.ini
c:\program files\RegGenie\unins000.exe
c:\windows\system32\tmp.reg
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_FAD
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.
2010-02-03 13:46 . 2010-02-03 13:46 d-----w- c:\documents and settings\Philip Hamberger\Application Data\Amazon
2010-02-03 13:44 . 2010-02-03 13:44 d-----w- c:\program files\Amazon
2010-01-12 22:50 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 10:45 . 2008-02-22 18:50 d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-02-06 10:40 . 2005-04-24 08:42 d-----w- c:\program files\Common Files\Symantec Shared
2010-02-03 17:38 . 2009-02-07 13:06 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-03 11:28 . 2009-02-07 13:12 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-03 11:28 . 2009-02-07 13:12 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-30 12:00 . 2008-12-15 12:00 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-30 07:47 . 2008-08-17 08:41 d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-23 12:53 . 2008-12-14 14:30 d-----w- c:\program files\Dl_cats
2010-01-21 17:35 . 2005-08-15 18:59 d-----w- c:\documents and settings\All Users\Application Data\Aventail
2010-01-21 17:14 . 2008-03-30 14:19 d-----w- c:\program files\Microsoft Silverlight
2010-01-16 09:45 . 2009-12-28 11:30 d-----w- c:\documents and settings\Philip Hamberger\Application Data\GARMIN
2010-01-07 20:07 . 2005-07-01 15:53 77096 ----a-w- c:\documents and settings\Sandy Hamberger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 16:17 . 2005-04-30 14:57 77096 ----a-w- c:\documents and settings\Philip Hamberger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 10:00 . 2004-08-04 04:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-07-17 20:03 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 04:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-03 11:54 . 2005-04-30 15:16 d-----w- c:\program files\Ubisoft
2009-12-28 13:16 . 2009-12-28 11:29 d-----w- c:\program files\Garmin
2009-12-28 13:16 . 2009-12-28 13:16 d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2009-12-28 12:54 . 2009-12-28 11:35 d-----w- c:\documents and settings\Philip Hamberger\Application Data\Download Manager
2009-12-28 11:29 . 2009-12-28 11:29 d-----w- c:\program files\Garmin GPS Plugin
2009-12-28 11:29 . 2009-12-28 11:29 d-----w- c:\program files\DIFX
2009-12-15 18:16 . 2008-03-02 09:33 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-14 17:54 . 2008-02-22 18:50 d-----w- c:\program files\Kontiki
2009-12-14 17:52 . 2008-12-06 15:55 d-----w- c:\program files\DYMO Label
2009-12-13 14:50 . 2009-12-13 14:50 25214 ----a-r- c:\documents and settings\Philip Hamberger\Application Data\Microsoft\Installer\{D6D532B2-22E1-43AA-B4B7-34D772314859}\ARPPRODUCTICON.exe
2009-12-13 14:50 . 2008-03-12 20:51 d-----w- c:\program files\Oxigen
2009-12-13 11:23 . 2009-12-13 11:23 60632 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-03 16:14 . 2009-12-04 13:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2009-12-04 13:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-22 10:42 . 2009-11-22 10:42 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2004-08-04 04:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 15:46 . 2008-08-29 10:25 38208 ----a-w- c:\documents and settings\Philip Hamberger\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-20 15:04 . 2009-07-20 15:03 1564248 ----a-w- c:\program files\bbc_iplayer_desktop_v1211066.air
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2006-05-15 101136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-01-25 1032376]
"West Ham United - Desktop News Alerts"="c:\program files\West Ham United - DNA\launch.exe" [2007-11-06 339968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-16 198160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-10 21:17 10792 ----a-w- c:\program files\Citrix\GoToAssist\482\g2awinlogon.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [18/02/2008 19:37 149352]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\SYSTEM32\ngvpnmgr.exe [20/09/2007 10:05 194627]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/08/2009 07:59 102448]
R3 NgLog;Aventail VPN Logging;c:\windows\SYSTEM32\DRIVERS\nglog.sys [20/09/2007 10:03 17920]
R3 NgVpn;Aventail VPN Adapter;c:\windows\SYSTEM32\DRIVERS\NgVpn.sys [20/09/2007 10:04 70144]
S2 gupdate1c9cb17c3eb5afc;Google Update Service (gupdate1c9cb17c3eb5afc);c:\program files\Google\Update\GoogleUpdate.exe [02/05/2009 11:18 133104]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [13/01/2008 02:32 23888]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\SYSTEM32\DRIVERS\k600bus.sys [11/05/2005 12:12 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\SYSTEM32\DRIVERS\k600mdfl.sys [11/05/2005 12:12 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\SYSTEM32\DRIVERS\k600mdm.sys [11/05/2005 12:12 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\SYSTEM32\DRIVERS\k600mgmt.sys [11/05/2005 12:12 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\SYSTEM32\DRIVERS\k600obex.sys [11/05/2005 12:12 77072]
S3 NgFilter;Aventail VPN Filter;c:\windows\SYSTEM32\DRIVERS\ngfilter.sys [20/09/2007 10:04 15360]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 15:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2010-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 11:34]
2010-02-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2010-01-31 c:\windows\Tasks\Free Registry Fix.job
- c:\program files\Promosoft Corporation\Free Registry Fix\regfix.exe [2008-06-12 06:46]
2010-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 11:18]
2010-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 11:18]
2010-02-06 c:\windows\Tasks\User_Feed_Synchronization-{A389E26F-A090-4C09-B5B6-35AFD3AFDC87}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:36]
.
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Philip Hamberger\Application Data\Mozilla\Firefox\Profiles\vuvkxvac.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.msn.com/
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
AddRemove-_{707EB912-C597-49D8-9460-46CC9AB03EBE} - c:\program files\Corel\Corel Painter Photo Essentials 4\MSILauncher {707EB912-C597-49D8-9460-46CC9AB03EBE}
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 10:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-759109387-63027088-3777999919-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(960)
c:\program files\Citrix\GoToAssist\482\G2AWinLogon.dll
- - - - - - - > 'explorer.exe'(2840)
c:\windows\system32\WININET.dll
c:\progra~1\VCOM\Fix-It\WinHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\Windows Desktop Search\wds_slps.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\VCOM\Fix-It\mxtask.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\VCOM\Fix-It\mxtask.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\West Ham United - DNA\app.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\Oxigen.SCR
c:\program files\Windows Desktop Search\wds_sl.exe
.
**************************************************************************
.
Completion time: 2010-02-06 10:48:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 10:48
Pre-Run: 48,993,406,976 bytes free
Post-Run: 49,010,475,008 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 65203B88DCDF3FEBDDAFFCE0E48CB78A
No free lunch, and no free laptop 
Comments
Shameless bump....
No free lunch, and no free laptop
Looks fine to me mate
Looks fine to me mate
Cheers RIK, just done another full MBAM scan and that's clean too.
Any idea what the RegGenie program was?
Do I need to do a further HJT scan now (or anything else)?
I notice that he's still got Limewire on there; I warned him that that is probably where the problem originated.
No free lunch, and no free laptop
Hi mac
RegGenie is supposed to be a registry cleaner but is unsafe according to WOT...
http://www.mywot.com/en/scorecard/reggenie.com