Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help with Zhelatin and possibly Varicela-1 issues

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby jmw3 » January 1st, 2010, 6:31 am

Hi
Thank you very much for your assistance...and HAPPY NEW YEAR!!
No problem & also to you :)

Let me know if you do not want the Spydoctor results. Is Spy Doctor good software?
Yes... if you have a log I would like to see it. That Application.NmrCmd could be related to the tools we are using to get you clean, but I'd like to see the log to make sure. As for Spy Doctor... to be honest I don't know that much about it as I have never used it. For free programs, personally I don't think Malwarebytes' Anti-Malware can't be beaten, though that is a personal opinion.

Also, my Trend Micro PC Cillin' is expiring in a few days now. Should I renew? Or is it wiser to use AVG, Kaspersky, Norton etc...

I have not yet turned on my Trend Micro Pc Cillin again...out of fear it was infected previously by the worm. Should I uninstall it and reinstall?
Trend is not bad. I used to have it but found it to be a bit of a resource hog. When we finish I can make some recommendations for new security software. If you want to uninstall & reinstall Trend feel free to do so.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000
DDS::
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
Trusted Zone: dellfix.com\pccheckup 

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 17.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
Pictured tutorial if required.

To post in next reply:
SpyDoctor log (if you still have them)
ComboFix log
Kaspersky Scan log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby gridironguru » January 1st, 2010, 4:28 pm

I went to notepad and copy and pasted :
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000
DDS::
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
Trusted Zone: dellfix.com\pccheckup

As you requested...and saved as CFScript.txt

No Icon was created so I went to the Start menu, looked up notepad, opened it up and found CFScript.txt
I created a Shortcut and it was automatically named "Shortcut to CFScript.txt" or something close to that name. I checked and it had the same information I pasted into CFScript.txt.

Then I dropped it into ComboFix as illustrated in your post. It was running, I left the room and when I returned several minutes later I had a response telling me that the information was not named the same and gave me the option to click "OK" and I did.
I'm not sure if the program ended or continued...but the icon for ComboFix is no longer on my desktop.
How can I tell if it was run successfully?
IF not, what should I do next?
gridironguru
Regular Member
 
Posts: 41
Joined: December 20th, 2009, 1:46 am

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby jmw3 » January 1st, 2010, 7:12 pm

Hi

Let's try again.

CFScript
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000
DDS::
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
Trusted Zone: dellfix.com\pccheckup 

Save this as CFScript.txt, & save it to your Desktop. Ensure the CFScript is saved to the desktop. It will not work if you drag a shortcut to the script into ComboFix.

Image

Refering to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you have success then continue with the instructions regarding updating Java & running the Kaspersky Scan.

To post in next reply:
SpyDoctor log (if you still have them)
ComboFix log
Kaspersky Scan log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby gridironguru » January 1st, 2010, 9:14 pm

It seemed to work here is the ComboFix log:
ComboFix 09-12-31.A1 - Evan Pennet 01/01/2010 16:37:50.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.312 [GMT -8:00]
Running from: c:\documents and settings\Evan Pennet\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Evan Pennet\Desktop\CFScript.lnk
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\EVANPE~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Evan Pennet\Local Settings\temp\IadHide5.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2010-01-01 21:25 . 2006-11-10 00:04 73288 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-01 21:24 . 2010-01-01 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-01-01 01:54 . 2010-01-01 01:54 0 ----a-w- c:\documents and settings\Evan Pennet\settings.dat
2009-12-26 11:20 . 2009-12-26 11:20 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-26 10:35 . 2009-12-26 10:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2009-12-26 10:33 . 2009-12-26 10:33 -------- d-----w- c:\documents and settings\Evan Pennet\Local Settings\Application Data\Threat Expert
2009-12-26 10:32 . 2009-12-26 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-26 10:32 . 2009-12-26 10:32 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\PC Tools
2009-12-20 20:57 . 2009-12-20 20:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-20 06:34 . 2009-12-20 06:34 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\Malwarebytes
2009-12-20 06:34 . 2009-12-20 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 06:34 . 2009-12-26 10:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 00:50 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport(2)(2).dll
2009-12-14 01:52 . 2009-12-26 10:35 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2009-12-14 01:47 . 2009-12-26 10:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\BLINGO
2009-12-13 04:41 . 2009-11-10 18:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-13 04:41 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-13 04:41 . 2008-11-26 20:08 131 ----a-w- c:\windows\IDB.zip
2009-12-13 04:41 . 2009-10-28 09:36 1152444 ----a-w- c:\windows\UDB.zip
2009-12-13 04:41 . 2009-11-10 18:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-13 04:41 . 2009-11-10 18:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-13 04:33 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-13 04:32 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-13 04:32 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-13 04:32 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-13 04:32 . 2009-12-26 10:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-13 04:31 . 2010-01-02 00:47 -------- d-----w- c:\program files\Spyware Doctor
2009-12-13 02:31 . 2009-12-13 02:31 -------- d-----w- c:\program files\Enigma Software Group
2009-12-13 01:34 . 2009-12-14 16:27 -------- d-----w- c:\program files\Antivirus Live Platinum
2009-12-13 01:34 . 2009-12-13 01:36 -------- d-----w- C:\avlog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 00:50 . 2007-02-17 22:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-01 23:11 . 2007-01-10 07:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-01 20:53 . 2009-08-04 05:50 -------- d-----w- c:\program files\Draft Guru Version 1
2009-12-26 10:30 . 2007-06-11 07:04 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\Move Networks
2009-12-26 07:50 . 2007-07-22 19:03 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\blingo
2009-12-21 21:14 . 2006-12-29 19:17 -------- d-----w- c:\program files\Trend Micro
2009-12-05 22:04 . 2009-09-21 21:05 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-11-30 17:41 . 2009-11-30 17:41 33558 ----a-w- c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\Firefox_Toolbar_Uninstaller.exe
2009-11-20 07:54 . 2006-12-29 19:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-19 03:32 . 2007-01-10 07:43 -------- d-----w- c:\program files\Picasa2
2009-11-08 07:00 . 2009-10-05 04:19 127325 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\uninstall.exe
2009-11-08 07:00 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-08 07:00 . 2009-11-08 07:00 1408800 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-10-29 07:46 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-08-16 10:18 233472 ----a-w- c:\windows\system32\webcheck(5).dll
2009-10-29 07:46 . 2005-08-16 10:18 1168384 ----a-w- c:\windows\system32\urlmon(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 105984 ----a-w- c:\windows\system32\url(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 102912 ----a-w- c:\windows\system32\occache(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 477696 ----a-w- c:\windows\system32\mshtmled(4).dll
2009-10-29 07:46 . 2006-10-17 19:57 268288 ----a-w- c:\windows\system32\iertutil(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-29 07:46 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol(2).dll
2009-10-29 07:46 . 2005-08-16 10:18 124928 ----a-w- c:\windows\system32\advpack(6).dll
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 21:04 . 2009-07-04 21:05 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley(4).dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls(2)(3).dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap(2)(3).dll
2009-10-05 04:19 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-05 04:19 . 2009-10-05 04:19 1407680 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2001-09-29 02:00 . 2007-01-17 23:34 164864 ----a-w- c:\program files\UNWISE.EXE
2007-01-10 07:55 . 2007-01-10 07:55 156672 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-06-22 01:38 . 2007-06-22 01:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 01:38 . 2007-06-22 01:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 01:38 . 2007-06-22 01:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 01:38 . 2007-06-22 01:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 01:39 . 2007-06-22 01:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 01:39 . 2007-06-22 01:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 01:39 . 2007-06-22 01:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-22 01:39 . 2007-06-22 01:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 01:40 . 2007-06-22 01:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-05 321040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-23 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-10 241152]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-29 24576]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/21/2009 2:05 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/12/2009 8:32 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/12/2009 8:41 PM 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 1:34 PM 1028432]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/12/2009 8:32 PM 359624]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/18/2006 1:50 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/29/2006 12:54 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 3:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/29/2006 12:55 PM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 12:54 PM 280392]
S2 gupdate1ca2f15164a83a2;Google Update Service (gupdate1ca2f15164a83a2);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2009 9:11 AM 133104]
S3 Gcr432;Gcr432;c:\windows\system32\drivers\gcr432.sys [10/4/2001 4:18 PM 53701]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:04]

2010-01-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-10 05:41]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 17:10]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: dellfix.com\pccheckup
FF - ProfilePath - c:\documents and settings\Evan Pennet\Application Data\Mozilla\Firefox\Profiles\txrmgahl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-01 16:51
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1448)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1204)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\docume~1\EVANPE~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-01-01 17:03:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-02 01:03
ComboFix2.txt 2010-01-01 00:17

Pre-Run: 51,742,498,816 bytes free
Post-Run: 51,728,408,576 bytes free

- - End Of File - - 98DFAFDFA117DD9C774C6A31888FE96C

I'll edit to add the other log once I've run the scan
gridironguru
Regular Member
 
Posts: 41
Joined: December 20th, 2009, 1:46 am

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby jmw3 » January 1st, 2010, 9:36 pm

Hi
It seemed to work
Well actually it doesn't appear to have worked. The entriesthat were supposed to be removed by the CFScript are still there.
I also note the CFScript was saved as CFScript.lnk
Command switches used :: c:\documents and settings\Evan Pennet\Desktop\CFScript.lnk
The CFScript must be saved as a .txt file. Can you try it again ensuring it is saved as CFScript.txt. Save the file to your Desktop,then drag & drop it on top of ComboFix.exe.
Post the log when done.
Cheers
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby gridironguru » January 1st, 2010, 10:37 pm

Here is the newest scan...I believe it worked:
.
((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2010-01-01 21:25 . 2006-11-10 00:04 73288 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-01 21:24 . 2010-01-01 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-01-01 01:54 . 2010-01-01 01:54 0 ----a-w- c:\documents and settings\Evan Pennet\settings.dat
2009-12-26 11:20 . 2009-12-26 11:20 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-26 10:35 . 2009-12-26 10:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2009-12-26 10:33 . 2009-12-26 10:33 -------- d-----w- c:\documents and settings\Evan Pennet\Local Settings\Application Data\Threat Expert
2009-12-26 10:32 . 2009-12-26 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-26 10:32 . 2009-12-26 10:32 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\PC Tools
2009-12-20 20:57 . 2009-12-20 20:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-20 06:34 . 2009-12-20 06:34 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\Malwarebytes
2009-12-20 06:34 . 2009-12-20 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 06:34 . 2009-12-26 10:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 00:50 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport(2)(2).dll
2009-12-14 01:52 . 2009-12-26 10:35 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2009-12-14 01:47 . 2009-12-26 10:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\BLINGO
2009-12-13 04:41 . 2009-11-10 18:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-13 04:41 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-13 04:41 . 2008-11-26 20:08 131 ----a-w- c:\windows\IDB.zip
2009-12-13 04:41 . 2009-10-28 09:36 1152444 ----a-w- c:\windows\UDB.zip
2009-12-13 04:41 . 2009-11-10 18:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-13 04:41 . 2009-11-10 18:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-13 04:33 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-13 04:32 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-13 04:32 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-13 04:32 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-13 04:32 . 2009-12-26 10:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-13 04:31 . 2010-01-02 02:14 -------- d-----w- c:\program files\Spyware Doctor
2009-12-13 02:31 . 2009-12-13 02:31 -------- d-----w- c:\program files\Enigma Software Group
2009-12-13 01:34 . 2009-12-14 16:27 -------- d-----w- c:\program files\Antivirus Live Platinum
2009-12-13 01:34 . 2009-12-13 01:36 -------- d-----w- C:\avlog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 02:19 . 2007-02-17 22:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-02 02:11 . 2006-12-29 19:27 -------- d-----w- c:\program files\BAE
2010-01-02 01:36 . 2007-01-17 23:38 -------- d-----w- c:\program files\Common Files\Impact
2010-01-02 01:36 . 2009-08-04 05:50 -------- d-----w- c:\program files\Draft Guru Version 1
2010-01-02 01:35 . 2006-12-29 19:25 -------- d-----w- c:\program files\Common Files\AOL
2010-01-02 01:35 . 2006-12-29 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-02 01:32 . 2007-01-17 23:36 -------- d-----w- c:\program files\PGI
2010-01-02 01:30 . 2006-12-29 19:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-01 23:11 . 2007-01-10 07:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-26 10:30 . 2007-06-11 07:04 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\Move Networks
2009-12-26 07:50 . 2007-07-22 19:03 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\blingo
2009-12-21 21:14 . 2006-12-29 19:17 -------- d-----w- c:\program files\Trend Micro
2009-12-05 22:04 . 2009-09-21 21:05 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-11-30 17:41 . 2009-11-30 17:41 33558 ----a-w- c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\Firefox_Toolbar_Uninstaller.exe
2009-11-20 07:54 . 2006-12-29 19:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-19 03:32 . 2007-01-10 07:43 -------- d-----w- c:\program files\Picasa2
2009-11-08 07:00 . 2009-10-05 04:19 127325 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\uninstall.exe
2009-11-08 07:00 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-08 07:00 . 2009-11-08 07:00 1408800 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-10-29 07:46 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-08-16 10:18 233472 ----a-w- c:\windows\system32\webcheck(5).dll
2009-10-29 07:46 . 2005-08-16 10:18 1168384 ----a-w- c:\windows\system32\urlmon(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 105984 ----a-w- c:\windows\system32\url(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 102912 ----a-w- c:\windows\system32\occache(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 477696 ----a-w- c:\windows\system32\mshtmled(4).dll
2009-10-29 07:46 . 2006-10-17 19:57 268288 ----a-w- c:\windows\system32\iertutil(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-29 07:46 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol(2).dll
2009-10-29 07:46 . 2005-08-16 10:18 124928 ----a-w- c:\windows\system32\advpack(6).dll
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 21:04 . 2009-07-04 21:05 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley(4).dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls(2)(3).dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap(2)(3).dll
2009-10-05 04:19 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-05 04:19 . 2009-10-05 04:19 1407680 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2001-09-29 02:00 . 2007-01-17 23:34 164864 ----a-w- c:\program files\UNWISE.EXE
2007-01-10 07:55 . 2007-01-10 07:55 156672 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-06-22 01:38 . 2007-06-22 01:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 01:38 . 2007-06-22 01:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 01:38 . 2007-06-22 01:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 01:38 . 2007-06-22 01:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 01:39 . 2007-06-22 01:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 01:39 . 2007-06-22 01:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 01:39 . 2007-06-22 01:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-22 01:39 . 2007-06-22 01:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 01:40 . 2007-06-22 01:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-05 321040]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-23 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-10 241152]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-29 24576]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/21/2009 2:05 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/12/2009 8:32 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/12/2009 8:41 PM 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 1:34 PM 1028432]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/12/2009 8:32 PM 359624]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/18/2006 1:50 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/29/2006 12:54 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 3:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/29/2006 12:55 PM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 12:54 PM 280392]
S2 gupdate1ca2f15164a83a2;Google Update Service (gupdate1ca2f15164a83a2);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2009 9:11 AM 133104]
S3 Gcr432;Gcr432;c:\windows\system32\drivers\gcr432.sys [10/4/2001 4:18 PM 53701]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:04]

2010-01-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-10 05:41]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 17:10]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Evan Pennet\Application Data\Mozilla\Firefox\Profiles\txrmgahl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-01 18:18
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1440)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2760)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\real\realplayer\RealPlay.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-01-01 18:30:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-02 02:30
ComboFix2.txt 2010-01-02 01:03
ComboFix3.txt 2010-01-01 00:17

Pre-Run: 52,065,763,328 bytes free
Post-Run: 52,017,770,496 bytes free

- - End Of File - - E1B9DF4ECA92B828BECFA84271AEC477
gridironguru
Regular Member
 
Posts: 41
Joined: December 20th, 2009, 1:46 am

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby jmw3 » January 2nd, 2010, 12:33 am

Hi

I need to see the header of that log. The current ComboFix log can be found at C:\ComboFix.txt. Could post it again ensuring you post the entire log.

Thanks
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby gridironguru » January 2nd, 2010, 1:14 am

ComboFix 09-12-31.A1 - Evan Pennet 01/01/2010 18:05:41.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.566 [GMT -8:00]
Running from: c:\documents and settings\Evan Pennet\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Evan Pennet\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\EVANPE~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Evan Pennet\Local Settings\temp\IadHide5.dll
c:\program files\bae\BAE.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2010-01-01 21:25 . 2006-11-10 00:04 73288 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-01 21:24 . 2010-01-01 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-01-01 01:54 . 2010-01-01 01:54 0 ----a-w- c:\documents and settings\Evan Pennet\settings.dat
2009-12-26 11:20 . 2009-12-26 11:20 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-26 10:35 . 2009-12-26 10:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2009-12-26 10:33 . 2009-12-26 10:33 -------- d-----w- c:\documents and settings\Evan Pennet\Local Settings\Application Data\Threat Expert
2009-12-26 10:32 . 2009-12-26 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-26 10:32 . 2009-12-26 10:32 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\PC Tools
2009-12-20 20:57 . 2009-12-20 20:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-20 06:34 . 2009-12-20 06:34 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\Malwarebytes
2009-12-20 06:34 . 2009-12-20 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 06:34 . 2009-12-26 10:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 00:50 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport(2)(2).dll
2009-12-14 01:52 . 2009-12-26 10:35 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2009-12-14 01:47 . 2009-12-26 10:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\BLINGO
2009-12-13 04:41 . 2009-11-10 18:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-13 04:41 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-13 04:41 . 2008-11-26 20:08 131 ----a-w- c:\windows\IDB.zip
2009-12-13 04:41 . 2009-10-28 09:36 1152444 ----a-w- c:\windows\UDB.zip
2009-12-13 04:41 . 2009-11-10 18:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-13 04:41 . 2009-11-10 18:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-13 04:33 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-13 04:32 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-13 04:32 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-13 04:32 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-13 04:32 . 2009-12-26 10:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-13 04:31 . 2010-01-02 02:14 -------- d-----w- c:\program files\Spyware Doctor
2009-12-13 02:31 . 2009-12-13 02:31 -------- d-----w- c:\program files\Enigma Software Group
2009-12-13 01:34 . 2009-12-14 16:27 -------- d-----w- c:\program files\Antivirus Live Platinum
2009-12-13 01:34 . 2009-12-13 01:36 -------- d-----w- C:\avlog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 02:19 . 2007-02-17 22:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-02 02:11 . 2006-12-29 19:27 -------- d-----w- c:\program files\BAE
2010-01-02 01:36 . 2007-01-17 23:38 -------- d-----w- c:\program files\Common Files\Impact
2010-01-02 01:36 . 2009-08-04 05:50 -------- d-----w- c:\program files\Draft Guru Version 1
2010-01-02 01:35 . 2006-12-29 19:25 -------- d-----w- c:\program files\Common Files\AOL
2010-01-02 01:35 . 2006-12-29 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-02 01:32 . 2007-01-17 23:36 -------- d-----w- c:\program files\PGI
2010-01-02 01:30 . 2006-12-29 19:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-01 23:11 . 2007-01-10 07:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-26 10:30 . 2007-06-11 07:04 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\Move Networks
2009-12-26 07:50 . 2007-07-22 19:03 -------- d-----w- c:\documents and settings\Evan Pennet\Application Data\blingo
2009-12-21 21:14 . 2006-12-29 19:17 -------- d-----w- c:\program files\Trend Micro
2009-12-05 22:04 . 2009-09-21 21:05 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-11-30 17:41 . 2009-11-30 17:41 33558 ----a-w- c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\Firefox_Toolbar_Uninstaller.exe
2009-11-20 07:54 . 2006-12-29 19:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-19 03:32 . 2007-01-10 07:43 -------- d-----w- c:\program files\Picasa2
2009-11-08 07:00 . 2009-10-05 04:19 127325 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\uninstall.exe
2009-11-08 07:00 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-08 07:00 . 2009-11-08 07:00 1408800 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-10-29 07:46 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-08-16 10:18 233472 ----a-w- c:\windows\system32\webcheck(5).dll
2009-10-29 07:46 . 2005-08-16 10:18 1168384 ----a-w- c:\windows\system32\urlmon(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 105984 ----a-w- c:\windows\system32\url(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 102912 ----a-w- c:\windows\system32\occache(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 477696 ----a-w- c:\windows\system32\mshtmled(4).dll
2009-10-29 07:46 . 2006-10-17 19:57 268288 ----a-w- c:\windows\system32\iertutil(2)(3).dll
2009-10-29 07:46 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-29 07:46 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol(2).dll
2009-10-29 07:46 . 2005-08-16 10:18 124928 ----a-w- c:\windows\system32\advpack(6).dll
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 21:04 . 2009-07-04 21:05 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley(4).dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls(2)(3).dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap(2)(3).dll
2009-10-05 04:19 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-05 04:19 . 2009-10-05 04:19 1407680 ----a-w- c:\documents and settings\Evan Pennet\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2001-09-29 02:00 . 2007-01-17 23:34 164864 ----a-w- c:\program files\UNWISE.EXE
2007-01-10 07:55 . 2007-01-10 07:55 156672 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-06-22 01:38 . 2007-06-22 01:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 01:38 . 2007-06-22 01:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 01:38 . 2007-06-22 01:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 01:38 . 2007-06-22 01:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 01:39 . 2007-06-22 01:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 01:39 . 2007-06-22 01:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 01:39 . 2007-06-22 01:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-22 01:39 . 2007-06-22 01:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 01:40 . 2007-06-22 01:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-05 321040]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-23 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-10 241152]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-29 24576]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/21/2009 2:05 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/12/2009 8:32 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/12/2009 8:41 PM 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 1:34 PM 1028432]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/12/2009 8:32 PM 359624]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/18/2006 1:50 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/29/2006 12:54 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 3:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/29/2006 12:55 PM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 12:54 PM 280392]
S2 gupdate1ca2f15164a83a2;Google Update Service (gupdate1ca2f15164a83a2);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2009 9:11 AM 133104]
S3 Gcr432;Gcr432;c:\windows\system32\drivers\gcr432.sys [10/4/2001 4:18 PM 53701]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:04]

2010-01-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-10 05:41]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 17:10]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-06 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Evan Pennet\Application Data\Mozilla\Firefox\Profiles\txrmgahl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-01 18:18
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1440)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2760)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\real\realplayer\RealPlay.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-01-01 18:30:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-02 02:30
ComboFix2.txt 2010-01-02 01:03
ComboFix3.txt 2010-01-01 00:17

Pre-Run: 52,065,763,328 bytes free
Post-Run: 52,017,770,496 bytes free

- - End Of File - - E1B9DF4ECA92B828BECFA84271AEC477


I Downloaded the new Java as requested, and downloaded the Kaspersky Program. There were no infected objects or suspicious objects found.

Here is the Kaspersky Scan text:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, January 2, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, January 02, 2010 11:58:07
Records in database: 3385508
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 79290
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:24:49

No threats found. Scanned area is clean.

Selected area has been scanned.

The Spyware Doctor scan is pretty long. I'll post it as its separate reply because it has too many characters to be added to this reply.
gridironguru
Regular Member
 
Posts: 41
Joined: December 20th, 2009, 1:46 am

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby gridironguru » January 2nd, 2010, 7:48 pm

Okay in addition to the ComboFix scan and the Kaspersky Scan, you also requested the Spyware Doctor scan i did. I was able to save the scan in HTML format and then copied it over to Notepad, then saved as Txt. The site had warned that saving to Txt may result in loss of some information.

Here is the copy I saved as a Text file on Notepad... PC Tools Spyware Doctor. I could not fit the entire series of scan I've done since 12/12/2009 on this note so I showed the Date/Status from when I set up the Spyware Doctor and also the LAST SCAN.

Date Status
12/12/2009 8:42:54 PM:89 Service Started
Spyware Doctor Service Application started
12/12/2009 8:42:54 PM:89 Anti-Malware Engine
Anti-Malware engine configuration loaded successfully.
12/12/2009 8:43:24 PM:761 IntelliGuards status
All IntelliGuards were Enabled
12/12/2009 8:43:31 PM:933 Immunizer Results
ActiveX section has been immunized, Processed 5082 items.

1/2/2010 5:31:09 AM:937 Smart Update
Smart Update has successfully installed new updates.
1/2/2010 5:31:26 AM:578 Anti-Malware Engine
Anti-Malware engine configuration loaded successfully.
1/2/2010 10:29:42 AM:828 IntelliGuards status
All IntelliGuards were Enabled
1/2/2010 10:30:28 AM:312 Immunizer Results
ActiveX section has been immunized, Processed 5091 items.
1/2/2010 10:30:30 AM:406 Scan Started
Scan Type - Full Scan
1/2/2010 10:30:57 AM:921 Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - blingo.com/ blingo.com
1/2/2010 10:30:57 AM:953 Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - ccbill.com/ ccbill.com
1/2/2010 10:30:59 AM:234 Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - quantserve.com/ quantserve.com
1/2/2010 10:30:59 AM:250 Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - revsci.net/ revsci.net
1/2/2010 10:31:00 AM:109 Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - www.blingo.com/ www.blingo.com
1/2/2010 11:37:04 AM:250 Smart Update
Smart Update has determined that Spyware Doctor is up to date
1/2/2010 1:03:23 PM:609 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
1/2/2010 1:03:23 PM:609 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, LastDir
1/2/2010 1:03:23 PM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
1/2/2010 1:03:23 PM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, SnapShot
1/2/2010 1:03:23 PM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters, WinSock_Registry_Version
1/2/2010 1:03:23 PM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters, Current_NameSpace_Catalog
1/2/2010 1:03:23 PM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters, Current_Protocol_Catalog
1/2/2010 1:03:23 PM:640 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5, Num_Catalog_Entries
1/2/2010 1:03:23 PM:640 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5, Serial_Access_Num
1/2/2010 1:03:23 PM:640 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, LibraryPath
1/2/2010 1:03:23 PM:640 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, DisplayString
1/2/2010 1:03:23 PM:640 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, ProviderId
1/2/2010 1:03:23 PM:656 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, SupportedNameSpace
1/2/2010 1:03:23 PM:656 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, Enabled
1/2/2010 1:03:23 PM:656 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, Version
1/2/2010 1:03:23 PM:656 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, StoresServiceClassInfo
1/2/2010 1:03:23 PM:656 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
1/2/2010 1:03:23 PM:671 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, LibraryPath
1/2/2010 1:03:23 PM:671 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, DisplayString
1/2/2010 1:03:23 PM:671 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, ProviderId
1/2/2010 1:03:23 PM:671 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, SupportedNameSpace
1/2/2010 1:03:23 PM:671 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, Enabled
1/2/2010 1:03:23 PM:687 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, Version
1/2/2010 1:03:23 PM:687 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, StoresServiceClassInfo
1/2/2010 1:03:23 PM:687 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
1/2/2010 1:03:23 PM:687 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, LibraryPath
1/2/2010 1:03:23 PM:687 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, DisplayString
1/2/2010 1:03:23 PM:703 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, ProviderId
1/2/2010 1:03:23 PM:703 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, SupportedNameSpace
1/2/2010 1:03:23 PM:703 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, Enabled
1/2/2010 1:03:23 PM:703 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, Version
1/2/2010 1:03:23 PM:703 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, StoresServiceClassInfo
1/2/2010 1:03:23 PM:718 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
1/2/2010 1:03:23 PM:718 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries
1/2/2010 1:03:23 PM:718 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5
1/2/2010 1:03:23 PM:718 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9, Num_Catalog_Entries
1/2/2010 1:03:23 PM:734 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9, Next_Catalog_Entry_ID
1/2/2010 1:03:23 PM:734 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9, Serial_Access_Num
1/2/2010 1:03:23 PM:734 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001, PackedCatalogItem
1/2/2010 1:03:23 PM:734 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
1/2/2010 1:03:23 PM:734 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002, PackedCatalogItem
1/2/2010 1:03:23 PM:750 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
1/2/2010 1:03:23 PM:750 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003, PackedCatalogItem
1/2/2010 1:03:23 PM:750 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
1/2/2010 1:03:23 PM:750 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004, PackedCatalogItem
1/2/2010 1:03:23 PM:750 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
1/2/2010 1:03:23 PM:765 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005, PackedCatalogItem
1/2/2010 1:03:23 PM:765 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
1/2/2010 1:03:23 PM:765 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006, PackedCatalogItem
1/2/2010 1:03:23 PM:765 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
1/2/2010 1:03:24 PM:93 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007, PackedCatalogItem
1/2/2010 1:03:24 PM:109 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
1/2/2010 1:03:24 PM:125 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008, PackedCatalogItem
1/2/2010 1:03:24 PM:125 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
1/2/2010 1:03:24 PM:125 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009, PackedCatalogItem
1/2/2010 1:03:24 PM:125 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
1/2/2010 1:03:24 PM:140 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010, PackedCatalogItem
1/2/2010 1:03:24 PM:140 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
1/2/2010 1:03:24 PM:140 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011, PackedCatalogItem
1/2/2010 1:03:24 PM:140 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
1/2/2010 1:03:24 PM:156 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012, PackedCatalogItem
1/2/2010 1:03:24 PM:156 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
1/2/2010 1:03:24 PM:156 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013, PackedCatalogItem
1/2/2010 1:03:24 PM:156 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
1/2/2010 1:03:24 PM:171 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014, PackedCatalogItem
1/2/2010 1:03:24 PM:171 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
1/2/2010 1:03:24 PM:171 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015, PackedCatalogItem
1/2/2010 1:03:24 PM:171 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
1/2/2010 1:03:24 PM:187 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
1/2/2010 1:03:24 PM:187 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9
1/2/2010 1:03:24 PM:187 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters
1/2/2010 1:03:24 PM:203 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2
1/2/2010 1:03:24 PM:218 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup
1/2/2010 1:03:24 PM:218 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware
1/2/2010 1:03:24 PM:359 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
1/2/2010 1:03:24 PM:359 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
1/2/2010 1:03:24 PM:359 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
1/2/2010 1:03:24 PM:359 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ConfigFlags
1/2/2010 1:03:24 PM:375 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
1/2/2010 1:03:24 PM:375 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
1/2/2010 1:03:24 PM:375 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
1/2/2010 1:03:24 PM:375 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Capabilities
1/2/2010 1:03:24 PM:375 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\LogConf
1/2/2010 1:03:24 PM:390 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control, ActiveService
1/2/2010 1:03:24 PM:390 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control
1/2/2010 1:03:24 PM:390 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
1/2/2010 1:03:24 PM:390 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
1/2/2010 1:03:24 PM:531 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type
1/2/2010 1:03:24 PM:531 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
1/2/2010 1:03:24 PM:531 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start
1/2/2010 1:03:24 PM:531 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
1/2/2010 1:03:24 PM:531 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group
1/2/2010 1:03:24 PM:546 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, 0
1/2/2010 1:03:24 PM:546 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, Count
1/2/2010 1:03:24 PM:546 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, NextInstance
1/2/2010 1:03:24 PM:546 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, INITSTARTFAILED
1/2/2010 1:03:24 PM:546 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
1/2/2010 1:03:24 PM:546 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme
1/2/2010 1:03:29 PM:31 Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-2607446666-649297334-3685780364-1006\Software\Wget
1/2/2010 1:04:09 PM:578 Scan Finished
Scan Type - Full Scan
Items Processed - 406677
Threats Detected - 3
Infections Detected - 104
Infections Ignored - 0
gridironguru
Regular Member
 
Posts: 41
Joined: December 20th, 2009, 1:46 am

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby jmw3 » January 2nd, 2010, 11:06 pm

Hi

The Spyware Doctor log is fine. The items it flagged are part of the tools we have been using. They have been flagged due to the way they work.

Fix.reg
  • Open Notepad by clicking Start>Run, type in Notepad then click OK
  • Copy the contents of the Code Box below to Notepad
    Note: In Notepad, there must be NO blank lines before the word 'REGEDIT4' and there MUST be one blank line at the end of all the lines. To do this, place the cursor at the end of the last line of text and press Return/Enter on the keyboard.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • Save the file to your Desktop
Code: Select all
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000 

Double click on the fix.reg file & when it prompts to Merge click Yes.

Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.2
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed Uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3 instead from Foxit Software
Note: Do not install anything dealing with AskBar... presented as an installation option.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
OTC
Download OTC by Old Timer here & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete the following from your desktop:
DDS.scr
The Gmer.exe file (it will be randomly named .exe file)
RootRepeal
Fix.reg
Any logs that may have been saved to your desktop

You can remove the Kaspersky Online Scanner. This can be done via Add or Remove Programs
You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis
  • Double click HijackThis.exe
  • From the Main menu click Open the Misc Tools section
  • Using the scroll bar, scroll down to Uninstall HijackThis
  • Click Uninstall HijackThis & exit then click Yes at the prompt

Any problems / questions before we wrap this up?
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby gridironguru » January 2nd, 2010, 11:44 pm

Before I delete all those tools...

Spyware doctor was showing a Trojan Worm still on my computer. Is that accurate..or a false positive?
Also, what negative Malware did we purge out of curiosity?

My Trend Micro Expires on Monday. Which Security program do you suggest? Does it make sense to get more than a free Malawarebytes or AVG Anti-Virus program?

Also, Thank you for your help and the patience you've shown me along the way!!
gridironguru
Regular Member
 
Posts: 41
Joined: December 20th, 2009, 1:46 am

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby jmw3 » January 3rd, 2010, 12:21 am

Hi

Could you tell me the exact entry that Spyware Doctor is flagging? Remove all of the tools we have been using as instructed, run another scan & see if the entry is still there.

My Trend Micro Expires on Monday. Which Security program do you suggest?
Bare in mind this is my personal opinion, others may have different views. You should do a little research & find what is best for you. Most of the known Anti-virus products will serve you well.
A couple of good paid products are:
Kaspersky: https://www.kasperskyanz.com.au/kaspers ... t_security
ESET: http://www.eset.com/
Vipre: http://www.sunbeltsoftware.com/home-home-office/vipre/
I used Vipre for a number of years & found it to be excellent.

Of the free programs I would recommend:
1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) Microsoft Security Essentials - Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.

I am currently using Microsoft Security Essentials & find it very good.

Does it make sense to get more than a free Malawarebytes or AVG Anti-Virus program?
General rule is to have only one Anti-virus & one Anti-malware program using real time protection running at once. Having two or more Anti-virus & Anti-malware running at once could cause serious conflicts, system slow down & actually lessen your security. There are few other programs you can run along with your security programs that can increase your protection. I will make som recommendation during my All Clean when we're done.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby gridironguru » January 3rd, 2010, 3:24 pm

Here is the Spyware Doctor log. I'm concerned that perhaps I didn't delete everything properly. The software shows 1 Trojan. Generic with Low threat and a bunch of Application.NirCmd

1/3/2010 8:50:44 AM:328 Scan Started
Scan Type - Full Scan

1/3/2010 10:45:22 AM:578 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

1/3/2010 10:45:22 AM:593 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, LastDir

1/3/2010 10:45:22 AM:609 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

1/3/2010 10:45:22 AM:609 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, SnapShot

1/3/2010 10:45:22 AM:609 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters, WinSock_Registry_Version

1/3/2010 10:45:22 AM:609 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters, Current_NameSpace_Catalog

1/3/2010 10:45:22 AM:609 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters, Current_Protocol_Catalog

1/3/2010 10:45:22 AM:609 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5, Num_Catalog_Entries

1/3/2010 10:45:22 AM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5, Serial_Access_Num

1/3/2010 10:45:22 AM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, LibraryPath

1/3/2010 10:45:22 AM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, DisplayString

1/3/2010 10:45:22 AM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, ProviderId

1/3/2010 10:45:22 AM:625 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, SupportedNameSpace

1/3/2010 10:45:22 AM:640 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, Enabled

1/3/2010 10:45:22 AM:640 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, Version

1/3/2010 10:45:22 AM:640 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001, StoresServiceClassInfo

1/3/2010 10:45:22 AM:781 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001

1/3/2010 10:45:22 AM:796 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, LibraryPath

1/3/2010 10:45:22 AM:796 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, DisplayString

1/3/2010 10:45:22 AM:796 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, ProviderId

1/3/2010 10:45:22 AM:812 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, SupportedNameSpace

1/3/2010 10:45:22 AM:812 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, Enabled

1/3/2010 10:45:22 AM:812 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, Version

1/3/2010 10:45:22 AM:859 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002, StoresServiceClassInfo

1/3/2010 10:45:22 AM:875 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002

1/3/2010 10:45:22 AM:875 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, LibraryPath

1/3/2010 10:45:22 AM:875 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, DisplayString

1/3/2010 10:45:22 AM:890 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, ProviderId

1/3/2010 10:45:22 AM:890 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, SupportedNameSpace

1/3/2010 10:45:22 AM:890 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, Enabled

1/3/2010 10:45:22 AM:906 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, Version

1/3/2010 10:45:22 AM:906 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003, StoresServiceClassInfo

1/3/2010 10:45:22 AM:906 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003

1/3/2010 10:45:22 AM:906 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries

1/3/2010 10:45:22 AM:921 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5

1/3/2010 10:45:22 AM:921 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9, Num_Catalog_Entries

1/3/2010 10:45:22 AM:921 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9, Next_Catalog_Entry_ID

1/3/2010 10:45:22 AM:937 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9, Serial_Access_Num

1/3/2010 10:45:22 AM:937 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001, PackedCatalogItem

1/3/2010 10:45:22 AM:937 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001

1/3/2010 10:45:22 AM:953 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002, PackedCatalogItem

1/3/2010 10:45:22 AM:953 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002

1/3/2010 10:45:22 AM:968 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003, PackedCatalogItem

1/3/2010 10:45:22 AM:968 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003

1/3/2010 10:45:22 AM:968 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004, PackedCatalogItem

1/3/2010 10:45:22 AM:968 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004

1/3/2010 10:45:22 AM:984 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005, PackedCatalogItem

1/3/2010 10:45:22 AM:984 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005

1/3/2010 10:45:23 AM:0 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006, PackedCatalogItem

1/3/2010 10:45:23 AM:0 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006

1/3/2010 10:45:23 AM:0 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007, PackedCatalogItem

1/3/2010 10:45:23 AM:15 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007

1/3/2010 10:45:23 AM:15 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008, PackedCatalogItem

1/3/2010 10:45:23 AM:15 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008

1/3/2010 10:45:23 AM:31 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009, PackedCatalogItem

1/3/2010 10:45:23 AM:31 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009

1/3/2010 10:45:23 AM:31 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010, PackedCatalogItem

1/3/2010 10:45:23 AM:46 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010

1/3/2010 10:45:23 AM:46 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011, PackedCatalogItem

1/3/2010 10:45:23 AM:46 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011

1/3/2010 10:45:23 AM:62 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012, PackedCatalogItem

1/3/2010 10:45:23 AM:62 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012

1/3/2010 10:45:23 AM:62 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013, PackedCatalogItem

1/3/2010 10:45:23 AM:62 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013

1/3/2010 10:45:23 AM:62 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014, PackedCatalogItem

1/3/2010 10:45:23 AM:62 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014

1/3/2010 10:45:23 AM:78 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015, PackedCatalogItem

1/3/2010 10:45:23 AM:78 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015

1/3/2010 10:45:23 AM:93 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

1/3/2010 10:45:23 AM:109 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9

1/3/2010 10:45:23 AM:125 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2\Parameters

1/3/2010 10:45:23 AM:125 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup\winsock2

1/3/2010 10:45:23 AM:140 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware\backup

1/3/2010 10:45:23 AM:156 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

1/3/2010 10:45:23 AM:406 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

1/3/2010 10:45:23 AM:406 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

1/3/2010 10:45:29 AM:265 Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-2607446666-649297334-3685780364-1006\Software\Wget

1/3/2010 10:46:22 AM:359 Scan Finished
Scan Type - Full Scan
Items Processed - 402835
Threats Detected - 2
Infections Detected - 77
Infections Ignored - 0


Perhaps I didn't do this sequence correctly ... , I had trouble finding the HijackThis.exe and also C:\Program Files\Trend Micro\HijackThis . I'm not sure how I did it last night. Can you help me check to make sure I removed it properly and (also check if Combo fix was removed completely, though I am more confident things went smoothly as the steps seemed to go smoothly with it.

C:\Program Files\Trend Micro\HijackThis

Double click HijackThis.exe
From the Main menu click Open the Misc Tools section
Using the scroll bar, scroll down to Uninstall HijackThis
Click Uninstall HijackThis & exit then click Yes at the prompt

I looked in C: and didn't find the C:\Program Files\Trend Micro\HijackThis though...
gridironguru
Regular Member
 
Posts: 41
Joined: December 20th, 2009, 1:46 am

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby jmw3 » January 3rd, 2010, 9:12 pm

Hi

Application.NirCmd & the wget entry are/were parts of the tools we were using. Have a look at the last line of the first Application.NirCmd entry:
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

If you are still concerned, you can go ahead & remove those entries with Spyware Doctor.

I had trouble finding the HijackThis.exe and also C:\Program Files\Trend Micro\HijackThis
Strange... As the Hijackthis log is showing it at that location. Do you have a desktop icon for HijackThis? Open HijackThis using that & follow the instructions to uninstall. Failing that, have a look in your Add or Remove Programs via the Control Panel. If listed there then highlight it & click Remove.

For ComboFix if you followed the instructions correctly you would have received a message that ComboFix uninstalled. When using ComboFix it will create two folders on the main drive - in your case the C drive - called ComboFix & Qoobox. They should have been removed when you uninstalled ComboFix. If not then you can safely delete them now.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Help with Zhelatin and possibly Varicela-1 issues

Unread postby gridironguru » January 3rd, 2010, 11:30 pm

Combo Fix did tell me it was uninstalled...and I do not see it nor Hi Jack This within the Control Panel under Add/Remove Programs nor do I see the folders - ComboFix & Qoobox .

I'm wondering why the residual cmds are left and why a Trojan- Generic of Low risk according to the scan for Spyware Doctor remains.
My computer speed has slowed some it appears but is not crawling...

Speakeasy speedtest shows download speed of 4608 kbps and upload of 888 kbps. I believe it was faster earlier during a previous check the download ws over 5450 kbps and upload around 940's
gridironguru
Regular Member
 
Posts: 41
Joined: December 20th, 2009, 1:46 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 65 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware