Ronald Hicks (United States of America) asked:
Vundo trojan, XP Home SP3 access denied, missing BITS file

Working on a machine pretty well crippled by Vundo trojan.  Eradicated most if not all manifestations with various AV programs, including MalwareBytes and HijackThis.  Restored access to Registry OK.  Still cannot get Automatic Updates to work or even install updates by going to MS website, because BITS service is stopped and cannot be started because of missing file.  Attempts to install SP3 from MS-TechNet disk look good up until the end when it just displays an "Access is Denied" window and backs out of the install.  Tried a repair by reinstalling SP2, with same result - Access denied.  Have attempted restore with OEM's install disk (Microcenter), but that doesn't restore the crippled functionality.  Running a SFC now against an XP-Home Upgrade CD and that might help; don't know yet.

Question:  The missing BITS (Background Intelligent Transfer System) file might be key; but what is it and where would I get it if SFC doesn't do the job?

Any other help with this really nasty Trojan would be much appreciated.

Ron Hicks, Arlington VA
ASKER CERTIFIED SOLUTION by rpggamergirl (Australia)

This solution is only available to members of Experts Exchange.
Ronald Hicks (ASKER):
You were "spot on" about "System" having been changed to fystem.  Neither of the DougKnox fixes worked.  I still could not edit the registry with the "copy_of_regedit.exe" in the EmergencyUtils folder.

I'm attaching (if I can figure out how) the CF log file.  It lists a lot of really suspicious file names.

Perhaps of note is that CF reported that Norton 2005 was running, but I don't have Norton or Symantec installed and there was no running process that seemed related to Norton, so I clicked OK.

Running from: c:\documents and settings\Virginia\Desktop\ComboFix.exe
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated)
AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\ebiyujupiliyojo.dll
c:\windows\system32\afesatah.ini
c:\windows\system32\agusivof.ini
c:\windows\system32\ateyanun.ini
c:\windows\system32\azevozab.ini
c:\windows\system32\erilerot.ini
c:\windows\system32\esilufug.ini
c:\windows\system32\ifobehel.ini
c:\windows\system32\ijiwuboy.ini
c:\windows\system32\ilayopaw.ini
c:\windows\system32\ivayoyot.ini
c:\windows\system32\obizasis.ini
c:\windows\system32\okapasaf.ini
c:\windows\system32\onupuyur.ini
c:\windows\system32\ubolafoh.ini
c:\windows\system32\ufidisav.ini
c:\windows\system32\uhapurid.ini
 
.
(((((((((((((((((((((((((   Files Created from 2009-03-09 to 2009-04-09  )))))))))))))))))))))))))))))))
.
 
2009-04-08 22:01 . 2009-04-08 22:01	<DIR>	d--------	C:\EmergencyUtils
2009-04-08 08:44 . 2004-08-04 00:56	116,224	--a--c---	c:\windows\system32\dllcache\xrxwiadr.dll
2009-04-08 08:44 . 2001-08-17 22:37	99,865	--a--c---	c:\windows\system32\dllcache\xlog.exe
2009-04-08 08:44 . 2001-08-17 22:37	27,648	--a--c---	c:\windows\system32\dllcache\xrxftplt.exe
2009-04-08 08:44 . 2001-08-17 22:36	23,040	--a--c---	c:\windows\system32\dllcache\xrxwbtmp.dll
2009-04-08 08:44 . 2004-08-03 22:29	19,455	--a--c---	c:\windows\system32\dllcache\wvchntxx.sys
2009-04-08 08:44 . 2004-08-03 23:10	19,328	--a--c---	c:\windows\system32\dllcache\wstcodec.sys
2009-04-08 08:44 . 2001-08-17 22:36	17,408	--a--c---	c:\windows\system32\dllcache\xrxscnui.dll
2009-04-08 08:44 . 2001-08-17 12:11	16,970	--a--c---	c:\windows\system32\dllcache\xem336n5.sys
2009-04-08 08:44 . 2001-08-17 22:37	4,608	--a--c---	c:\windows\system32\dllcache\xrxflnch.exe
2009-04-08 08:43 . 2001-08-17 13:28	771,581	--a--c---	c:\windows\system32\dllcache\winacisa.sys
2009-04-08 08:43 . 2004-08-04 08:00	156,672	--a--c---	c:\windows\system32\dllcache\winzm.ime
2009-04-08 08:43 . 2004-08-04 08:00	156,672	--a--c---	c:\windows\system32\dllcache\winsp.ime
2009-04-08 08:43 . 2004-08-04 08:00	156,672	--a--c---	c:\windows\system32\dllcache\winpy.ime
2009-04-08 08:43 . 2004-08-03 22:31	154,624	--a--c---	c:\windows\system32\dllcache\wlluc48.sys
2009-04-08 08:43 . 2004-08-04 08:00	79,360	--a--c---	c:\windows\system32\dllcache\winar30.ime
2009-04-08 08:43 . 2004-08-04 08:00	69,120	--a--c---	c:\windows\system32\dllcache\wingb.ime
2009-04-08 08:43 . 2004-08-04 08:00	65,536	--a--c---	c:\windows\system32\dllcache\winime.ime
2009-04-08 08:43 . 2001-08-17 12:12	34,890	--a--c---	c:\windows\system32\dllcache\wlandrv2.sys
2009-04-08 08:43 . 2004-08-03 22:29	12,063	--a--c---	c:\windows\system32\dllcache\wsiintxx.sys
2009-04-08 08:43 . 2004-08-03 23:07	8,832	--a--c---	c:\windows\system32\dllcache\wmiacpi.sys
2009-04-08 08:43 . 2004-08-04 00:56	8,192	--a--c---	c:\windows\system32\dllcache\wshirda.dll
2009-04-08 08:41 . 2001-08-17 13:28	794,654	--a--c---	c:\windows\system32\dllcache\usr1801.sys
2009-04-08 08:40 . 2001-08-17 22:36	216,064	--a--c---	c:\windows\system32\dllcache\um34scan.dll
2009-04-08 08:39 . 2001-08-17 22:36	525,568	--a--c---	c:\windows\system32\dllcache\tridxp.dll
2009-04-08 08:39 . 2001-08-17 14:56	440,576	--a--c---	c:\windows\system32\dllcache\tridkb.dll
2009-04-08 08:39 . 2001-08-17 14:56	315,520	--a--c---	c:\windows\system32\dllcache\trid3d.dll
2009-04-08 08:39 . 2001-08-17 14:02	230,912	--a--c---	c:\windows\system32\dllcache\tosdvd03.sys
2009-04-08 08:39 . 2001-08-17 12:51	222,336	--a--c---	c:\windows\system32\dllcache\trid3dm.sys
2009-04-08 08:39 . 2001-08-17 12:51	166,784	--a--c---	c:\windows\system32\dllcache\tridxpm.sys
2009-04-08 08:39 . 2001-08-17 12:51	159,232	--a--c---	c:\windows\system32\dllcache\tridkbm.sys
2009-04-08 08:39 . 2004-08-04 00:56	82,432	--a--c---	c:\windows\system32\dllcache\tp4mon.exe
2009-04-08 08:39 . 2001-08-17 22:35	42,496	--a--c---	c:\windows\system32\dllcache\tp4res.dll
2009-04-08 08:39 . 2001-08-17 12:12	34,375	--a--c---	c:\windows\system32\dllcache\tpro4.sys
2009-04-08 08:39 . 2001-08-17 22:36	31,744	--a--c---	c:\windows\system32\dllcache\tp4.dll
2009-04-08 08:39 . 2001-08-17 13:48	11,520	--a--c---	c:\windows\system32\dllcache\twotrack.sys
2009-04-08 08:39 . 2001-08-17 13:51	4,992	--a--c---	c:\windows\system32\dllcache\toside.sys
2009-04-08 08:37 . 2001-08-17 12:18	285,760	--a--c---	c:\windows\system32\dllcache\stlnata.sys
2009-04-08 08:36 . 2004-08-04 08:00	143,422	--a--c---	c:\windows\system32\dllcache\softkey.dll
2009-04-08 08:36 . 2001-08-17 22:36	114,688	--a--c---	c:\windows\system32\dllcache\sonypi.dll
2009-04-08 08:36 . 2001-08-17 22:36	106,584	--a--c---	c:\windows\system32\dllcache\spdports.dll
2009-04-08 08:36 . 2001-08-17 22:36	99,328	--a--c---	c:\windows\system32\dllcache\srusd.dll
2009-04-08 08:36 . 2001-08-17 13:51	61,824	--a--c---	c:\windows\system32\dllcache\speed.sys
2009-04-08 08:36 . 2001-08-17 12:11	48,736	--a--c---	c:\windows\system32\dllcache\srwlnd5.sys
2009-04-08 08:36 . 2001-08-17 12:51	37,040	--a--c---	c:\windows\system32\dllcache\sonypi.sys
2009-04-08 08:36 . 2001-08-17 22:36	24,660	--a--c---	c:\windows\system32\dllcache\spxupchk.dll
2009-04-08 08:36 . 2001-08-17 12:51	20,752	--a--c---	c:\windows\system32\dllcache\sonync.sys
2009-04-08 08:36 . 2001-08-17 14:07	19,072	--a--c---	c:\windows\system32\dllcache\sparrow.sys
2009-04-08 08:36 . 2001-08-17 13:53	9,600	--a--c---	c:\windows\system32\dllcache\sonymc.sys
2009-04-08 08:36 . 2001-08-17 13:56	7,552	--a--c---	c:\windows\system32\dllcache\sonypvu1.sys
2009-04-08 08:36 . 2004-08-03 23:00	7,552	--a--c---	c:\windows\system32\dllcache\sonyait.sys
2009-04-08 08:34 . 2001-08-17 14:56	252,032	--a--c---	c:\windows\system32\dllcache\sis300iv.dll
2009-04-08 08:34 . 2001-08-17 22:36	238,592	--a--c---	c:\windows\system32\dllcache\sisgrv.dll
2009-04-08 08:34 . 2001-08-17 14:56	157,696	--a--c---	c:\windows\system32\dllcache\sisv256.dll
2009-04-08 08:34 . 2001-08-17 14:56	150,144	--a--c---	c:\windows\system32\dllcache\sis6306v.dll
2009-04-08 08:34 . 2001-08-17 12:50	104,064	--a--c---	c:\windows\system32\dllcache\sisgrp.sys
2009-04-08 08:34 . 2001-08-17 12:50	101,760	--a--c---	c:\windows\system32\dllcache\sis300ip.sys
2009-04-08 08:34 . 2001-08-17 12:12	94,698	--a--c---	c:\windows\system32\dllcache\sk98xwin.sys
2009-04-08 08:34 . 2001-08-17 12:12	91,294	--a--c---	c:\windows\system32\dllcache\skfpwin.sys
2009-04-08 08:34 . 2001-08-17 12:50	68,608	--a--c---	c:\windows\system32\dllcache\sis6306p.sys
2009-04-08 08:34 . 2004-08-03 22:31	63,547	--a--c---	c:\windows\system32\dllcache\sla30nd5.sys
2009-04-08 08:34 . 2001-08-17 12:50	50,432	--a--c---	c:\windows\system32\dllcache\sisv.sys
2009-04-08 08:34 . 2004-08-03 22:31	32,768	--a--c---	c:\windows\system32\dllcache\sisnic.sys
2009-04-08 08:34 . 2004-08-03 23:10	11,136	--a--c---	c:\windows\system32\dllcache\slip.sys
2009-04-08 08:32 . 2001-08-17 22:36	495,616	--a--c---	c:\windows\system32\dllcache\sblfx.dll
2009-04-08 08:31 . 2001-08-17 22:36	86,097	--a--c---	c:\windows\system32\dllcache\reslog32.dll
2009-04-08 08:31 . 2004-08-03 22:59	79,104	--a--c---	c:\windows\system32\dllcache\rocket.sys
2009-04-08 08:31 . 2001-08-17 12:12	37,563	--a--c---	c:\windows\system32\dllcache\rlnet5.sys
2009-04-08 08:31 . 2001-08-17 12:19	30,720	--a--c---	c:\windows\system32\dllcache\rthwcls.sys
2009-04-08 08:31 . 2001-08-17 22:36	26,624	--a--c---	c:\windows\system32\dllcache\rw450ext.dll
2009-04-08 08:31 . 2004-08-04 08:00	26,112	--a--c---	c:\windows\system32\dllcache\romanime.ime
2009-04-08 08:31 . 2001-08-17 22:36	24,576	--a--c---	c:\windows\system32\dllcache\rw430ext.dll
2009-04-08 08:31 . 2004-08-03 22:31	20,992	--a--c---	c:\windows\system32\dllcache\rtl8139.sys
2009-04-08 08:31 . 2001-08-17 13:51	19,584	--a--c---	c:\windows\system32\dllcache\rasirda.sys
2009-04-08 08:31 . 2001-08-17 12:12	19,017	--a--c---	c:\windows\system32\dllcache\rtl8029.sys
2009-04-08 08:31 . 2001-08-17 22:36	9,216	--a--c---	c:\windows\system32\dllcache\rsmgrstr.dll
2009-04-08 08:31 . 2001-08-17 12:19	3,840	--a--c---	c:\windows\system32\dllcache\rpfun.sys
2009-04-08 08:29 . 2004-08-04 08:00	482,304	--a--c---	c:\windows\system32\dllcache\pintlgnt.ime
2009-04-08 08:28 . 2001-08-17 14:05	351,616	--a--c---	c:\windows\system32\dllcache\ovcodek2.sys
2009-04-08 08:27 . 2001-08-17 12:50	198,144	--a--c---	c:\windows\system32\dllcache\nv3.sys
2009-04-08 08:27 . 2001-08-17 22:36	123,776	--a--c---	c:\windows\system32\dllcache\nv3.dll
2009-04-08 08:27 . 2001-08-17 22:36	116,736	--a--c---	c:\windows\system32\dllcache\ovcodec2.dll
2009-04-08 08:27 . 2004-08-03 23:10	61,056	--a--c---	c:\windows\system32\dllcache\ohci1394.sys
2009-04-08 08:27 . 2001-08-17 12:20	54,528	--a--c---	c:\windows\system32\dllcache\opl3sax.sys
2009-04-08 08:27 . 2001-08-17 13:28	54,186	--a--c---	c:\windows\system32\dllcache\otcsercb.sys
2009-04-08 08:27 . 2001-08-17 12:49	51,552	--a--c---	c:\windows\system32\dllcache\ntgrip.sys
2009-04-08 08:27 . 2001-08-17 14:05	48,000	--a--c---	c:\windows\system32\dllcache\ovcam2.sys
2009-04-08 08:27 . 2001-08-17 12:12	43,689	--a--c---	c:\windows\system32\dllcache\otceth5.sys
2009-04-08 08:27 . 2001-08-17 14:05	31,872	--a--c---	c:\windows\system32\dllcache\ovce.sys
2009-04-08 08:27 . 2001-08-17 14:05	28,032	--a--c---	c:\windows\system32\dllcache\ovcd.sys
2009-04-08 08:27 . 2001-08-17 12:12	27,209	--a--c---	c:\windows\system32\dllcache\otc06x5.sys
2009-04-08 08:27 . 2001-08-17 14:05	25,088	--a--c---	c:\windows\system32\dllcache\ovca.sys
2009-04-08 08:25 . 2004-08-04 08:00	229,439	--a--c---	c:\windows\system32\dllcache\multibox.dll
2009-04-08 08:24 . 2004-08-04 08:00	1,875,968	--a--c---	c:\windows\system32\dllcache\msir3jp.lex
2009-04-08 08:24 . 2004-08-04 08:00	98,304	--a--c---	c:\windows\system32\dllcache\msir3jp.dll
2009-04-08 08:24 . 2004-08-04 00:56	56,832	--a--c---	c:\windows\system32\dllcache\msdvbnp.ax
2009-04-08 08:24 . 2004-08-03 23:10	51,328	--a--c---	c:\windows\system32\dllcache\msdv.sys
2009-04-08 08:24 . 2001-08-17 14:02	35,200	--a--c---	c:\windows\system32\dllcache\msgame.sys
2009-04-08 08:24 . 2004-08-03 23:00	22,016	--a--c---	c:\windows\system32\dllcache\msircomm.sys
2009-04-08 08:24 . 2001-08-17 13:52	17,280	--a--c---	c:\windows\system32\dllcache\mraid35x.sys
2009-04-08 08:24 . 2004-08-03 23:10	15,360	--a--c---	c:\windows\system32\dllcache\mpe.sys
2009-04-08 08:24 . 2001-08-17 13:48	12,416	--a--c---	c:\windows\system32\dllcache\msriffwv.sys
2009-04-08 08:24 . 2001-08-17 13:48	6,016	--a--c---	c:\windows\system32\dllcache\msfsio.sys
2009-04-08 08:24 . 2001-08-17 14:00	2,944	--a--c---	c:\windows\system32\dllcache\msmpu401.sys
2009-04-08 08:23 . 2001-08-17 12:50	320,384	--a--c---	c:\windows\system32\dllcache\mgaum.sys
2009-04-08 08:23 . 2001-08-17 14:56	235,648	--a--c---	c:\windows\system32\dllcache\mgaud.dll
2009-04-08 08:23 . 2001-08-17 12:12	164,586	--a--c---	c:\windows\system32\dllcache\mdgndis5.sys
2009-04-08 08:23 . 2001-08-17 22:36	58,880	--a--c---	c:\windows\system32\dllcache\m3092dc.dll
2009-04-08 08:23 . 2001-08-17 12:19	48,768	--a--c---	c:\windows\system32\dllcache\maestro.sys
2009-04-08 08:23 . 2001-08-17 22:36	47,616	--a--c---	c:\windows\system32\dllcache\memgrp.dll
2009-04-08 08:23 . 2004-08-03 23:00	26,112	--a--c---	c:\windows\system32\dllcache\memstpci.sys
2009-04-08 08:23 . 2001-08-17 13:57	16,128	--a--c---	c:\windows\system32\dllcache\modemcsa.sys
2009-04-08 08:23 . 2001-08-17 13:48	12,160	--a--c---	c:\windows\system32\dllcache\mouhid.sys
2009-04-08 08:23 . 2001-08-17 13:58	8,320	--a--c---	c:\windows\system32\dllcache\memcard.sys
2009-04-08 08:23 . 2001-08-17 13:52	7,424	--a--c---	c:\windows\system32\dllcache\mammoth.sys
2009-04-08 08:23 . 2001-08-17 13:52	6,528	--a--c---	c:\windows\system32\dllcache\miniqic.sys
2009-04-08 08:21 . 2004-08-04 08:00	1,158,818	--a--c---	c:\windows\system32\dllcache\korwbrkr.lex
2009-04-08 08:21 . 2001-08-17 22:36	242,176	--a--c---	c:\windows\system32\dllcache\kdsusd.dll
2009-04-08 08:21 . 2004-08-04 08:00	70,656	--a--c---	c:\windows\system32\dllcache\korwbrkr.dll
2009-04-08 08:21 . 2001-08-17 22:36	45,568	--a--c---	c:\windows\system32\dllcache\kdsui.dll
2009-04-08 08:21 . 2001-08-17 22:36	37,376	--a--c---	c:\windows\system32\dllcache\kousd.dll
2009-04-08 08:21 . 2004-08-03 22:58	14,848	--a--c---	c:\windows\system32\dllcache\kbdhid.sys
2009-04-08 08:21 . 2001-08-17 22:36	8,704	--a--c---	c:\windows\system32\dllcache\kbdjpn.dll
2009-04-08 08:21 . 2001-08-17 22:36	8,192	--a--c---	c:\windows\system32\dllcache\kbdkor.dll
2009-04-08 08:21 . 2001-08-17 14:55	6,144	--a--c---	c:\windows\system32\dllcache\kbd106.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 15:30	---------	d-----w	c:\documents and settings\Virginia\Application Data\MSNInstaller
2009-04-06 14:51	---------	d-----w	c:\documents and settings\Virginia\Application Data\Apple Computer
2009-04-06 14:31	---------	d-----w	c:\program files\Common Files\Adobe
2009-03-24 18:35	---------	d-----w	c:\program files\Common Files\Apple
2009-02-23 19:48	---------	d-----w	c:\program files\Angle Interactive
2006-12-11 17:53	85,954	----a-w	c:\program files\10187EZ.pdf
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-16 67128]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-02-24 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"SoundMan"="SOUNDMAN.EXE" [2005-03-11 c:\windows\SOUNDMAN.EXE]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-16 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-01-24 450560]
Verizon Online Support Center.lnk - c:\program files\Verizon Online\bin\matcli.exe [2005-12-06 204800]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winxd84.sys]
@="Driver"
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\Logitech\\SetPoint\\SetPoint.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
 
R0 dnflbrai;dnflbrai;c:\windows\system32\drivers\dnflbrai.sys [2005-08-30 23424]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-04-06 47640]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S0 2d9bd59f0d6f59893e042e9c8d03c1d4;2d9bd59f0d6f59893e042e9c8d03c1d4;c:\windows\system32\2d9bd59f0d6f59893e042e9c8d03c1d4.sys --> c:\windows\system32\2d9bd59f0d6f59893e042e9c8d03c1d4.sys [?]
S0 winxd84;winxd84;c:\windows\system32\Drivers\Winxd84.sys --> c:\windows\system32\Drivers\Winxd84.sys [?]
S1 31f6b743;31f6b743;c:\windows\system32\drivers\31f6b743.sys --> c:\windows\system32\drivers\31f6b743.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-06 108289]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-31 33176]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder
 
2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2005-05-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
 
2009-04-09 c:\windows\Tasks\wrSpySweeper_LB99127F7A65743E182A02FDE79D003FF.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 21:56]
 
2009-04-09 c:\windows\Tasks\wrSpySweeper_LB99127F7A65743E182A02FDE79D003FF.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 21:56]
 
2009-04-09 c:\windows\Tasks\wrSpySweeper_LB99127F7A65743E182A02FDE79D003FF.job
- C:\ [2009-04-08 22:33]
.
- - - - ORPHANS REMOVED - - - -
 
BHO-{386eee7a-3dd8-4b2c-8a5d-2e32e9da0c9b} - c:\windows\system32\batmete.dll
Notify-dimsntfy - (no file)
 
 
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.acornweb.org/
uSearch Bar = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_search
uInternet Settings,ProxyServer = www.stephen.org/wedding
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: microsoft.com\UPDATE
Trusted Zone: windowsupdate.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Virginia\Application Data\Mozilla\Firefox\Profiles\gxab0rik.default\
FF - prefs.js: network.proxy.ftp - www.stephen.org/wedding
FF - prefs.js: network.proxy.gopher - www.stephen.org/wedding
FF - prefs.js: network.proxy.http - www.stephen.org/wedding
FF - prefs.js: network.proxy.socks - www.stephen.org/wedding
FF - prefs.js: network.proxy.ssl - www.stephen.org/wedding
FF - prefs.js: network.proxy.type - 1
.
 
**************************************************************************
 
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 22:33:53
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\WRLogonNTF.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Verizon Online\bin\mpbtn.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2009-04-08 22:38:22 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-09 02:38:17
 
Pre-Run: 148,155,998,208 bytes free
Post-Run: 148,343,873,536 bytes free
 
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
 
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
300	--- E O F ---	2009-01-19 02:30:50

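As an added illustration (not part of the thread and not ComboFix's own code), the script below reads ComboFix-style log lines like the ones in the post above and pulls out the indicator types a responder would review first: pseudo-random file names dropped straight into c:\windows or system32 (the Vundo-style .dll/.ini names), driver/service entries whose image file is missing ("[?]") or whose name is a bare hex string, proxy settings in IE and Firefox that point somewhere other than the local machine, and orphaned BHO registrations. The sample lines are copied from the log in this post; the vowel/consonant-alternation heuristic, the category names and the function names are my own assumptions, chosen for illustration rather than taken from any tool.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix code)."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
c:\windows\ebiyujupiliyojo.dll
c:\windows\system32\afesatah.ini
c:\windows\system32\ivayoyot.ini
c:\windows\system32\dllcache\xrxwiadr.dll
R0 dnflbrai;dnflbrai;c:\windows\system32\drivers\dnflbrai.sys [2005-08-30 23424]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
S0 2d9bd59f0d6f59893e042e9c8d03c1d4;2d9bd59f0d6f59893e042e9c8d03c1d4;c:\windows\system32\2d9bd59f0d6f59893e042e9c8d03c1d4.sys --> c:\windows\system32\2d9bd59f0d6f59893e042e9c8d03c1d4.sys [?]
S0 winxd84;winxd84;c:\windows\system32\Drivers\Winxd84.sys --> c:\windows\system32\Drivers\Winxd84.sys [?]
S1 31f6b743;31f6b743;c:\windows\system32\drivers\31f6b743.sys --> c:\windows\system32\drivers\31f6b743.sys [?]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]
uInternet Settings,ProxyServer = www.stephen.org/wedding
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
FF - prefs.js: network.proxy.http - www.stephen.org/wedding
FF - prefs.js: network.proxy.type - 1
BHO-{386eee7a-3dd8-4b2c-8a5d-2e32e9da0c9b} - c:\windows\system32\batmete.dll
"""

VOWEL = "[aeiou]"
CONS = "[b-df-hj-np-tv-z]"  # 'y' is treated as a consonant
# Heuristic (assumption): strict vowel/consonant alternation, the shape of the
# names in the "Other Deletions" section above (afesatah, ubolafoh, ...).
ALTERNATING = re.compile(rf"(?:{VOWEL}{CONS})+{VOWEL}?|(?:{CONS}{VOWEL})+{CONS}?")
# Only files sitting directly in c:\windows or c:\windows\system32; dllcache,
# drivers and Program Files are not matched because they hold mostly vendor names.
DROPPED_FILE = re.compile(r"c:\\windows\\(?:system32\\)?([a-z]{8,})\.(?:dll|ini|exe|sys)\b")
SERVICE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.*)$")          # "R0 name;display;path [...]"
HEX_NAME = re.compile(r"[0-9a-f]{8}|[0-9a-f]{32}")
IE_PROXY = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
FF_PROXY = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+) - (.+)$")
BHO = re.compile(r"^BHO-(\{[0-9a-f-]+\}) - (.+)$")
LOCAL_HOSTS = ("127.0.0.1", "localhost", "")


def looks_random(stem: str) -> bool:
    """True for an 8+ letter name that strictly alternates vowels and consonants."""
    return len(stem) >= 8 and ALTERNATING.fullmatch(stem) is not None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group review-worthy lines of a ComboFix-style log by indicator type."""
    findings: Dict[str, List[str]] = {
        "random_name_file": [],
        "service_missing_file": [],
        "service_hex_name": [],
        "proxy_setting": [],
        "orphan_bho": [],
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DROPPED_FILE.search(line)
        if m and looks_random(m.group(1)):
            findings["random_name_file"].append(m.group(0))
        m = SERVICE.match(line)
        if m:
            start_type, name, rest = m.groups()
            if rest.endswith("[?]"):            # ComboFix marks a missing image with [?]
                findings["service_missing_file"].append(f"{start_type} {name}")
            if HEX_NAME.fullmatch(name):
                findings["service_hex_name"].append(f"{start_type} {name}")
        m = IE_PROXY.match(line)
        if m and m.group(1).split(":")[0] not in LOCAL_HOSTS:
            findings["proxy_setting"].append(f"IE ProxyServer={m.group(1)}")
        m = FF_PROXY.match(line)
        if m:
            key, value = m.groups()
            if key == "type" and value == "1":  # 1 = manual proxy configuration
                findings["proxy_setting"].append("Firefox manual proxy enabled (network.proxy.type=1)")
            elif key != "type" and value.split(":")[0] not in LOCAL_HOSTS:
                findings["proxy_setting"].append(f"Firefox network.proxy.{key}={value}")
        m = BHO.match(line)
        if m:
            findings["orphan_bho"].append(f"{m.group(1)} -> {m.group(2)}")
    return findings


def count_findings(findings: Dict[str, List[str]]) -> int:
    return sum(len(v) for v in findings.values())


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, items in result.items():
        print(f"[{category}] {len(items)}")
        for item in items:
            print("   ", item)
    print("total:", count_findings(result))
```

The output is a review list, not a verdict: the "missing image" check, for instance, also catches a leftover F5 VPN adapter entry whose driver was simply uninstalled, and the name heuristic deliberately ignores dllcache so that legitimate driver names such as xrxwiadr.dll are not flagged. The proxy entries are the finding most worth acting on first, since a system-wide proxy in both IE and Firefox pointing at the same outside host means every browser request is being relayed through it until the setting is cleared.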

SOLUTION

This solution is only available to members of Experts Exchange.
OK, did the above.  New log file attached.  Still cannot edit registry, even with Copy_of_regedit.com.
Has the Registry file been made ReadOnly?  How did Vundo accomplish this trick? What now?

I'm thinking that I should wipe the disk and reinstall, but I've wanted to go as far as I could without doing that.  And by wiping, I mean probably removing it and wiping it with my DriveErase appliance.

ComboFix 09-04-04.01 - Virginia 2009-04-09  8:19:40.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.447.158 [GMT -4:00]
Running from: c:\documents and settings\Virginia\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Virginia\Desktop\CFScript.txt
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated)
AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
 * Created a new restore point
 
FILE ::
c:\windows\Tasks\Symantec NetDetect.job
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\system32\drivers\dnflbrai.sys
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Legacy_DNFLBRAI
 
 
(((((((((((((((((((((((((   Files Created from 2009-03-09 to 2009-04-09  )))))))))))))))))))))))))))))))
.
 
2009-04-09 07:35 . 2009-04-09 07:35	<DIR>	d--------	c:\documents and settings\NetworkService\Application Data\Webroot
2009-04-08 22:01 . 2009-04-08 22:01	<DIR>	d--------	C:\EmergencyUtils
2009-04-08 08:44 . 2004-08-04 00:56	116,224	--a--c---	c:\windows\system32\dllcache\xrxwiadr.dll
2009-04-08 08:44 . 2001-08-17 22:37	99,865	--a--c---	c:\windows\system32\dllcache\xlog.exe
2009-04-08 08:44 . 2001-08-17 22:37	27,648	--a--c---	c:\windows\system32\dllcache\xrxftplt.exe
2009-04-08 08:44 . 2001-08-17 22:36	23,040	--a--c---	c:\windows\system32\dllcache\xrxwbtmp.dll
2009-04-08 08:44 . 2004-08-03 22:29	19,455	--a--c---	c:\windows\system32\dllcache\wvchntxx.sys
2009-04-08 08:44 . 2004-08-03 23:10	19,328	--a--c---	c:\windows\system32\dllcache\wstcodec.sys
2009-04-08 08:44 . 2001-08-17 22:36	17,408	--a--c---	c:\windows\system32\dllcache\xrxscnui.dll
2009-04-08 08:44 . 2001-08-17 12:11	16,970	--a--c---	c:\windows\system32\dllcache\xem336n5.sys
2009-04-08 08:44 . 2001-08-17 22:37	4,608	--a--c---	c:\windows\system32\dllcache\xrxflnch.exe
2009-04-08 08:43 . 2001-08-17 13:28	771,581	--a--c---	c:\windows\system32\dllcache\winacisa.sys
2009-04-08 08:43 . 2004-08-04 08:00	156,672	--a--c---	c:\windows\system32\dllcache\winzm.ime
2009-04-08 08:43 . 2004-08-04 08:00	156,672	--a--c---	c:\windows\system32\dllcache\winsp.ime
2009-04-08 08:43 . 2004-08-04 08:00	156,672	--a--c---	c:\windows\system32\dllcache\winpy.ime
2009-04-08 08:43 . 2004-08-03 22:31	154,624	--a--c---	c:\windows\system32\dllcache\wlluc48.sys
2009-04-08 08:43 . 2004-08-04 08:00	79,360	--a--c---	c:\windows\system32\dllcache\winar30.ime
2009-04-08 08:43 . 2004-08-04 08:00	69,120	--a--c---	c:\windows\system32\dllcache\wingb.ime
2009-04-08 08:43 . 2004-08-04 08:00	65,536	--a--c---	c:\windows\system32\dllcache\winime.ime
2009-04-08 08:43 . 2001-08-17 12:12	34,890	--a--c---	c:\windows\system32\dllcache\wlandrv2.sys
2009-04-08 08:43 . 2004-08-03 22:29	12,063	--a--c---	c:\windows\system32\dllcache\wsiintxx.sys
2009-04-08 08:43 . 2004-08-03 23:07	8,832	--a--c---	c:\windows\system32\dllcache\wmiacpi.sys
2009-04-08 08:43 . 2004-08-04 00:56	8,192	--a--c---	c:\windows\system32\dllcache\wshirda.dll
2009-04-08 08:41 . 2001-08-17 13:28	794,654	--a--c---	c:\windows\system32\dllcache\usr1801.sys
2009-04-08 08:40 . 2001-08-17 22:36	216,064	--a--c---	c:\windows\system32\dllcache\um34scan.dll
2009-04-08 08:39 . 2001-08-17 22:36	525,568	--a--c---	c:\windows\system32\dllcache\tridxp.dll
2009-04-08 08:39 . 2001-08-17 14:56	440,576	--a--c---	c:\windows\system32\dllcache\tridkb.dll
2009-04-08 08:39 . 2001-08-17 14:56	315,520	--a--c---	c:\windows\system32\dllcache\trid3d.dll
2009-04-08 08:39 . 2001-08-17 14:02	230,912	--a--c---	c:\windows\system32\dllcache\tosdvd03.sys
2009-04-08 08:39 . 2001-08-17 12:51	222,336	--a--c---	c:\windows\system32\dllcache\trid3dm.sys
2009-04-08 08:39 . 2001-08-17 12:51	166,784	--a--c---	c:\windows\system32\dllcache\tridxpm.sys
2009-04-08 08:39 . 2001-08-17 12:51	159,232	--a--c---	c:\windows\system32\dllcache\tridkbm.sys
2009-04-08 08:39 . 2004-08-04 00:56	82,432	--a--c---	c:\windows\system32\dllcache\tp4mon.exe
2009-04-08 08:39 . 2001-08-17 22:35	42,496	--a--c---	c:\windows\system32\dllcache\tp4res.dll
2009-04-08 08:39 . 2001-08-17 12:12	34,375	--a--c---	c:\windows\system32\dllcache\tpro4.sys
2009-04-08 08:39 . 2001-08-17 22:36	31,744	--a--c---	c:\windows\system32\dllcache\tp4.dll
2009-04-08 08:39 . 2001-08-17 13:48	11,520	--a--c---	c:\windows\system32\dllcache\twotrack.sys
2009-04-08 08:39 . 2001-08-17 13:51	4,992	--a--c---	c:\windows\system32\dllcache\toside.sys
2009-04-08 08:37 . 2001-08-17 12:18	285,760	--a--c---	c:\windows\system32\dllcache\stlnata.sys
2009-04-08 08:36 . 2004-08-04 08:00	143,422	--a--c---	c:\windows\system32\dllcache\softkey.dll
2009-04-08 08:36 . 2001-08-17 22:36	114,688	--a--c---	c:\windows\system32\dllcache\sonypi.dll
2009-04-08 08:36 . 2001-08-17 22:36	106,584	--a--c---	c:\windows\system32\dllcache\spdports.dll
2009-04-08 08:36 . 2001-08-17 22:36	99,328	--a--c---	c:\windows\system32\dllcache\srusd.dll
2009-04-08 08:36 . 2001-08-17 13:51	61,824	--a--c---	c:\windows\system32\dllcache\speed.sys
2009-04-08 08:36 . 2001-08-17 12:11	48,736	--a--c---	c:\windows\system32\dllcache\srwlnd5.sys
2009-04-08 08:36 . 2001-08-17 12:51	37,040	--a--c---	c:\windows\system32\dllcache\sonypi.sys
2009-04-08 08:36 . 2001-08-17 22:36	24,660	--a--c---	c:\windows\system32\dllcache\spxupchk.dll
2009-04-08 08:36 . 2001-08-17 12:51	20,752	--a--c---	c:\windows\system32\dllcache\sonync.sys
2009-04-08 08:36 . 2001-08-17 14:07	19,072	--a--c---	c:\windows\system32\dllcache\sparrow.sys
2009-04-08 08:36 . 2001-08-17 13:53	9,600	--a--c---	c:\windows\system32\dllcache\sonymc.sys
2009-04-08 08:36 . 2001-08-17 13:56	7,552	--a--c---	c:\windows\system32\dllcache\sonypvu1.sys
2009-04-08 08:36 . 2004-08-03 23:00	7,552	--a--c---	c:\windows\system32\dllcache\sonyait.sys
2009-04-08 08:34 . 2001-08-17 14:56	252,032	--a--c---	c:\windows\system32\dllcache\sis300iv.dll
2009-04-08 08:34 . 2001-08-17 22:36	238,592	--a--c---	c:\windows\system32\dllcache\sisgrv.dll
2009-04-08 08:34 . 2001-08-17 14:56	157,696	--a--c---	c:\windows\system32\dllcache\sisv256.dll
2009-04-08 08:34 . 2001-08-17 14:56	150,144	--a--c---	c:\windows\system32\dllcache\sis6306v.dll
2009-04-08 08:34 . 2001-08-17 12:50	104,064	--a--c---	c:\windows\system32\dllcache\sisgrp.sys
2009-04-08 08:34 . 2001-08-17 12:50	101,760	--a--c---	c:\windows\system32\dllcache\sis300ip.sys
2009-04-08 08:34 . 2001-08-17 12:12	94,698	--a--c---	c:\windows\system32\dllcache\sk98xwin.sys
2009-04-08 08:34 . 2001-08-17 12:12	91,294	--a--c---	c:\windows\system32\dllcache\skfpwin.sys
2009-04-08 08:34 . 2001-08-17 12:50	68,608	--a--c---	c:\windows\system32\dllcache\sis6306p.sys
2009-04-08 08:34 . 2004-08-03 22:31	63,547	--a--c---	c:\windows\system32\dllcache\sla30nd5.sys
2009-04-08 08:34 . 2001-08-17 12:50	50,432	--a--c---	c:\windows\system32\dllcache\sisv.sys
2009-04-08 08:34 . 2004-08-03 22:31	32,768	--a--c---	c:\windows\system32\dllcache\sisnic.sys
2009-04-08 08:34 . 2004-08-03 23:10	11,136	--a--c---	c:\windows\system32\dllcache\slip.sys
2009-04-08 08:32 . 2001-08-17 22:36	495,616	--a--c---	c:\windows\system32\dllcache\sblfx.dll
2009-04-08 08:31 . 2001-08-17 22:36	86,097	--a--c---	c:\windows\system32\dllcache\reslog32.dll
2009-04-08 08:31 . 2004-08-03 22:59	79,104	--a--c---	c:\windows\system32\dllcache\rocket.sys
2009-04-08 08:31 . 2001-08-17 12:12	37,563	--a--c---	c:\windows\system32\dllcache\rlnet5.sys
2009-04-08 08:31 . 2001-08-17 12:19	30,720	--a--c---	c:\windows\system32\dllcache\rthwcls.sys
2009-04-08 08:31 . 2001-08-17 22:36	26,624	--a--c---	c:\windows\system32\dllcache\rw450ext.dll
2009-04-08 08:31 . 2004-08-04 08:00	26,112	--a--c---	c:\windows\system32\dllcache\romanime.ime
2009-04-08 08:31 . 2001-08-17 22:36	24,576	--a--c---	c:\windows\system32\dllcache\rw430ext.dll
2009-04-08 08:31 . 2004-08-03 22:31	20,992	--a--c---	c:\windows\system32\dllcache\rtl8139.sys
2009-04-08 08:31 . 2001-08-17 13:51	19,584	--a--c---	c:\windows\system32\dllcache\rasirda.sys
2009-04-08 08:31 . 2001-08-17 12:12	19,017	--a--c---	c:\windows\system32\dllcache\rtl8029.sys
2009-04-08 08:31 . 2001-08-17 22:36	9,216	--a--c---	c:\windows\system32\dllcache\rsmgrstr.dll
2009-04-08 08:31 . 2001-08-17 12:19	3,840	--a--c---	c:\windows\system32\dllcache\rpfun.sys
2009-04-08 08:29 . 2004-08-04 08:00	482,304	--a--c---	c:\windows\system32\dllcache\pintlgnt.ime
2009-04-08 08:28 . 2001-08-17 14:05	351,616	--a--c---	c:\windows\system32\dllcache\ovcodek2.sys
2009-04-08 08:27 . 2001-08-17 12:50	198,144	--a--c---	c:\windows\system32\dllcache\nv3.sys
2009-04-08 08:27 . 2001-08-17 22:36	123,776	--a--c---	c:\windows\system32\dllcache\nv3.dll
2009-04-08 08:27 . 2001-08-17 22:36	116,736	--a--c---	c:\windows\system32\dllcache\ovcodec2.dll
2009-04-08 08:27 . 2004-08-03 23:10	61,056	--a--c---	c:\windows\system32\dllcache\ohci1394.sys
2009-04-08 08:27 . 2001-08-17 12:20	54,528	--a--c---	c:\windows\system32\dllcache\opl3sax.sys
2009-04-08 08:27 . 2001-08-17 13:28	54,186	--a--c---	c:\windows\system32\dllcache\otcsercb.sys
2009-04-08 08:27 . 2001-08-17 12:49	51,552	--a--c---	c:\windows\system32\dllcache\ntgrip.sys
2009-04-08 08:27 . 2001-08-17 14:05	48,000	--a--c---	c:\windows\system32\dllcache\ovcam2.sys
2009-04-08 08:27 . 2001-08-17 12:12	43,689	--a--c---	c:\windows\system32\dllcache\otceth5.sys
2009-04-08 08:27 . 2001-08-17 14:05	31,872	--a--c---	c:\windows\system32\dllcache\ovce.sys
2009-04-08 08:27 . 2001-08-17 14:05	28,032	--a--c---	c:\windows\system32\dllcache\ovcd.sys
2009-04-08 08:27 . 2001-08-17 12:12	27,209	--a--c---	c:\windows\system32\dllcache\otc06x5.sys
2009-04-08 08:27 . 2001-08-17 14:05	25,088	--a--c---	c:\windows\system32\dllcache\ovca.sys
2009-04-08 08:25 . 2004-08-04 08:00	229,439	--a--c---	c:\windows\system32\dllcache\multibox.dll
2009-04-08 08:24 . 2004-08-04 08:00	1,875,968	--a--c---	c:\windows\system32\dllcache\msir3jp.lex
2009-04-08 08:24 . 2004-08-04 08:00	98,304	--a--c---	c:\windows\system32\dllcache\msir3jp.dll
2009-04-08 08:24 . 2004-08-04 00:56	56,832	--a--c---	c:\windows\system32\dllcache\msdvbnp.ax
2009-04-08 08:24 . 2004-08-03 23:10	51,328	--a--c---	c:\windows\system32\dllcache\msdv.sys
2009-04-08 08:24 . 2001-08-17 14:02	35,200	--a--c---	c:\windows\system32\dllcache\msgame.sys
2009-04-08 08:24 . 2004-08-03 23:00	22,016	--a--c---	c:\windows\system32\dllcache\msircomm.sys
2009-04-08 08:24 . 2001-08-17 13:52	17,280	--a--c---	c:\windows\system32\dllcache\mraid35x.sys
2009-04-08 08:24 . 2004-08-03 23:10	15,360	--a--c---	c:\windows\system32\dllcache\mpe.sys
2009-04-08 08:24 . 2001-08-17 13:48	12,416	--a--c---	c:\windows\system32\dllcache\msriffwv.sys
2009-04-08 08:24 . 2001-08-17 13:48	6,016	--a--c---	c:\windows\system32\dllcache\msfsio.sys
2009-04-08 08:24 . 2001-08-17 14:00	2,944	--a--c---	c:\windows\system32\dllcache\msmpu401.sys
2009-04-08 08:23 . 2001-08-17 12:50	320,384	--a--c---	c:\windows\system32\dllcache\mgaum.sys
2009-04-08 08:23 . 2001-08-17 14:56	235,648	--a--c---	c:\windows\system32\dllcache\mgaud.dll
2009-04-08 08:23 . 2001-08-17 12:12	164,586	--a--c---	c:\windows\system32\dllcache\mdgndis5.sys
2009-04-08 08:23 . 2001-08-17 22:36	58,880	--a--c---	c:\windows\system32\dllcache\m3092dc.dll
2009-04-08 08:23 . 2001-08-17 12:19	48,768	--a--c---	c:\windows\system32\dllcache\maestro.sys
2009-04-08 08:23 . 2001-08-17 22:36	47,616	--a--c---	c:\windows\system32\dllcache\memgrp.dll
2009-04-08 08:23 . 2004-08-03 23:00	26,112	--a--c---	c:\windows\system32\dllcache\memstpci.sys
2009-04-08 08:23 . 2001-08-17 13:57	16,128	--a--c---	c:\windows\system32\dllcache\modemcsa.sys
2009-04-08 08:23 . 2001-08-17 13:48	12,160	--a--c---	c:\windows\system32\dllcache\mouhid.sys
2009-04-08 08:23 . 2001-08-17 13:58	8,320	--a--c---	c:\windows\system32\dllcache\memcard.sys
2009-04-08 08:23 . 2001-08-17 13:52	7,424	--a--c---	c:\windows\system32\dllcache\mammoth.sys
2009-04-08 08:23 . 2001-08-17 13:52	6,528	--a--c---	c:\windows\system32\dllcache\miniqic.sys
2009-04-08 08:21 . 2004-08-04 08:00	1,158,818	--a--c---	c:\windows\system32\dllcache\korwbrkr.lex
2009-04-08 08:21 . 2001-08-17 22:36	242,176	--a--c---	c:\windows\system32\dllcache\kdsusd.dll
2009-04-08 08:21 . 2004-08-04 08:00	70,656	--a--c---	c:\windows\system32\dllcache\korwbrkr.dll
2009-04-08 08:21 . 2001-08-17 22:36	45,568	--a--c---	c:\windows\system32\dllcache\kdsui.dll
2009-04-08 08:21 . 2001-08-17 22:36	37,376	--a--c---	c:\windows\system32\dllcache\kousd.dll
2009-04-08 08:21 . 2004-08-03 22:58	14,848	--a--c---	c:\windows\system32\dllcache\kbdhid.sys
2009-04-08 08:21 . 2001-08-17 22:36	8,704	--a--c---	c:\windows\system32\dllcache\kbdjpn.dll
2009-04-08 08:21 . 2001-08-17 22:36	8,192	--a--c---	c:\windows\system32\dllcache\kbdkor.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 12:01	23,424	----a-w	c:\windows\system32\drivers\bkfuwrms.sys
2009-04-06 15:30	---------	d-----w	c:\documents and settings\Virginia\Application Data\MSNInstaller
2009-04-06 14:51	---------	d-----w	c:\documents and settings\Virginia\Application Data\Apple Computer
2009-04-06 14:31	---------	d-----w	c:\program files\Common Files\Adobe
2009-03-24 18:35	---------	d-----w	c:\program files\Common Files\Apple
2009-02-23 19:48	---------	d-----w	c:\program files\Angle Interactive
2006-12-11 17:53	85,954	----a-w	c:\program files\10187EZ.pdf
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{386eee7a-3dd8-4b2c-8a5d-2e32e9da0c9b}]
c:\windows\system32\batmete.dll [BU]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-16 67128]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-02-24 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"SoundMan"="SOUNDMAN.EXE" [2005-03-11 c:\windows\SOUNDMAN.EXE]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-16 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-01-24 450560]
Verizon Online Support Center.lnk - c:\program files\Verizon Online\bin\matcli.exe [2005-12-06 204800]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\Logitech\\SetPoint\\SetPoint.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
 
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-04-06 47640]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-06 108289]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-31 33176]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder
 
2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2009-04-09 c:\windows\Tasks\wrSpySweeper_LB99127F7A65743E182A02FDE79D003FF.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 21:56]
 
2009-04-09 c:\windows\Tasks\wrSpySweeper_LB99127F7A65743E182A02FDE79D003FF.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 21:56]
 
2009-04-09 c:\windows\Tasks\wrSpySweeper_LB99127F7A65743E182A02FDE79D003FF.job
- C:\ [2009-04-09 08:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.acornweb.org/
uInternet Settings,ProxyServer = www.stephen.org/wedding
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: microsoft.com\UPDATE
Trusted Zone: windowsupdate.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Virginia\Application Data\Mozilla\Firefox\Profiles\gxab0rik.default\
FF - prefs.js: network.proxy.ftp - www.stephen.org/wedding
FF - prefs.js: network.proxy.gopher - www.stephen.org/wedding
FF - prefs.js: network.proxy.http - www.stephen.org/wedding
FF - prefs.js: network.proxy.socks - www.stephen.org/wedding
FF - prefs.js: network.proxy.ssl - www.stephen.org/wedding
FF - prefs.js: network.proxy.type - 1
.
 
**************************************************************************
 
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 08:23:55
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2009-04-09  8:26:58 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-09 12:26:55
ComboFix2.txt  2009-04-09 12:10:16
ComboFix3.txt  2009-04-09 02:38:27
 
Pre-Run: 148,333,445,120 bytes free
Post-Run: 148,314,132,480 bytes free
 
269	--- E O F ---	2009-01-19 02:30:50


I'm home from my day job and did what you suggested, and it seems to have done the trick.  I was able to install SP3 from updates.microsoft.com.  This is by far the most impressive help I've ever received, at this or any other helpsite.  I'm truly awestruck that you knew what to do so immediately and so completely.  Thank you is so inadequate to express my appreciation.  I'd award 5000 points if that were possible.

Ron Hicks

Oh, I'm attaching the log file in case it indicates something else that needs doing.
ComboFix 09-04-04.01 - Virginia 2009-04-09 22:25:12.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.447.198 [GMT -4:00]
Running from: c:\documents and settings\Virginia\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Virginia\Desktop\CFScript.txt
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated)
AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
 * Created a new restore point
 
FILE ::
c:\windows\system32\batmete.dll
c:\windows\system32\drivers\bkfuwrms.sys
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\system32\drivers\bkfuwrms.sys
 
.
(((((((((((((((((((((((((   Files Created from 2009-03-10 to 2009-04-10  )))))))))))))))))))))))))))))))
.
 
2009-04-09 22:23 . 2006-03-03 00:42	73,728	--a------	C:\pv.exe
2009-04-09 07:35 . 2009-04-09 07:35	<DIR>	d--------	c:\documents and settings\NetworkService\Application Data\Webroot
2009-04-08 22:01 . 2009-04-08 22:01	<DIR>	d--------	C:\EmergencyUtils
2009-04-08 08:44 . 2004-08-04 00:56	116,224	--a--c---	c:\windows\system32\dllcache\xrxwiadr.dll
2009-04-08 08:44 . 2001-08-17 22:37	99,865	--a--c---	c:\windows\system32\dllcache\xlog.exe
2009-04-08 08:44 . 2001-08-17 22:37	27,648	--a--c---	c:\windows\system32\dllcache\xrxftplt.exe
2009-04-08 08:44 . 2001-08-17 22:36	23,040	--a--c---	c:\windows\system32\dllcache\xrxwbtmp.dll
2009-04-08 08:44 . 2004-08-03 22:29	19,455	--a--c---	c:\windows\system32\dllcache\wvchntxx.sys
2009-04-08 08:44 . 2004-08-03 23:10	19,328	--a--c---	c:\windows\system32\dllcache\wstcodec.sys
2009-04-08 08:44 . 2001-08-17 22:36	17,408	--a--c---	c:\windows\system32\dllcache\xrxscnui.dll
2009-04-08 08:44 . 2001-08-17 12:11	16,970	--a--c---	c:\windows\system32\dllcache\xem336n5.sys
2009-04-08 08:44 . 2001-08-17 22:37	4,608	--a--c---	c:\windows\system32\dllcache\xrxflnch.exe
2009-04-08 08:43 . 2001-08-17 13:28	771,581	--a--c---	c:\windows\system32\dllcache\winacisa.sys
2009-04-08 08:43 . 2004-08-04 08:00	156,672	--a--c---	c:\windows\system32\dllcache\winzm.ime
2009-04-08 08:43 . 2004-08-04 08:00	156,672	--a--c---	c:\windows\system32\dllcache\winsp.ime
2009-04-08 08:43 . 2004-08-04 08:00	156,672	--a--c---	c:\windows\system32\dllcache\winpy.ime
2009-04-08 08:43 . 2004-08-03 22:31	154,624	--a--c---	c:\windows\system32\dllcache\wlluc48.sys
2009-04-08 08:43 . 2004-08-04 08:00	79,360	--a--c---	c:\windows\system32\dllcache\winar30.ime
2009-04-08 08:43 . 2004-08-04 08:00	69,120	--a--c---	c:\windows\system32\dllcache\wingb.ime
2009-04-08 08:43 . 2004-08-04 08:00	65,536	--a--c---	c:\windows\system32\dllcache\winime.ime
2009-04-08 08:43 . 2001-08-17 12:12	34,890	--a--c---	c:\windows\system32\dllcache\wlandrv2.sys
2009-04-08 08:43 . 2004-08-03 22:29	12,063	--a--c---	c:\windows\system32\dllcache\wsiintxx.sys
2009-04-08 08:43 . 2004-08-03 23:07	8,832	--a--c---	c:\windows\system32\dllcache\wmiacpi.sys
2009-04-08 08:43 . 2004-08-04 00:56	8,192	--a--c---	c:\windows\system32\dllcache\wshirda.dll
2009-04-08 08:41 . 2001-08-17 13:28	794,654	--a--c---	c:\windows\system32\dllcache\usr1801.sys
2009-04-08 08:40 . 2001-08-17 22:36	216,064	--a--c---	c:\windows\system32\dllcache\um34scan.dll
2009-04-08 08:39 . 2001-08-17 22:36	525,568	--a--c---	c:\windows\system32\dllcache\tridxp.dll
2009-04-08 08:39 . 2001-08-17 14:56	440,576	--a--c---	c:\windows\system32\dllcache\tridkb.dll
2009-04-08 08:39 . 2001-08-17 14:56	315,520	--a--c---	c:\windows\system32\dllcache\trid3d.dll
2009-04-08 08:39 . 2001-08-17 14:02	230,912	--a--c---	c:\windows\system32\dllcache\tosdvd03.sys
2009-04-08 08:39 . 2001-08-17 12:51	222,336	--a--c---	c:\windows\system32\dllcache\trid3dm.sys
2009-04-08 08:39 . 2001-08-17 12:51	166,784	--a--c---	c:\windows\system32\dllcache\tridxpm.sys
2009-04-08 08:39 . 2001-08-17 12:51	159,232	--a--c---	c:\windows\system32\dllcache\tridkbm.sys
2009-04-08 08:39 . 2004-08-04 00:56	82,432	--a--c---	c:\windows\system32\dllcache\tp4mon.exe
2009-04-08 08:39 . 2001-08-17 22:35	42,496	--a--c---	c:\windows\system32\dllcache\tp4res.dll
2009-04-08 08:39 . 2001-08-17 12:12	34,375	--a--c---	c:\windows\system32\dllcache\tpro4.sys
2009-04-08 08:39 . 2001-08-17 22:36	31,744	--a--c---	c:\windows\system32\dllcache\tp4.dll
2009-04-08 08:39 . 2001-08-17 13:48	11,520	--a--c---	c:\windows\system32\dllcache\twotrack.sys
2009-04-08 08:39 . 2001-08-17 13:51	4,992	--a--c---	c:\windows\system32\dllcache\toside.sys
2009-04-08 08:37 . 2001-08-17 12:18	285,760	--a--c---	c:\windows\system32\dllcache\stlnata.sys
2009-04-08 08:36 . 2004-08-04 08:00	143,422	--a--c---	c:\windows\system32\dllcache\softkey.dll
2009-04-08 08:36 . 2001-08-17 22:36	114,688	--a--c---	c:\windows\system32\dllcache\sonypi.dll
2009-04-08 08:36 . 2001-08-17 22:36	106,584	--a--c---	c:\windows\system32\dllcache\spdports.dll
2009-04-08 08:36 . 2001-08-17 22:36	99,328	--a--c---	c:\windows\system32\dllcache\srusd.dll
2009-04-08 08:36 . 2001-08-17 13:51	61,824	--a--c---	c:\windows\system32\dllcache\speed.sys
2009-04-08 08:36 . 2001-08-17 12:11	48,736	--a--c---	c:\windows\system32\dllcache\srwlnd5.sys
2009-04-08 08:36 . 2001-08-17 12:51	37,040	--a--c---	c:\windows\system32\dllcache\sonypi.sys
2009-04-08 08:36 . 2001-08-17 22:36	24,660	--a--c---	c:\windows\system32\dllcache\spxupchk.dll
2009-04-08 08:36 . 2001-08-17 12:51	20,752	--a--c---	c:\windows\system32\dllcache\sonync.sys
2009-04-08 08:36 . 2001-08-17 14:07	19,072	--a--c---	c:\windows\system32\dllcache\sparrow.sys
2009-04-08 08:36 . 2001-08-17 13:53	9,600	--a--c---	c:\windows\system32\dllcache\sonymc.sys
2009-04-08 08:36 . 2001-08-17 13:56	7,552	--a--c---	c:\windows\system32\dllcache\sonypvu1.sys
2009-04-08 08:36 . 2004-08-03 23:00	7,552	--a--c---	c:\windows\system32\dllcache\sonyait.sys
2009-04-08 08:34 . 2001-08-17 14:56	252,032	--a--c---	c:\windows\system32\dllcache\sis300iv.dll
2009-04-08 08:34 . 2001-08-17 22:36	238,592	--a--c---	c:\windows\system32\dllcache\sisgrv.dll
2009-04-08 08:34 . 2001-08-17 14:56	157,696	--a--c---	c:\windows\system32\dllcache\sisv256.dll
2009-04-08 08:34 . 2001-08-17 14:56	150,144	--a--c---	c:\windows\system32\dllcache\sis6306v.dll
2009-04-08 08:34 . 2001-08-17 12:50	104,064	--a--c---	c:\windows\system32\dllcache\sisgrp.sys
2009-04-08 08:34 . 2001-08-17 12:50	101,760	--a--c---	c:\windows\system32\dllcache\sis300ip.sys
2009-04-08 08:34 . 2001-08-17 12:12	94,698	--a--c---	c:\windows\system32\dllcache\sk98xwin.sys
2009-04-08 08:34 . 2001-08-17 12:12	91,294	--a--c---	c:\windows\system32\dllcache\skfpwin.sys
2009-04-08 08:34 . 2001-08-17 12:50	68,608	--a--c---	c:\windows\system32\dllcache\sis6306p.sys
2009-04-08 08:34 . 2004-08-03 22:31	63,547	--a--c---	c:\windows\system32\dllcache\sla30nd5.sys
2009-04-08 08:34 . 2001-08-17 12:50	50,432	--a--c---	c:\windows\system32\dllcache\sisv.sys
2009-04-08 08:34 . 2004-08-03 22:31	32,768	--a--c---	c:\windows\system32\dllcache\sisnic.sys
2009-04-08 08:34 . 2004-08-03 23:10	11,136	--a--c---	c:\windows\system32\dllcache\slip.sys
2009-04-08 08:32 . 2001-08-17 22:36	495,616	--a--c---	c:\windows\system32\dllcache\sblfx.dll
2009-04-08 08:31 . 2001-08-17 22:36	86,097	--a--c---	c:\windows\system32\dllcache\reslog32.dll
2009-04-08 08:31 . 2004-08-03 22:59	79,104	--a--c---	c:\windows\system32\dllcache\rocket.sys
2009-04-08 08:31 . 2001-08-17 12:12	37,563	--a--c---	c:\windows\system32\dllcache\rlnet5.sys
2009-04-08 08:31 . 2001-08-17 12:19	30,720	--a--c---	c:\windows\system32\dllcache\rthwcls.sys
2009-04-08 08:31 . 2001-08-17 22:36	26,624	--a--c---	c:\windows\system32\dllcache\rw450ext.dll
2009-04-08 08:31 . 2004-08-04 08:00	26,112	--a--c---	c:\windows\system32\dllcache\romanime.ime
2009-04-08 08:31 . 2001-08-17 22:36	24,576	--a--c---	c:\windows\system32\dllcache\rw430ext.dll
2009-04-08 08:31 . 2004-08-03 22:31	20,992	--a--c---	c:\windows\system32\dllcache\rtl8139.sys
2009-04-08 08:31 . 2001-08-17 13:51	19,584	--a--c---	c:\windows\system32\dllcache\rasirda.sys
2009-04-08 08:31 . 2001-08-17 12:12	19,017	--a--c---	c:\windows\system32\dllcache\rtl8029.sys
2009-04-08 08:31 . 2001-08-17 22:36	9,216	--a--c---	c:\windows\system32\dllcache\rsmgrstr.dll
2009-04-08 08:31 . 2001-08-17 12:19	3,840	--a--c---	c:\windows\system32\dllcache\rpfun.sys
2009-04-08 08:29 . 2004-08-04 08:00	482,304	--a--c---	c:\windows\system32\dllcache\pintlgnt.ime
2009-04-08 08:28 . 2001-08-17 14:05	351,616	--a--c---	c:\windows\system32\dllcache\ovcodek2.sys
2009-04-08 08:27 . 2001-08-17 12:50	198,144	--a--c---	c:\windows\system32\dllcache\nv3.sys
2009-04-08 08:27 . 2001-08-17 22:36	123,776	--a--c---	c:\windows\system32\dllcache\nv3.dll
2009-04-08 08:27 . 2001-08-17 22:36	116,736	--a--c---	c:\windows\system32\dllcache\ovcodec2.dll
2009-04-08 08:27 . 2004-08-03 23:10	61,056	--a--c---	c:\windows\system32\dllcache\ohci1394.sys
2009-04-08 08:27 . 2001-08-17 12:20	54,528	--a--c---	c:\windows\system32\dllcache\opl3sax.sys
2009-04-08 08:27 . 2001-08-17 13:28	54,186	--a--c---	c:\windows\system32\dllcache\otcsercb.sys
2009-04-08 08:27 . 2001-08-17 12:49	51,552	--a--c---	c:\windows\system32\dllcache\ntgrip.sys
2009-04-08 08:27 . 2001-08-17 14:05	48,000	--a--c---	c:\windows\system32\dllcache\ovcam2.sys
2009-04-08 08:27 . 2001-08-17 12:12	43,689	--a--c---	c:\windows\system32\dllcache\otceth5.sys
2009-04-08 08:27 . 2001-08-17 14:05	31,872	--a--c---	c:\windows\system32\dllcache\ovce.sys
2009-04-08 08:27 . 2001-08-17 14:05	28,032	--a--c---	c:\windows\system32\dllcache\ovcd.sys
2009-04-08 08:27 . 2001-08-17 12:12	27,209	--a--c---	c:\windows\system32\dllcache\otc06x5.sys
2009-04-08 08:27 . 2001-08-17 14:05	25,088	--a--c---	c:\windows\system32\dllcache\ovca.sys
2009-04-08 08:25 . 2004-08-04 08:00	229,439	--a--c---	c:\windows\system32\dllcache\multibox.dll
2009-04-08 08:24 . 2004-08-04 08:00	1,875,968	--a--c---	c:\windows\system32\dllcache\msir3jp.lex
2009-04-08 08:24 . 2004-08-04 08:00	98,304	--a--c---	c:\windows\system32\dllcache\msir3jp.dll
2009-04-08 08:24 . 2004-08-04 00:56	56,832	--a--c---	c:\windows\system32\dllcache\msdvbnp.ax
2009-04-08 08:24 . 2004-08-03 23:10	51,328	--a--c---	c:\windows\system32\dllcache\msdv.sys
2009-04-08 08:24 . 2001-08-17 14:02	35,200	--a--c---	c:\windows\system32\dllcache\msgame.sys
2009-04-08 08:24 . 2004-08-03 23:00	22,016	--a--c---	c:\windows\system32\dllcache\msircomm.sys
2009-04-08 08:24 . 2001-08-17 13:52	17,280	--a--c---	c:\windows\system32\dllcache\mraid35x.sys
2009-04-08 08:24 . 2004-08-03 23:10	15,360	--a--c---	c:\windows\system32\dllcache\mpe.sys
2009-04-08 08:24 . 2001-08-17 13:48	12,416	--a--c---	c:\windows\system32\dllcache\msriffwv.sys
2009-04-08 08:24 . 2001-08-17 13:48	6,016	--a--c---	c:\windows\system32\dllcache\msfsio.sys
2009-04-08 08:24 . 2001-08-17 14:00	2,944	--a--c---	c:\windows\system32\dllcache\msmpu401.sys
2009-04-08 08:23 . 2001-08-17 12:50	320,384	--a--c---	c:\windows\system32\dllcache\mgaum.sys
2009-04-08 08:23 . 2001-08-17 14:56	235,648	--a--c---	c:\windows\system32\dllcache\mgaud.dll
2009-04-08 08:23 . 2001-08-17 12:12	164,586	--a--c---	c:\windows\system32\dllcache\mdgndis5.sys
2009-04-08 08:23 . 2001-08-17 22:36	58,880	--a--c---	c:\windows\system32\dllcache\m3092dc.dll
2009-04-08 08:23 . 2001-08-17 12:19	48,768	--a--c---	c:\windows\system32\dllcache\maestro.sys
2009-04-08 08:23 . 2001-08-17 22:36	47,616	--a--c---	c:\windows\system32\dllcache\memgrp.dll
2009-04-08 08:23 . 2004-08-03 23:00	26,112	--a--c---	c:\windows\system32\dllcache\memstpci.sys
2009-04-08 08:23 . 2001-08-17 13:57	16,128	--a--c---	c:\windows\system32\dllcache\modemcsa.sys
2009-04-08 08:23 . 2001-08-17 13:48	12,160	--a--c---	c:\windows\system32\dllcache\mouhid.sys
2009-04-08 08:23 . 2001-08-17 13:58	8,320	--a--c---	c:\windows\system32\dllcache\memcard.sys
2009-04-08 08:23 . 2001-08-17 13:52	7,424	--a--c---	c:\windows\system32\dllcache\mammoth.sys
2009-04-08 08:23 . 2001-08-17 13:52	6,528	--a--c---	c:\windows\system32\dllcache\miniqic.sys
2009-04-08 08:21 . 2004-08-04 08:00	1,158,818	--a--c---	c:\windows\system32\dllcache\korwbrkr.lex
2009-04-08 08:21 . 2001-08-17 22:36	242,176	--a--c---	c:\windows\system32\dllcache\kdsusd.dll
2009-04-08 08:21 . 2004-08-04 08:00	70,656	--a--c---	c:\windows\system32\dllcache\korwbrkr.dll
2009-04-08 08:21 . 2001-08-17 22:36	45,568	--a--c---	c:\windows\system32\dllcache\kdsui.dll
2009-04-08 08:21 . 2001-08-17 22:36	37,376	--a--c---	c:\windows\system32\dllcache\kousd.dll
2009-04-08 08:21 . 2004-08-03 22:58	14,848	--a--c---	c:\windows\system32\dllcache\kbdhid.sys
2009-04-08 08:21 . 2001-08-17 22:36	8,704	--a--c---	c:\windows\system32\dllcache\kbdjpn.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 15:30	---------	d-----w	c:\documents and settings\Virginia\Application Data\MSNInstaller
2009-04-06 14:51	---------	d-----w	c:\documents and settings\Virginia\Application Data\Apple Computer
2009-04-06 14:31	---------	d-----w	c:\program files\Common Files\Adobe
2009-03-24 18:35	---------	d-----w	c:\program files\Common Files\Apple
2009-02-23 19:48	---------	d-----w	c:\program files\Angle Interactive
2006-12-11 17:53	85,954	----a-w	c:\program files\10187EZ.pdf
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-16 67128]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-02-24 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"SoundMan"="SOUNDMAN.EXE" [2005-03-11 c:\windows\SOUNDMAN.EXE]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-16 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-01-24 450560]
Verizon Online Support Center.lnk - c:\program files\Verizon Online\bin\matcli.exe [2005-12-06 204800]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\Logitech\\SetPoint\\SetPoint.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
 
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-04-06 47640]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-06 108289]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-31 33176]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder
 
2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2009-04-10 c:\windows\Tasks\wrSpySweeper_LB99127F7A65743E182A02FDE79D003FF.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 21:56]
 
2009-04-10 c:\windows\Tasks\wrSpySweeper_LB99127F7A65743E182A02FDE79D003FF.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 21:56]
 
2009-04-10 c:\windows\Tasks\wrSpySweeper_LB99127F7A65743E182A02FDE79D003FF.job
- C:\ [2009-04-09 22:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.acornweb.org/
uInternet Settings,ProxyServer = www.stephen.org/wedding
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: microsoft.com\UPDATE
Trusted Zone: windowsupdate.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Virginia\Application Data\Mozilla\Firefox\Profiles\gxab0rik.default\
FF - prefs.js: network.proxy.ftp - www.stephen.org/wedding
FF - prefs.js: network.proxy.gopher - www.stephen.org/wedding
FF - prefs.js: network.proxy.http - www.stephen.org/wedding
FF - prefs.js: network.proxy.socks - www.stephen.org/wedding
FF - prefs.js: network.proxy.ssl - www.stephen.org/wedding
FF - prefs.js: network.proxy.type - 1
.
 
**************************************************************************
 
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 22:26:44
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\WRLogonNTF.dll
.
Completion time: 2009-04-09 22:28:04
ComboFix-quarantined-files.txt  2009-04-10 02:27:55
ComboFix2.txt  2009-04-09 12:26:59
ComboFix3.txt  2009-04-09 12:10:16
ComboFix4.txt  2009-04-09 02:38:27
 
Pre-Run: 148,292,538,368 bytes free
Post-Run: 148,279,324,672 bytes free
 
254	--- E O F ---	2009-01-19 02:30:50


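Neither post remarks on the proxy lines in the Supplementary Scan, and they are identical in both logs: Internet Explorer's ProxyServer and Firefox's network.proxy.* prefs (with network.proxy.type = 1, manual configuration) all name www.stephen.org/wedding. A proxy setting that points anywhere but the local machine routes the browser's traffic through that host, and a value with a path component is not even a valid host:port, so lines like these are worth checking whenever a ComboFix log is reviewed. The following is an added triage script for this thread, not ComboFix code and not from either participant; the sample text is copied from the log above, while the function names and the verdict labels are this example's own choices.

```python
"""Triage the proxy lines in a ComboFix 'Supplementary Scan' section.

Added example for this thread; not ComboFix code and not from either post.
The sample log text is copied from the log posted above; the function
names and the verdict labels are this example's own choices.
"""
import re
from ipaddress import ip_address

# Constructed sample: the proxy-related lines from the posted log.
SAMPLE_LOG = """\
uStart Page = hxxp://www.acornweb.org/
uInternet Settings,ProxyServer = www.stephen.org/wedding
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
FF - prefs.js: network.proxy.ftp - www.stephen.org/wedding
FF - prefs.js: network.proxy.http - www.stephen.org/wedding
FF - prefs.js: network.proxy.ssl - www.stephen.org/wedding
FF - prefs.js: network.proxy.type - 1
"""

# ComboFix prefixes HKCU entries with 'u' and HKLM entries with 'm'.
IE_PROXY = re.compile(r"^[um]?Internet Settings,ProxyServer\s*=\s*(\S.*?)\s*$", re.M)
FF_PREF = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+)\s*-\s*(\S.*?)\s*$", re.M)


def _is_local(host):
    """True for localhost and loopback addresses (IPv4 or bracketed IPv6)."""
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def classify_proxy(value):
    """Return 'local', 'external' or 'malformed' for one proxy value.

    WinINet's ProxyServer is 'host:port' or 'proto=host:port;...'; a path
    component ('/') is never valid there, so it gets its own verdict.
    Firefox's network.proxy.* prefs hold only the host, which the same
    parsing handles.
    """
    verdicts = set()
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        target = entry.split("=", 1)[-1]      # drop a 'http=' style prefix
        if "/" in target:
            verdicts.add("malformed")
            continue
        host, sep, port = target.rpartition(":")
        if not (sep and port.isdigit()):
            host = target                     # no ':port' suffix present
        verdicts.add("local" if _is_local(host) else "external")
    if "malformed" in verdicts:
        return "malformed"
    return "external" if "external" in verdicts else "local"


def proxy_findings(log_text):
    """List (source, value, verdict) for every proxy setting worth a look.

    Loopback proxies (e.g. a local filtering proxy) are skipped. Firefox
    prefs count only when network.proxy.type is 1 (manual configuration).
    """
    findings = []
    for m in IE_PROXY.finditer(log_text):
        verdict = classify_proxy(m.group(1))
        if verdict != "local":
            findings.append(("IE ProxyServer", m.group(1), verdict))
    prefs = dict(FF_PREF.findall(log_text))
    if prefs.get("type") == "1":
        for proto, value in sorted(prefs.items()):
            if proto == "type":
                continue
            verdict = classify_proxy(value)
            if verdict != "local":
                findings.append((f"Firefox network.proxy.{proto}", value, verdict))
    return findings


if __name__ == "__main__":
    for source, value, verdict in proxy_findings(SAMPLE_LOG):
        print(f"{verdict:9} {source}: {value}")
```

Run against the posted log this reports the IE ProxyServer entry and the three Firefox prefs as malformed; a Firefox profile with network.proxy.type 0 or a loopback proxy such as 127.0.0.1:8118 produces no finding. Whether a flagged external proxy is legitimate (a corporate proxy, for instance) is still the analyst's call; the script only makes sure the lines are not overlooked.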
Ron Hicks,

You're welcome... glad to know it's now resolved.
Thanks for the CF log, it's fine.
ComboFix still detects Norton, so you may need to run Norton's removal tool to remove all related files that are still there.
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039 

To uninstall Combofix:
Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

The above command will remove Combofix and its files, delete the created backup and reset System Restore.

Thank you so much for the excellent feedback!... it's nice of you. I really appreciate it :)
Your compliments/feedback are worth more than a million points!

Thank you for using Experts-Exchange!