Jump to content

Bryan Braley

Members
  • Posts

    7
  • Joined

  • Last visited

Everything posted by Bryan Braley

  1. Yep, sorry about the delay in responding. I got everything cleaned up except for the "Set as Desktop Background" item. I've worked with Windows Policies for years in the past, I'm just gonna do some poking around and see where that one is hiding. I can wait on that one since I lost several days of work last week trying to clean the computer. Thanks for all your help. I'll admit, I was a little weary of ComboFix as I seem to recall having some problems with it in the past, but it did the trick this time. Bryan
  2. Here's the latest HJT log, I'm still running MBAM. For some reason, I've lost the ability to right click pictures and select set as desktop background. I can now browse to the pic from desktop properties and get the same result - that wasn't working earlier. It is only happening on the originally infected username. After i get a clean bill of health from MBAM, should I use MMC to reset the security settings on windows? : Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:22:17 AM, on 5/1/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Mozilla Firefox\firefox.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM') O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user') O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user') O8 - Extra context menu item: Add selected links to Link Container - C:\Program Files\PixGrabber Free\System\Scripts\off_collector_sel.htm O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open all links in new windows - C:\Program Files\PixGrabber Free\System\Scripts\off_open_all.htm O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\PixGrabber Free\System\Scripts\off_open_sel.htm O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...FDBIDBBFEEHGIBI (file missing) O9 - Extra 'Tools' menuitem: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...FDBIDBBFEEHGIBI (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {410A8B3C-7CCB-40E8-8B11-28B099E5C488} (Trend Micro Security Services Control) - http://tmss.trendmicro.com/Dashboard/contr...TMSSReportW.CAB O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141750018809 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.livinghopechurch.tv/updates/files/lib/XUpload.ocx O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- End of file - 9525 bytes
  3. Great. For some reason, MBAM started running very fast and then got progressively slower as it ran. Here is the latest log file for MBAM. The deleted files were recognized by ComboFix as a rootkit. I'll reboot, uninstall ComboFix, and run MBAM & HJT again to see what happens. Evidently this went deeper than one type of malware. Malwarebytes' Anti-Malware 1.36 Database version: 2062 Windows 5.1.2600 Service Pack 3 5/1/2009 4:08:47 AM mbam-log-2009-05-01 (04-08-47).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 255744 Time elapsed: 4 hour(s), 23 minute(s), 27 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 6 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthjhuwrewvgntjndnnnrwyddtsgkhooxrj.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthwmhufavyqensaivkxkiuoxxndbegupha.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfstheedfyqlxcqhsobwirbjnhnejlukqdcgd.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{4EE39D5C-20E8-4595-A403-28C880F72F4E}\RP337\A0236417.sys (Trojan.TDSS) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{4EE39D5C-20E8-4595-A403-28C880F72F4E}\RP337\A0236419.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{4EE39D5C-20E8-4595-A403-28C880F72F4E}\RP337\A0236420.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
  4. Here's the combofix log. I'm re-running malwarebytes now to see what it turns up. If it finds anything, I'll post the new log. ComboFix 09-04-30.05 - Bryan 04/30/2009 23:23.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1616 [GMT -5:00] Running from: c:\documents and settings\Bryan\Desktop\ComboFix.exe AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) FW: Trend Micro Personal Firewall *disabled* . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\Bryan\Local Settings\Temporary Internet Files\fbk.sts c:\windows\icroso~1 c:\windows\system32\bimopupa.exe c:\windows\system32\drivers\ovfstheedfyqlxcqhsobwirbjnhnejlukqdcgd.sys c:\windows\system32\mnnmp.bak1 c:\windows\system32\mnnmp.bak2 c:\windows\system32\mnnmp.ini c:\windows\system32\ovfsthirtcbukpotuldaoqwubobquluygujyfx.dat c:\windows\system32\ovfsthjhuwrewvgntjndnnnrwyddtsgkhooxrj.dll c:\windows\system32\ovfsthlog.dat c:\windows\system32\ovfsthryofadmmpnhdsdubtcnleyioubbjdlxq.dll c:\windows\system32\ovfsthvynvlkjcycaadslwrkmsalvixvblffit.dat c:\windows\system32\ovfsthwmhufavyqensaivkxkiuoxxndbegupha.dll c:\windows\system32\wnscpcc.exe ----- BITS: Possible infected sites ----- hxxp://216.12.168.130 Infected copy of c:\windows\system32\userinit.exe was found and disinfected Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_ovfsthtrfdcshfwuevudamjtwfcdertulsngnb -------\Legacy_WSNPOEM.SYS ((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 ))))))))))))))))))))))))))))))) . 2009-04-29 22:36 . 2009-04-29 23:49 -------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer 2009-04-29 22:23 . 2009-04-29 22:23 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\MediaShout 2009-04-29 22:16 . 2009-04-29 22:16 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat 2009-04-29 22:16 . 2009-04-29 22:18 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory 2009-04-29 15:38 . 2009-04-29 15:38 -------- d-----w c:\program files\Safer Networking 2009-04-28 19:11 . 2009-04-28 19:11 -------- d-----w c:\documents and settings\Administrator\Application Data\Windows Search 2009-04-28 15:57 . 2009-04-28 15:57 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla 2009-04-28 15:51 . 2009-04-29 22:36 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer 2009-04-28 15:00 . 2009-04-28 15:00 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-04-28 13:26 . 2009-04-28 13:26 -------- d-----w c:\windows\system32\log 2009-04-28 03:20 . 2009-04-28 03:28 -------- d-----w c:\program files\WMV9_VCM 2009-04-28 01:55 . 2009-04-28 01:55 -------- d-----w c:\program files\iPod 2009-04-28 01:55 . 2009-04-28 01:56 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-04-28 01:55 . 2009-04-28 01:56 -------- d-----w c:\program files\iTunes 2009-04-28 01:53 . 2009-04-28 01:53 -------- d-----w c:\program files\Bonjour 2009-04-20 02:20 . 2009-04-20 02:20 -------- d-----w c:\program files\Common Files\DigitalJuice 2009-04-18 02:42 . 2009-04-18 02:42 -------- d-----w c:\documents and settings\LHK\Application Data\NeoDownloader 2009-04-15 14:51 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll 2009-04-15 14:51 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-04-15 14:51 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe 2009-04-15 14:51 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-04-15 14:51 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-15 14:51 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-15 14:51 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll 2009-04-15 14:51 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-04-15 14:51 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-04-15 14:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll 2009-04-15 14:50 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-29 22:23 . 2007-12-04 11:56 137496 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-29 20:39 . 2007-07-19 23:07 -------- d-----w c:\program files\Trend Micro 2009-04-29 01:18 . 2009-01-09 06:17 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-29 01:14 . 2006-03-12 02:55 -------- d-----w c:\program files\Spybot - Search & Destroy 2009-04-28 12:17 . 2008-08-09 05:26 192512 ----a-w c:\windows\system32\kdfvmgr.exe 2009-04-28 12:17 . 2008-08-09 05:26 726568 ----a-w c:\windows\system32\kdfmgr.exe 2009-04-28 01:55 . 2007-07-09 13:13 -------- d-----w c:\program files\Common Files\Apple 2009-04-20 17:50 . 2006-03-07 22:13 135336 ----a-w c:\documents and settings\Bryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-18 10:20 . 2007-03-26 22:03 -------- d-----w c:\program files\Recuva 2009-04-18 03:03 . 2007-10-17 13:10 135336 ----a-w c:\documents and settings\LHK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-17 18:51 . 2006-03-21 21:34 -------- d-----w c:\program files\CE 2009-04-06 20:32 . 2009-01-09 06:17 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-06 20:32 . 2009-01-09 06:17 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-03-25 16:20 . 2009-03-25 16:18 -------- d-----w c:\program files\SweetLight 2009-03-21 22:21 . 2009-03-21 22:18 -------- d-----w c:\program files\ShowXpress 2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys 2009-03-16 11:59 . 2006-03-07 13:19 1324 ----a-w c:\windows\system32\d3d9caps.dat 2009-03-08 12:48 . 2008-04-24 18:15 -------- d-----w c:\program files\Microsoft Silverlight 2009-03-06 14:22 . 2004-08-10 12:00 284160 ------w c:\windows\system32\pdh.dll 2009-03-03 00:18 . 2004-08-10 12:00 826368 ------w c:\windows\system32\wininet.dll 2009-02-20 18:09 . 2004-08-10 12:00 78336 ------w c:\windows\system32\ieencode.dll 2009-02-18 04:09 . 2009-02-18 04:09 16 ----a-w c:\windows\popcinfo.dat 2009-02-09 12:10 . 2004-08-10 12:00 729088 ------w c:\windows\system32\lsasrv.dll 2009-02-09 12:10 . 2004-08-10 12:00 714752 ------w c:\windows\system32\ntdll.dll 2009-02-09 12:10 . 2004-08-10 12:00 617472 ------w c:\windows\system32\advapi32.dll 2009-02-09 12:10 . 2004-08-10 12:00 401408 ------w c:\windows\system32\rpcss.dll 2009-02-09 11:13 . 2004-08-10 12:00 1846784 ------w c:\windows\system32\win32k.sys 2009-02-08 15:24 . 2009-02-08 15:22 123135 ----a-w c:\windows\HPHins12.dat 2009-02-08 00:02 . 2004-08-03 22:59 2066048 ------w c:\windows\system32\ntkrnlpa.exe 2009-02-06 11:11 . 2004-08-10 12:00 110592 ------w c:\windows\system32\services.exe 2009-02-06 11:08 . 2004-08-10 12:00 2189056 ------w c:\windows\system32\ntoskrnl.exe 2009-02-06 10:39 . 2004-08-10 12:00 35328 ------w c:\windows\system32\sc.exe 2009-02-03 19:59 . 2004-08-10 12:00 56832 ------w c:\windows\system32\secur32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808] "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2008-09-01 17:17 87352 ------w c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="" [HKLM\~\startupfolder\C:^Documents and Settings^Bryan^Start Menu^Programs^Startup^desktop.ini] path=c:\documents and settings\Bryan\Start Menu\Programs\Startup\desktop.ini backup=c:\windows\pss\desktop.iniStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "btwdins"=2 (0x2) "Adobe Version Cue CS2"=2 (0x2) "Adobe LM Service"=3 (0x3) "VETMSGNT"=2 (0x2) "iPodService"=3 (0x3) "CAISafe"=2 (0x2) "ACT! Scheduler"=2 (0x2) "Brother XP spl Service"=2 (0x2) "hpqwmi"=3 (0x3) "StarWindServiceAE"=2 (0x2) "ose"=3 (0x3) "iPod Service"=3 (0x3) "AcrSch2Svc"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "WLSetupSvc"=3 (0x3) "WinDefend"=2 (0x2) "PortReporter"=3 (0x3) "Apple Mobile Device"=2 (0x2) "winvnc"=2 (0x2) "Maxtor Sync Service"=2 (0x2) "LogMeIn"=2 (0x2) "LMIMaint"=2 (0x2) "hpqwmiex"=2 (0x2) "GameConsoleService"=3 (0x3) "dkab_device"=3 (0x3) "Bonjour Service"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "d:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"= "d:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"= "d:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"= "c:\\WINDOWS\\system32\\DKabcoms.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R0 Pvds59;Pvds59; [x] R2 LMIInfo;LogMeIn Kernel Information Provider; [x] R3 CyUsb;Ezusb;c:\windows\system32\Drivers\CyUsb.sys [2005-03-03 31104] R3 nuvaudio;NUVision Audio Service;c:\windows\system32\DRIVERS\nuvaudio.sys [2007-11-23 22848] R3 PEEK;PEEK Protocol Driver; [x] R3 rcvpn;SonicWALL VPN Adapter; [x] R3 WLAN(WLAN);XPC 802.11b/g Wireless Kit Driver(WLAN);c:\windows\system32\DRIVERS\zd1211u.sys [2005-08-16 278016] R4 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe [2006-10-21 508824] R4 LMIRfsClientNP;LMIRfsClientNP; [x] R4 PortReporter;Port Reporter;c:\program files\PortReporter\portreporter.exe [2004-03-30 90183] S0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\DRIVERS\snman380.sys [2009-01-12 134272] S0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\DRIVERS\tdrpm174.sys [2009-01-12 971552] S1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\gearaspisys.sys [2002-06-24 53412] S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640] S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856] S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2007-12-24 52240] S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-11-26 36368] S2 vnccom;vnccom;c:\windows\system32\Drivers\vnccom.SYS [2004-06-26 6016] S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-08-22 231424] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504] S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-02-16 333328] S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2009-04-14 488768] S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-02-16 648456] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d1195da-ada2-11da-9660-806d6172696f}] \Shell\AutoRun\command - e:\swsetup\APPINSTL\setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffbf6b20-d696-11dd-a48a-0014a528fcd2}] \Shell\AutoRun\command - F:\InstallTomTomHOME.exe . Contents of the 'Scheduled Tasks' folder 2009-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] 2009-05-01 c:\windows\Tasks\User_Feed_Synchronization-{A6D5A285-2278-4F19-B9F1-4856C559677D}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 00:36] . . ------- Supplementary Scan ------- . uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local IE: &Google Search IE: &Translate English Word IE: Add selected links to Link Container - c:\program files\PixGrabber Free\System\Scripts\off_collector_sel.htm IE: Backward Links IE: Cached Snapshot of Page IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Open all links in new windows - c:\program files\PixGrabber Free\System\Scripts\off_open_all.htm IE: Open selected link(s) in new windows - c:\program files\PixGrabber Free\System\Scripts\off_open_sel.htm IE: Open with Scansoft PDF Converter 3.0 IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Similar Pages IE: Translate Page into English IE: {{D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...FDBIDBBFEEHGIBI Trusted Zone: vfcc.edu\elearn FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\06qb3w9z.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.kidspastor.com/ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-30 23:34 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,b4,ed,a2,a2,42, 3a,4d,4e,e2,63,26,f1,3f,c8,ff,68,6a,4d,85,cf,97,b3,51,97,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,4b,e4,04,f5,e8, d6,f9,07,6a,9c,d6,61,af,45,84,18,e4,f0,03,f6,f1,1a,ea,e3,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,5e,24,cd,92,ff, aa,6d,41,ff,7c,85,e0,43,d4,0e,fe,29,47,2c,81,1a,8c,5e,fe,ff,7c,85,e0,43,d4,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,ab,46,32,47,63, fd,06,2f,86,8c,21,01,be,91,eb,e7,eb,20,ec,40,95,51,66,17,86,8c,21,01,be,91,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,2f,cd,d8,66,29, c8,b5,8f,f5,1d,4d,73,a8,13,5c,05,ad,d5,3b,ef,80,1f,0c,89,f5,1d,4d,73,a8,13,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,ed,25,38,4a,10, 8f,f3,1a,df,20,58,62,78,6b,cf,c8,21,8f,e4,79,72,bd,66,43,df,20,58,62,78,6b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,9a,98,92,41,3b, 7f,70,fb,fb,a7,78,e6,12,2f,9a,ea,3e,27,64,dc,19,52,99,10,fb,a7,78,e6,12,2f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,f1,9e,d3,eb,25, a0,c0,b6,01,3a,48,fc,e8,04,4a,f1,29,ce,c4,f9,35,7b,a0,f1,01,3a,48,fc,e8,04,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,b8,0e,9d,92,17, 5e,46,20,f6,0f,4e,58,98,5b,89,c9,61,dd,d5,12,b1,3c,80,b4,f6,0f,4e,58,98,5b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,4c,59,5b,2d,7a, dc,c4,f1,3d,ce,ea,26,2d,45,aa,78,f7,0b,72,06,b3,f6,d5,8e,3d,ce,ea,26,2d,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,63,cd,ec,48,b7, 2c,26,c3,2a,b7,cc,b5,b9,7f,41,e7,c5,7b,18,dc,4b,64,70,73,2a,b7,cc,b5,b9,7f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,3a,d9,04,12,36, d0,77,99,6c,43,2d,1e,aa,22,2f,9c,72,8e,6f,e1,b5,9a,7d,86,6c,43,2d,1e,aa,22,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1548) c:\windows\system32\Ati2evxx.dll c:\windows\system32\LMIinit.dll - - - - - - - > 'explorer.exe'(1108) c:\program files\Windows Desktop Search\deskbar.dll c:\program files\Windows Desktop Search\en-us\dbres.dll.mui c:\program files\Windows Desktop Search\dbres.dll c:\program files\Windows Desktop Search\wordwheel.dll c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui c:\program files\Windows Desktop Search\msnlExtRes.dll c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FileLock.dll c:\windows\system32\msi.dll c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FileLockUI.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1801_x-ww_5eed8217\MSVCR80.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\LMIRfsClientNP.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe c:\windows\system32\MsPMSPSv.exe c:\windows\system32\searchindexer.exe c:\windows\ehome\mcrdsvc.exe c:\windows\system32\dllhost.exe c:\windows\system32\msiexec.exe c:\windows\system32\ati2evxx.exe c:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe c:\program files\Trend Micro\TrendSecure\TSCFCmdrLauncher.exe c:\program files\Trend Micro\Internet Security\SfCtlCom.exe c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe c:\program files\Trend Micro\BM\TMBMSRV.exe c:\windows\system32\searchprotocolhost.exe c:\windows\system32\searchfilterhost.exe . ************************************************************************** . Completion time: 2009-05-01 23:42 - machine was rebooted ComboFix-quarantined-files.txt 2009-05-01 04:42 Pre-Run: 3,796,647,936 bytes free Post-Run: 3,767,169,024 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect 368 --- E O F --- 2009-05-01 04:34
  5. I've removed these several times and they keep coming back. Malwarebytes' Anti-Malware 1.36 Database version: 2061 Windows 5.1.2600 Service Pack 3 4/30/2009 11:05:31 AM mbam-log-2009-04-30 (11-05-31).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 367940 Time elapsed: 1 hour(s), 26 minute(s), 8 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 0 Registry Values Infected: 3 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 10 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot. Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Bryan\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully. C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot. C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:49:13 PM, on 4/30/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\Internet Security\TmProxy.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Trend Micro\BM\TMBMSRV.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\Internet Security\TMAS_OL\TMAS_OL.exe C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\WINDOWS\system32\SearchProtocolHost.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user') O8 - Extra context menu item: Add selected links to Link Container - C:\Program Files\PixGrabber Free\System\Scripts\off_collector_sel.htm O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open all links in new windows - C:\Program Files\PixGrabber Free\System\Scripts\off_open_all.htm O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\PixGrabber Free\System\Scripts\off_open_sel.htm O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...FDBIDBBFEEHGIBI (file missing) O9 - Extra 'Tools' menuitem: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...FDBIDBBFEEHGIBI (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {410A8B3C-7CCB-40E8-8B11-28B099E5C488} (Trend Micro Security Services Control) - http://tmss.trendmicro.com/Dashboard/contr...TMSSReportW.CAB O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141750018809 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.livinghopechurch.tv/updates/files/lib/XUpload.ocx O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- End of file - 10520 bytes The HIJACKTHIS was run after the reboot called for by MBAM.
  6. A couple of other symptoms include: SystemRestore only sits there after selecting a restore point and clicking Next; I get an Access Denied error when trying to apply or save changes from MSCONFIG; I have lost the ability to set JPG files as the desktop background; I cannot run regedit or task manager under the originally infected user but can under the administrator login (both users are admins on the local machine). I have checked local policies and don't see anything that would cause this. With over 15 years in Windows OS support and IT admin, I'm comfortable with editing the registry and have deleted several instances of the autochk.dll as well as others. I have yet to find the specific key or file that is causing the files to be recreated. I believe this virus is creating new keys/files on each shutdown that are not identified by MBAM or the other programs. I have run the three programs in Safe Mode as well and still experience the same problem. This one is kicking my tail and I'd appreciate any help I can get.
  7. I've cleaned this several times with MBAM, Trend Micro AV, and Spybot, but it keeps coming back every time I reboot. Here are my log files: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:40:09 PM, on 4/29/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\Internet Security\TmProxy.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Trend Micro\BM\TMBMSRV.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe \?\globalroot\C:\WINDOWS\system32\rundll32.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Bryan\protect.dll,_IWMPEvents@16 O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM') O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user') O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user') O4 - Startup: ChkDisk.dll O4 - Startup: ChkDisk.lnk = ? O8 - Extra context menu item: Add selected links to Link Container - C:\Program Files\PixGrabber Free\System\Scripts\off_collector_sel.htm O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open all links in new windows - C:\Program Files\PixGrabber Free\System\Scripts\off_open_all.htm O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\PixGrabber Free\System\Scripts\off_open_sel.htm O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...FDBIDBBFEEHGIBI (file missing) O9 - Extra 'Tools' menuitem: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...FDBIDBBFEEHGIBI (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {410A8B3C-7CCB-40E8-8B11-28B099E5C488} (Trend Micro Security Services Control) - http://tmss.trendmicro.com/Dashboard/contr...TMSSReportW.CAB O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141750018809 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.livinghopechurch.tv/updates/files/lib/XUpload.ocx O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- End of file - 10903 bytes Malwarebytes' Anti-Malware 1.36 Database version: 2058 Windows 5.1.2600 Service Pack 3 4/29/2009 3:46:24 PM mbam-log-2009-04-29 (15-46-24).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 367410 Time elapsed: 1 hour(s), 49 minute(s), 58 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 0 Registry Values Infected: 3 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 9 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot. Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Bryan\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully. C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot. C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.