Jump to content

mfc90125

Members
 View Profile  See their activity

  • Posts

    9

  • Joined

  • Last visited

Reputation

0 Neutral
  1. mfc90125
    Good information in your blog - never thought about not running two real-time protection programs at the same time. I still have real-time on Defender turned off, but it looks like I'm running real-time on the new Ad-aware Free Anniversary edition. Do you have a preference as to which one to run? Funny thing happened once I cleaned everything up - I had MWB run a quick scan just for fun and I picked up two more trojans! MWB cleaned them right up, but it looks like I might still have something in here. Is Avast!, Spybot, Defender, and Ad-aware going to be enough, given I picked up two more Trojans? Again, the blog looks great - thanks for everything.
  2. mfc90125
    Things are running a lot better now - removed a couple of items I found in HijackThis which seems to have cleared things, but I haven't reconnected to the web except to upload the log items. Going forward, it looks like I need to re-evaluate how I compute and download on the web. I had thought about the following and wanted to get your opinion: - As a teacher, I'm downloading PDF's from the web all the time - I think I might have found a video file that was the culprit this time. I still need to be able to download files, so I'm thinking of buying a netbook just for this purpose, then running each downloaded file through every spyware checker I have. Then, and only then, would I transfer it to other computers. The netbook would do nothing but download files and surf the Internet. - This virus affected my desktop, which contains all my music and video files. Obviously, I need to do something else to protect these. Any thoughts on this plan? Thanks again, Matt
  3. mfc90125
    Ok, here's the info you requested - MALWARE BYTES LOG: Malwarebytes' Anti-Malware 1.41 Database version: 2866 Windows 5.1.2600 Service Pack 3 (Safe Mode) 9/30/2009 9:37:31 PM mbam-log-2009-09-30 (21-37-31).txt Scan type: Quick Scan Objects scanned: 94071 Time elapsed: 1 minute(s), 27 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) And now the other - HIJACK THIS LOG: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:38:00 PM, on 9/30/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [windows defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [turtle beach riviera] "C:\Program Files\Turtle Beach\Riviera\TBRivieraTray.exe" O4 - HKLM\..\Run: [logmein gui] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ghoststarttrayapp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [d-link airplus xtreme g] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [bcmsmmsg] BCMSMMSG.exe O4 - HKLM\..\Run: [att-sst_mccitrayapp] "C:\Program Files\ATT-SST\McciTrayApp.exe" O4 - HKLM\..\Run: [aniwzcsservice] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe O4 - HKLM\..\Run: [acrobat assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user') O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1242549768078 O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 8591 bytes Matt
  4. mfc90125
    Also, was able to shut down Defender as you asked.
  5. mfc90125
    First, the good news: Was able to delete the two items from HijackThis - did that in safe mode because of the bad news The Bad News: I cannot start MalwareBytes or HijackThis any longer in normal mode - now, I am instantly taken to a new program that I've never seen before called Total Security. In addition, my desktop image has been taken over by a red-lettered "WARNING! YOUR'RE IN DANGER (misspelled as well!)" sign pasted across the desktop with a bunch of garbage about emploring me to "protect your boss, your wife, your children" below it. In addition, the Task Manager has been disabled. I have the Internet totally disconnected from the machine so it looks like we're going to have to try something else. Any suggestions? PS - How can I know when you've posted a response? Usually, I have to search for my posting each time I want back in. Also, leaving the computer on is not an option :-) Thanks.
  6. mfc90125
    Ok, here are the files you requested - first is the HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:13:41 PM, on 9/27/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: (no name) - {30911cdf-e3df-4e9f-ab28-8ab999507fbe} - tazabufa.dll (file missing) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [windows defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [turtle beach riviera] "C:\Program Files\Turtle Beach\Riviera\TBRivieraTray.exe" O4 - HKLM\..\Run: [logmein gui] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ghoststarttrayapp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [d-link airplus xtreme g] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [bcmsmmsg] BCMSMMSG.exe O4 - HKLM\..\Run: [att-sst_mccitrayapp] "C:\Program Files\ATT-SST\McciTrayApp.exe" O4 - HKLM\..\Run: [aniwzcsservice] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe O4 - HKLM\..\Run: [acrobat assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user') O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201 O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204 O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203 O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1242549768078 O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O20 - AppInit_DLLs: rotesiye.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 9297 bytes And here's the MalwareBytes log: Malwarebytes' Anti-Malware 1.41 Database version: 2866 Windows 5.1.2600 Service Pack 3 (Safe Mode) 9/27/2009 6:08:24 PM mbam-log-2009-09-27 (18-08-24).txt Scan type: Quick Scan Objects scanned: 94083 Time elapsed: 1 minute(s), 18 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 3 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosomonowe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Login Software 2009 (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yjafosi8kdf98winmdkmnkmfnwe (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Schwagmatic!!\Application Data\seres.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Schwagmatic!!\Application Data\svcst.exe (Trojan.Agent) -> Quarantined and deleted successfully. Thanks for your help with this!
  7. mfc90125
    Per the request of this site, I am resubmitting my log files. After running Hijack, I was presented a sscreen with more than 20 different items that Hijack either didn't seem to recognize or thought were infected files. Some of them were Internet start up page settings, others were HKLM commands. Either way none of the files were checked, so I did not delete anything from that screen. In short, MWB's deletions are not surviving the log off process, and the issues reappear. Also, none of my System Restore logs from the previous month survived, so I cannot restore back to a previous version. I am providing information taken from the Administrator user, with the Internet disabled. I am not using my normal admin login, but the overall Administrator login accessed from CTRL-ALT-DEL. In addition, the trojans keep shutting of my Avast and disabling Regedit and Restore on other user accounts. I am running XP SP3. HIJACK THIS LOG FILE: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:56:53 PM, on 9/26/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Turtle Beach\Riviera\TBRivieraTray.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe C:\WINDOWS\Mixer.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\ATT-SST\McciTrayApp.exe C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: (no name) - {30911cdf-e3df-4e9f-ab28-8ab999507fbe} - tazabufa.dll (file missing) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [windows defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [turtle beach riviera] "C:\Program Files\Turtle Beach\Riviera\TBRivieraTray.exe" O4 - HKLM\..\Run: [logmein gui] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ghoststarttrayapp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [d-link airplus xtreme g] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [bcmsmmsg] BCMSMMSG.exe O4 - HKLM\..\Run: [att-sst_mccitrayapp] "C:\Program Files\ATT-SST\McciTrayApp.exe" O4 - HKLM\..\Run: [aniwzcsservice] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe O4 - HKLM\..\Run: [acrobat assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user') O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1242549768078 O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O20 - AppInit_DLLs: rotesiye.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 7857 bytes MALWAREBYTES LOG FILE Malwarebytes' Anti-Malware 1.41 Database version: 2775 Windows 5.1.2600 Service Pack 3 9/26/2009 10:16:35 PM mbam-log-2009-09-26 (22-16-35).txt Scan type: Quick Scan Objects scanned: 109702 Time elapsed: 3 minute(s), 38 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\mlhlsvq.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\ucon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
  8. mfc90125
    I have uploaded the following COMBOFIX log for my problem - hope someone can help: ComboFix 09-09-25.01 - Administrator 09/26/2009 15:41.1.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.725 [GMT -7:00] Running from: c:\documents and settings\Administrator.SCHWAGMATIC.000\Desktop\ComboFix.exe AV: avast! antivirus 4.8.1335 [VPS 090926-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\aoqwlrag.exe c:\documents and settings\Schwagmatic!!\Application Data\inst.exe C:\eopmjm.exe C:\hxlqib.exe C:\pkusq.exe c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811 c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1858 c:\recycler\S-1-5-21-7419029203-5441445521-653482661-8539 c:\recycler\S-1-5-21-7819628463-4113481920-274928346-1124 c:\windows\system32\a5nhlsvlwo.dll c:\windows\system32\Data c:\windows\system32\drivers\fad.sys c:\windows\system32\drivers\gasfkypgokaadr.sys c:\windows\system32\gasfkyftxaqijw.dll c:\windows\system32\gasfkynilaxrkl.dat c:\windows\system32\gasfkyoaxjmkdn.dat c:\windows\system32\gasfkypinmxtko.dll c:\windows\system32\lebiluro.dll c:\windows\system32\rotesiye.dll c:\windows\system32\wbem\proquota.exe C:\yhjj.exe c:\windows\system32\proquota.exe was missing Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_gasfkydpqeiemx -------\Legacy_gasfkydpqeiemx ((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 ))))))))))))))))))))))))))))))) . 2009-09-26 19:53 . 2009-09-26 19:53 -------- d-----w- c:\documents and settings\Administrator.SCHWAGMATIC.000\Application Data\Malwarebytes 2009-09-26 19:35 . 2009-09-26 19:35 -------- d-sh--w- c:\documents and settings\Administrator.SCHWAGMATIC.000\PrivacIE 2009-09-26 18:36 . 2009-09-26 18:36 -------- d-----w- c:\documents and settings\Administrator.SCHWAGMATIC.000\Local Settings\Application Data\Adobe 2009-09-26 18:36 . 2009-09-26 18:36 -------- d-----w- c:\documents and settings\Administrator.SCHWAGMATIC.000\Local Settings\Application Data\Apple Computer 2009-09-26 18:36 . 2009-09-26 18:36 -------- d-----w- c:\documents and settings\Administrator.SCHWAGMATIC.000\Local Settings\Application Data\LogMeIn 2009-09-26 17:42 . 2009-09-26 17:42 -------- d--h--w- c:\windows\system32\GroupPolicy 2009-09-26 16:35 . 2009-09-26 16:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-09-26 16:31 . 2009-09-26 16:31 48640 ----a-w- C:\ucon.exe 2009-09-26 16:31 . 2009-09-26 16:31 103936 ----a-w- C:\wuoti.exe 2009-09-26 16:31 . 2009-09-26 16:31 49152 ----a-w- C:\hiugurwb.exe 2009-09-26 16:28 . 2009-09-26 16:28 48640 ----a-w- C:\mlhlsvq.exe 2009-09-24 02:37 . 2009-09-24 02:37 -------- d-----w- c:\program files\iPod 2009-09-24 02:37 . 2009-09-24 02:38 -------- d-----w- c:\program files\iTunes 2009-09-19 22:33 . 2009-09-26 22:17 -------- d-----w- c:\documents and settings\Schwagmatic!!\Application Data\vlc 2009-09-10 03:36 . 2009-09-10 03:36 -------- d-----w- c:\program files\iPhone Configuration Utility 2009-09-10 03:33 . 2009-09-10 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-09-10 03:30 . 2009-09-10 03:31 -------- d-----w- c:\program files\QuickTime 2009-09-09 04:40 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll 2009-09-09 01:34 . 2009-09-09 01:34 -------- d-sh--w- c:\documents and settings\Schwagmatic!!\IECompatCache 2009-09-09 00:49 . 2009-09-09 00:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-26 22:09 . 2009-05-17 08:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-26 18:36 . 2007-08-16 03:29 -------- d-----w- c:\program files\Microsoft ActiveSync 2009-09-26 17:25 . 2009-09-26 17:25 76688 ----a-w- c:\documents and settings\Administrator.SCHWAGMATIC.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-09-26 16:28 . 2009-09-26 16:28 265216 ----a-w- c:\documents and settings\Schwagmatic!!\Application Data\svcst.exe 2009-09-26 16:28 . 2009-09-26 16:28 265216 ----a-w- c:\documents and settings\Schwagmatic!!\Application Data\seres.exe 2009-09-26 15:22 . 2009-05-19 06:36 -------- d-----w- c:\program files\LogMeIn 2009-09-24 02:37 . 2009-05-17 17:33 -------- d-----w- c:\program files\Common Files\Apple 2009-09-22 11:57 . 2009-08-10 22:45 -------- d-----w- c:\documents and settings\Schwagmatic!!\Application Data\Orbit 2009-09-21 03:29 . 2009-07-26 14:34 -------- d-----w- c:\program files\Java 2009-09-20 17:03 . 2009-08-14 18:00 -------- d-----w- c:\program files\Soulseek 2009-09-19 22:27 . 2009-06-15 19:32 -------- d-----w- c:\program files\VLC 2009-09-10 21:54 . 2009-05-17 08:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 21:53 . 2009-05-17 08:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-10 04:26 . 2007-08-21 05:05 -------- d-----w- c:\documents and settings\Schwagmatic!!\Application Data\Apple Computer 2009-09-07 18:10 . 2009-05-19 06:37 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2009-09-07 18:10 . 2009-05-19 06:37 28984 ----a-w- c:\windows\system32\LMIport.dll 2009-09-07 18:10 . 2009-05-19 06:37 87352 ----a-w- c:\windows\system32\LMIinit.dll 2009-09-07 18:10 . 2008-10-17 03:35 11552 ----a-w- c:\windows\system32\lmimirr2.dll 2009-09-07 18:10 . 2008-10-17 03:35 25248 ----a-w- c:\windows\system32\lmimirr.dll 2009-09-06 04:52 . 2009-07-09 01:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2009-09-05 17:26 . 2007-08-15 18:49 76688 ----a-w- c:\documents and settings\Schwagmatic!!\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-29 02:42 . 2009-05-17 17:34 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-08-29 02:42 . 2009-05-17 17:34 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-08-18 05:33 . 2009-05-24 05:47 -------- d-----w- c:\program files\ATT-SST 2009-08-17 23:15 . 2007-08-16 02:20 -------- d-----w- c:\documents and settings\Schwagmatic!!\Application Data\U3 2009-08-16 16:31 . 2009-08-16 16:31 717296 ----a-w- c:\windows\system32\drivers\sptd.sys 2009-08-16 16:31 . 2009-08-16 16:31 -------- d-----w- c:\program files\LSoft Technologies 2009-08-16 16:31 . 2007-08-15 20:53 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-08-14 22:09 . 2009-08-09 00:07 -------- d-----w- c:\documents and settings\Schwagmatic!!\Application Data\WinFF 2009-08-14 15:01 . 2009-08-10 22:45 -------- d-----w- c:\program files\Orbitdownloader 2009-08-10 23:25 . 2009-08-10 23:25 -------- d-----w- c:\documents and settings\Schwagmatic!!\Application Data\GrabPro 2009-08-10 14:58 . 2009-08-09 07:47 -------- d-----w- c:\program files\MediaInfo 2009-08-09 06:36 . 2009-08-09 06:36 -------- d-----w- c:\documents and settings\Schwagmatic!!\Application Data\DivX 2009-08-09 06:35 . 2009-08-09 06:35 -------- d-----w- c:\program files\DivX 2009-08-09 06:35 . 2009-08-09 06:35 -------- d-----w- c:\program files\Common Files\DivX Shared 2009-08-09 00:07 . 2009-08-09 00:07 -------- d-----w- c:\program files\WinFF 2009-08-08 22:49 . 2009-08-08 22:49 -------- d-----w- c:\program files\DownloadToolz 2009-08-05 09:01 . 2001-08-23 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-29 21:25 . 2009-07-29 21:21 -------- d-----w- c:\program files\DSWIN 2009-07-29 21:21 . 2009-07-29 21:21 -------- d-----w- c:\program files\lang 2009-07-29 21:21 . 2009-07-29 21:21 -------- d-----w- c:\program files\docs 2009-07-29 20:52 . 2009-06-15 21:51 -------- d-----w- c:\documents and settings\Schwagmatic!!\Application Data\dvdcss 2009-07-25 12:23 . 2009-07-26 14:34 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-14 06:43 . 2007-08-15 18:43 286208 ------w- c:\windows\system32\wmpdxm.dll 2009-07-12 01:27 . 2009-06-02 05:21 47360 ----a-w- c:\documents and settings\Schwagmatic!!\Application Data\pcouffin.sys 2009-07-05 20:36 . 2007-08-15 19:29 4212 ---ha-w- c:\windows\system32\zllictbl.dat 2009-07-03 17:09 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-06-26 16:28 . 2009-06-26 16:28 49152 --sha-w- c:\windows\system32\tazabufa.dll . ------- Sigcheck ------- [7] 2001-08-23 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys c:\windows\system32\drivers\beep.sys ... is missing !! . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30911cdf-e3df-4e9f-ab28-8ab999507fbe}] 2009-06-26 16:28 49152 --sha-w- c:\windows\system32\tazabufa.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000] "windows defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584] "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688] "turtle beach riviera"="c:\program files\Turtle Beach\Riviera\TBRivieraTray.exe" [2007-09-06 1613824] "logmein gui"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048] "ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440] "ghoststarttrayapp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 94208] "d-link airplus xtreme g"="c:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-09-20 2498560] "att-sst_mccitrayapp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856] "aniwzcsservice"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 32768] "acrobat assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560] "C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-16 1818624] "bcmsmmsg"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-8-15 25214] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-09-07 18:10 87352 ----a-w- c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"= "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"= "c:\\Program Files\\Soulseek\\slsk.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe"= "c:\\Program Files\\Common Files\\Motive\\McciCMService.exe"= "c:\\Program Files\\LogMeIn\\x86\\LMIGuardian.exe"= "c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"= "c:\\Program Files\\Windows Defender\\MSASCui.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/16/2009 11:17 PM 114768] R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 3:41 PM 5632] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/16/2009 11:17 PM 20560] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [5/18/2009 11:37 PM 47640] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592] S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [9/9/2003 12:12 PM 547744] S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\MTK.SYS [5/21/2009 9:07 PM 14472] S4 LMIRfsClientNP;LMIRfsClientNP; [x] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] 2009-09-26 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-20 15:14] 2009-09-26 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20] 2009-09-26 c:\windows\Tasks\User_Feed_Synchronization-{88D5A295-EA5F-44F9-BA95-21A7D7E6270F}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31] . - - - - ORPHANS REMOVED - - - - BHO-{a249bc15-23f2-42ad-f4e4-00aac39c0004} - (no file) HKLM-Run-wosomonowe - lebiluro.dll SharedTaskScheduler-ThreadingModel - (no file) MSConfigStartUp-CTFMON - (no file) ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-26 15:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(676) c:\windows\system32\LMIinit.dll - - - - - - - > 'explorer.exe'(3144) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\LogMeIn\x86\ramaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\Common Files\Motive\McciCMService.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\nvsvc32.exe c:\windows\system32\wscntfy.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe c:\program files\Adobe\Acrobat 7.0\Distillr\acrodist.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2009-09-26 15:50 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-26 22:50 Pre-Run: 90,926,940,160 bytes free Post-Run: 91,261,325,312 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn 258 --- E O F --- 2009-09-25 00:03
  9. mfc90125
    All, have a nasty set of Trojan viruses on my desktop that I cannot remove. I am running XP SP3 with MalwareBytes Free 1.38 and got infected with the following items: - Backdoor.Bot - Malware.Trace - Hijack.Regedit - Hijack.FolderOptions The problem comes when I try to remove the selected files. I receive an alert that the files have been removed and that I need to restart the system to complete the process. However, doing so does not result in the files being removed. Each time I run MWB I get the same result and requests for action. Your board requires us to download something called COMBOFIX and I was wondering that was safe to do so. Also, does COMBOFIX allow me to fix this problem? I am also looged on with full administrator rights but changing to the real admin (CTRL-ALT-DEL twice to gain that access) results in the same problem. Any advice or suggestions would be appreciated. Thanks, Matt mbam_log_2009_09_26__14_32_40_.txt
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.