
Heavus

Honorary Members, 93 posts
Everything posted by Heavus

  1. Hello, this new schedule is different from the "Automatic" feature of previous versions. I am finding that current users of MBAM who purchased this at my direction are finding their computers unprotected, due to the fact that the automatic updates/scanning are not happening. Does every install need to be touched and updated to allow for "Automatic Updates"? Please advise.
  2. I can help you if needed. I am a Malwarebytes Affiliate. Send me an email; I will respond within 10 mins. Thanks, Mark mark@markheavey.com
  3. Ran a virus scan afterward. Here are the three files found:

     C:\Documents and Settings\Maureen\DoctorWeb\Quarantine\A0071911.exe
       [DETECTION] Is the TR/Dldr.TSUpdate.P Trojan
     C:\Documents and Settings\Maureen\DoctorWeb\Quarantine\A0071912.exe
       [DETECTION] Is the TR/Dldr.TSUpdate.F Trojan
     C:\Documents and Settings\Maureen\DoctorWeb\Quarantine\A0071913.dll
       [DETECTION] Contains recognition pattern of the ADSPY/Maxim adware or spyware

     FULL FILE BELOW

     Avira AntiVir Personal
     Report file date: 2009-04-04 09:50

     Scanning for 1339172 virus strains and unwanted programs.

     Licensee        : Avira AntiVir Personal - FREE Antivirus
     Serial number   : 0000149996-ADJIE-0000001
     Platform        : Windows XP
     Windows version : (Service Pack 3) [5.1.2600]
     Boot mode       : Normally booted
     Username        : SYSTEM
     Computer name   : MAUREEN

     Version information:
     BUILD.DAT    : 9.0.0.387  17962 Bytes    2009-03-24 11:04:00
     AVSCAN.EXE   : 9.0.3.3    464641 Bytes   2009-02-24 19:13:26
     AVSCAN.DLL   : 9.0.3.0    40705 Bytes    2009-02-27 17:58:24
     LUKE.DLL     : 9.0.3.2    209665 Bytes   2009-02-20 18:35:49
     LUKERES.DLL  : 9.0.2.0    12033 Bytes    2009-02-27 17:58:52
     ANTIVIR0.VDF : 7.1.0.0    15603712 Bytes 2008-10-27 19:30:36
     ANTIVIR1.VDF : 7.1.2.12   3336192 Bytes  2009-02-11 03:33:26
     ANTIVIR2.VDF : 7.1.3.0    1330176 Bytes  2009-04-01 16:03:09
     ANTIVIR3.VDF : 7.1.3.13   57344 Bytes    2009-04-03 16:03:09
     Engineversion : 8.2.0.138
     AEVDF.DLL    : 8.1.1.0    106868 Bytes   2009-01-28 00:36:42
     AESCRIPT.DLL : 8.1.1.73   373114 Bytes   2009-04-04 16:03:15
     AESCN.DLL    : 8.1.1.10   127348 Bytes   2009-04-04 16:03:15
     AERDL.DLL    : 8.1.1.3    438645 Bytes   2008-10-30 01:24:41
     AEPACK.DLL   : 8.1.3.12   397687 Bytes   2009-04-04 16:03:14
     AEOFFICE.DLL : 8.1.0.36   196987 Bytes   2009-02-27 03:01:56
     AEHEUR.DLL   : 8.1.0.114  1700214 Bytes  2009-04-04 16:03:13
     AEHELP.DLL   : 8.1.2.2    119158 Bytes   2009-02-27 03:01:56
     AEGEN.DLL    : 8.1.1.33   340340 Bytes   2009-04-04 16:03:11
     AEEMU.DLL    : 8.1.0.9    393588 Bytes   2008-10-09 21:32:40
     AECORE.DLL   : 8.1.6.7    176502 Bytes   2009-04-04 16:03:10
     AEBB.DLL     : 8.1.0.3    53618 Bytes    2008-10-09 21:32:40
     AVWINLL.DLL  : 9.0.0.3    18177 Bytes    2008-12-12 15:47:59
     AVPREF.DLL   : 9.0.0.1    43777 Bytes    2008-12-05 17:32:15
     AVREP.DLL    : 8.0.0.3    155905 Bytes   2009-01-20 21:34:28
     AVREG.DLL    : 9.0.0.0    36609 Bytes    2008-12-05 17:32:09
     AVARKT.DLL   : 9.0.0.1    292609 Bytes   2009-02-09 14:52:24
     AVEVTLOG.DLL : 9.0.0.7    167169 Bytes   2009-01-30 17:37:08
     SQLITE3.DLL  : 3.6.1.0    326401 Bytes   2009-01-28 22:03:49
     SMTPLIB.DLL  : 9.2.0.25   28417 Bytes    2009-02-02 15:21:33
     NETNT.DLL    : 9.0.0.0    11521 Bytes    2008-12-05 17:32:10
     RCIMAGE.DLL  : 9.0.0.21   2438401 Bytes  2009-02-09 18:45:45
     RCTEXT.DLL   : 9.0.35.0   87297 Bytes    2009-03-11 22:55:12

     Configuration settings for the scan:
     Jobname.............................: Complete system scan
     Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
     Logging.............................: low
     Primary action......................: interactive
     Secondary action....................: ignore
     Scan master boot sector.............: on
     Scan boot sector....................: on
     Boot sectors........................: C:,
     Process scan........................: on
     Scan registry.......................: on
     Search for rootkits.................: on
     Integrity checking of system files..: off
     Scan all files......................: All files
     Scan archives.......................: on
     Recursion depth.....................: 20
     Smart extensions....................: on
     Macro heuristic.....................: on
     File heuristic......................: medium

     Start of the scan: 2009-04-04 09:50

     Starting search for hidden objects.
     '47507' objects were checked, '0' hidden objects were found.

     The scan of running processes will be started
     Scan process 'avscan.exe' - '1' Module(s) have been scanned
     Scan process 'avcenter.exe' - '1' Module(s) have been scanned
     Scan process 'iexplore.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'devldr32.exe' - '1' Module(s) have been scanned
     Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
     Scan process 'avgnt.exe' - '1' Module(s) have been scanned
     Scan process 'LOGI_MWX.EXE' - '1' Module(s) have been scanned
     Scan process 'explorer.exe' - '1' Module(s) have been scanned
     Scan process 'alg.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'avguard.exe' - '1' Module(s) have been scanned
     Scan process 'sched.exe' - '1' Module(s) have been scanned
     Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'lsass.exe' - '1' Module(s) have been scanned
     Scan process 'services.exe' - '1' Module(s) have been scanned
     Scan process 'winlogon.exe' - '1' Module(s) have been scanned
     Scan process 'csrss.exe' - '1' Module(s) have been scanned
     Scan process 'smss.exe' - '1' Module(s) have been scanned
     25 processes with 25 modules were scanned

     Starting master boot sector scan:
     Start scanning boot sectors:
     Starting to scan executable files (registry).
     The registry was scanned ( '58' files ).

     Starting the file scan:

     Begin scan in 'C:\'
     C:\pagefile.sys
       [WARNING] The file could not be opened!
       [NOTE] This file is a Windows system file.
       [NOTE] This file cannot be opened for scanning.
     C:\Documents and Settings\Maureen\DoctorWeb\Quarantine\A0071911.exe
       [DETECTION] Is the TR/Dldr.TSUpdate.P Trojan
     C:\Documents and Settings\Maureen\DoctorWeb\Quarantine\A0071912.exe
       [DETECTION] Is the TR/Dldr.TSUpdate.F Trojan
     C:\Documents and Settings\Maureen\DoctorWeb\Quarantine\A0071913.dll
       [DETECTION] Contains recognition pattern of the ADSPY/Maxim adware or spyware

     Beginning disinfection:
     C:\Documents and Settings\Maureen\DoctorWeb\Quarantine\A0071911.exe
       [DETECTION] Is the TR/Dldr.TSUpdate.P Trojan
       [NOTE] The file was moved to '4a07b0b5.qua'!
     C:\Documents and Settings\Maureen\DoctorWeb\Quarantine\A0071912.exe
       [DETECTION] Is the TR/Dldr.TSUpdate.F Trojan
       [NOTE] The file was moved to '4b6e9bfe.qua'!
     C:\Documents and Settings\Maureen\DoctorWeb\Quarantine\A0071913.dll
       [DETECTION] Contains recognition pattern of the ADSPY/Maxim adware or spyware
       [NOTE] The file was moved to '4b61a346.qua'!

     End of the scan: 2009-04-04 12:09
     Used time: 56:23 Minute(s)

     The scan has been done completely.

     5016 Scanned directories
     252225 Files were scanned
     3 Viruses and/or unwanted programs were found
     0 Files were classified as suspicious
     0 files were deleted
     0 Viruses and unwanted programs were repaired
     3 Files were moved to quarantine
     0 Files were renamed
     1 Files cannot be scanned
     252221 Files not concerned
     6543 Archives were scanned
     1 Warnings
     4 Notes
     47507 Objects were scanned with rootkit scan
     0 Hidden objects were found
  4. Advanced, here is the latest MBAM and HijackThis after the suggested activities. Thanks.

     Malwarebytes' Anti-Malware 1.35
     Database version: 1939
     Windows 5.1.2600 Service Pack 3

     4/4/2009 8:20:12 AM
     mbam-log-2009-04-04 (08-20-12).txt

     Scan type: Quick Scan
     Objects scanned: 75789
     Time elapsed: 7 minute(s), 32 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)

     HIJACK

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 9:00:06 AM, on 4/4/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16791)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Windows Defender\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir Desktop\sched.exe
     C:\Program Files\Avira\AntiVir Desktop\avguard.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\Logi_MwX.Exe
     C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\system32\devldr32.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Internet Explorer\IEXPLORE.EXE
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
     O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
     O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
     O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
     O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
     O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
     O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
     O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
     O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
     O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
     O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
     O17 - HKLM\System\CCS\Services\Tcpip\..\{F25F7A54-E240-4A6D-9FEB-E40FB042199A}: NameServer = 192.168.1.100
     O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
     O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

     --
     End of file - 4448 bytes
  5. Malwarebytes' Anti-Malware 1.35
     Database version: 1939
     Windows 5.1.2600 Service Pack 3

     4/4/2009 7:37:49 AM
     mbam-log-2009-04-04 (07-37-49).txt

     Scan type: Quick Scan
     Objects scanned: 75699
     Time elapsed: 6 minute(s), 35 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  6. Advanced, sorry to take so long getting back on this. It just finished; it was paused waiting for my input.

     ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Administrator.C600636-A\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
     ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator.C600636-A\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
     data002;C:\Documents and Settings\Administrator.C600636-A\Desktop;Archive contains infected objects;;
     ComboFix.exe;C:\Documents and Settings\Administrator.C600636-A\Desktop;Container contains infected objects;Moved.;
     ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Maureen\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
     ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Maureen\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
     data002;C:\Documents and Settings\Maureen\Desktop;Archive contains infected objects;;
     ComboFix.exe;C:\Documents and Settings\Maureen\Desktop;Container contains infected objects;Moved.;
     ndis.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.NtRootKit.2670;Deleted.;
     A0068795.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP540;Probably BATCH.Virus;;
     A0069871.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP541;Probably BATCH.Virus;;
     A0069873.EXE;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP541;Program.PsExec.170;Moved.;
     A0070563.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP541;Trojan.Fakealert.4140;Deleted.;
     A0070577.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP541;Trojan.Fakealert.4140;Deleted.;
     A0070580.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP541;Trojan.Fakealert.4140;Deleted.;
     A0070582.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP541;Trojan.Fakealert.4140;Deleted.;
     A0071907.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Dialer.Siggen.121;Deleted.;
     A0071908.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.MulDrop.30699;Deleted.;
     A0071910.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.DownLoader.5289;Deleted.;
     A0071911.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Adware.TargetServer;Moved.;
     A0071912.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Adware.TargetServer;Moved.;
     A0071913.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Adware.TargetServer;Moved.;
     A0071914.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Virtumod.1654;Deleted.;
     A0071915.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Virtumod.1654;Deleted.;
     A0071916.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Inject.5089;Deleted.;
     A0071917.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Virtumod.1654;Deleted.;
     A0071918.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.MulDrop.1565;Deleted.;
     A0071920.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Virtumod.1654;Deleted.;
     A0071921.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.DownLoad.28462;Deleted.;
     A0071922.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Virtumod.1654;Deleted.;
     A0071923.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Virtumod.1654;Deleted.;
     A0071925.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Virtumod.1654;Deleted.;
     A0071926.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Virtumod.1654;Deleted.;
     A0071929.dll;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Trojan.Virtumod.1654;Deleted.;
     A0071947.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Probably BATCH.Virus;;
     A0071949.EXE;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP543;Program.PsExec.170;Moved.;
     A0075950.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP548\A0075950.exe/data002;Probably BATCH.Virus;;
     A0075950.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP548\A0075950.exe/data002;Program.PsExec.171;;
     data002;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP548;Archive contains infected objects;;
     A0075950.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP548;Container contains infected objects;Moved.;
     A0075958.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP548;Probably BATCH.Virus;;
     A0076057.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP548;Probably BATCH.Virus;;
     A0076076.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549\A0076076.exe/data002;Probably BATCH.Virus;;
     A0076076.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549\A0076076.exe/data002;Program.PsExec.171;;
     data002;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549;Archive contains infected objects;;
     A0076076.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549;Container contains infected objects;Moved.;
     A0076091.sys;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549;Trojan.NtRootKit.2670;Deleted.;
     A0076106.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549;Probably BATCH.Virus;;
     A0076108.EXE;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549;Program.PsExec.170;Moved.;
     A0076162.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549;Program.3Proxy.25;Moved.;
     A0076163.exe\Documents and Settings\User\Desktop\AutoIt\autodl2\proxy\3proxy.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549\A0076163.exe;Program.3Proxy.25;;
     A0076163.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP549;Container contains infected objects;Moved.;
     A0076168.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550\A0076168.exe/data002;Probably BATCH.Virus;;
     A0076168.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550\A0076168.exe/data002;Program.PsExec.171;;
     data002;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550;Archive contains infected objects;;
     A0076168.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550;Container contains infected objects;Moved.;
     A0076194.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550;Probably BATCH.Virus;;
     A0076196.EXE;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550;Program.PsExec.170;Moved.;
     A0076249.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550\A0076249.exe/data002;Probably BATCH.Virus;;
     A0076249.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550\A0076249.exe/data002;Program.PsExec.171;;
     data002;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550;Archive contains infected objects;;
     A0076249.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550;Container contains infected objects;Moved.;
     A0076250.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550\A0076250.exe/data002;Probably BATCH.Virus;;
     A0076250.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550\A0076250.exe/data002;Program.PsExec.171;;
     data002;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550;Archive contains infected objects;;
     A0076250.exe;C:\System Volume Information\_restore{CEB701B5-D78E-48C8-B460-CD183A0FBEB1}\RP550;Container contains infected objects;Moved.;
     wmplayer.exe\data008;C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe;BackDoor.Generic.665;;
     wmplayer.exe\data009;C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe;Trojan.MulDrop.1027;;
     wmplayer.exe;C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System;Archive contains infected objects;Moved.;
     ptch238120.exe;C:\WINDOWS\system32;Trojan.Virtumod.1636;Deleted.;
     vfhr.exe;C:\WINDOWS\system32;Win32.HLLW.Autohit.7089;Incurable.Moved.;
  7. ComboFix 09-04-01.01 - Maureen 2009-04-02 23:20:36.5 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.254 [GMT -7:00]
     Running from: c:\documents and settings\Maureen\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Maureen\Desktop\CFscript.txt
     AV: AntiVir Desktop *On-access scanning disabled* (Updated)
     * Created a new restore point

     FILE ::
     c:\windows\system32\drivers\238a835a.sys
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_238a835a

     ((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
     .
     2009-04-02 22:39 . 2009-04-02 22:39 <DIR> d-------- c:\windows\system32\Dell
     2009-04-02 22:39 . 2009-04-02 22:39 <DIR> d-------- c:\program files\Dell
     2009-04-02 20:25 . 2009-04-02 20:25 <DIR> d-------- c:\program files\Trend Micro
     2009-04-02 20:19 . 2008-04-13 10:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
     2009-04-02 20:19 . 2008-04-13 10:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
     2009-03-31 17:32 . 2009-03-31 17:32 <DIR> d-------- c:\windows\system32\KB905474
     2009-03-31 17:32 . 2009-03-10 22:26 1,403,264 --a------ c:\windows\system32\KB905474\wganotifypackageinner.exe
     2009-03-31 17:32 . 2009-03-10 22:18 453,512 --a------ c:\windows\system32\KB905474\wgasetup.exe
     2009-03-31 17:32 . 2009-02-09 18:51 12,490 --a------ c:\windows\system32\KB905474\wga_eula.txt
     2009-03-30 18:16 . 2009-03-30 18:16 <DIR> d-------- c:\program files\Avira
     2009-03-30 18:16 . 2009-03-30 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
     2009-03-30 18:16 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
     2009-03-30 18:10 . 2009-03-30 18:10 <DIR> d-------- c:\documents and settings\Maureen\Application Data\Yahoo!
     2009-03-30 18:09 . 2009-03-31 17:12 <DIR> d-------- c:\program files\Yahoo!
     2009-03-30 18:09 . 2009-03-30 18:10 <DIR> d-------- c:\program files\CCleaner
     2009-03-30 14:32 . 2009-03-30 14:32 <DIR> d-------- c:\windows\rwko
     2009-03-30 14:32 . 2009-03-31 10:58 <DIR> d-------- c:\program files\Common Files\rwko
     2009-03-30 14:23 . 2009-03-30 14:23 <DIR> d-------- C:\81e9e0e57f42cfe07c73
     2009-03-28 17:01 . 2009-03-28 17:01 <DIR> d-------- c:\documents and settings\Administrator.C600636-A\Application Data\Malwarebytes
     2009-03-28 15:32 . 2009-03-28 15:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
     2009-03-28 15:32 . 2009-03-28 15:32 <DIR> d-------- c:\documents and settings\Maureen\Application Data\Malwarebytes
     2009-03-28 15:32 . 2009-03-28 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-03-28 15:32 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
     2009-03-28 15:32 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
     2009-03-25 15:06 . 2009-03-25 15:06 2 --a------ C:\675582153
     2009-03-24 16:10 . 2009-03-30 14:53 <DIR> d-------- c:\documents and settings\Maureen\Application Data\Messenger
     2009-03-23 20:22 . 2009-03-23 20:22 477,266 --a------ c:\windows\system32\vfhr.exe
     2009-03-23 16:22 . 2009-03-23 16:22 47,616 --a------ c:\windows\system32\ptch238120.exe
     2009-03-23 12:02 . 2005-08-09 16:46 819,200 --a------ c:\windows\system32\rpnvdd2.rra
     2009-03-23 12:02 . 2005-08-09 16:46 339,968 --a------ c:\windows\system32\rpnvd95.rra
     2009-03-23 12:02 . 2005-02-04 09:08 57,344 --a------ c:\windows\system32\rpnve41.rra
     2009-03-23 12:02 . 2000-06-08 13:41 53,248 --a------ c:\windows\system32\mfc497a.rra
     2009-03-23 10:54 . 2005-04-07 09:01 59,904 --a------ c:\windows\system32\RIC53HX.EXE
     2009-03-23 10:54 . 2005-06-10 02:35 36,864 --a------ c:\windows\system32\RIC53HPI.DLL
     2009-03-23 10:52 . 2009-03-30 18:13 <DIR> d-------- c:\windows\NAVITEMP
     2009-03-23 10:52 . 2009-03-30 18:13 <DIR> d-------- c:\program files\RMClient
     2009-03-23 10:52 . 2009-03-23 10:52 <DIR> d-------- c:\program files\Common Files\RDPrint
     2009-03-23 10:42 . 2009-03-30 14:51 <DIR> d-------- c:\documents and settings\Maureen\Application Data\Twain
     2009-03-18 14:36 . 2009-03-18 14:36 <DIR> d-------- c:\program files\Avery
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-04-03 03:46 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
     2009-04-01 00:01 --------- d-----w c:\program files\Microsoft Money 2005
     2009-04-01 00:01 --------- d-----w c:\program files\Google
     2009-04-01 00:00 --------- d-----w c:\program files\Lavasoft
     2009-04-01 00:00 --------- d-----w c:\program files\Common Files\Adobe
     2009-03-30 20:50 --------- d-----w c:\program files\Common
     2009-03-23 17:52 --------- d--h--w c:\program files\InstallShield Installation Information
     2009-03-23 17:52 --------- d-----w c:\program files\Common Files\InstallShield
     2003-08-27 22:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
     2004-05-14 23:30 12,125 --sha-w c:\windows\system32\Cvx1j.exe
     2004-05-03 00:42 8,020 --sha-w c:\windows\system32\UltBua.exe
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
     "JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2005-08-01 151552]
     "MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-04 40960]
     "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
     "Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\LOGI_MWX.EXE]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
     "VIDC.I263"= i263_32.drv
     "aux"= ctwdm32.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     --a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Windows Defender\\MSASCui.exe"=
     "c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
     "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-30 108289]
     R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
     R3 hpusbfd;Hewlett-Packard USB Filter Class;c:\windows\system32\drivers\hpusbfd.sys [2003-02-04 7552]
     S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2006-09-06 16194]
     S3 NETGEAR_WG311_SERVICE;NETGEAR WG311 Wireless PCI Adapter Service;c:\windows\system32\drivers\wg311nd5.sys [2006-09-06 344448]

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4016b2c3-3dcc-11db-938e-0002b3613615}]
     \Shell\AutoRun\command - G:\LaunchU3.exe

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bf11c83-f523-11dc-94a2-00095b97f94e}]
     \Shell\AutoRun\command - G:\LaunchU3.exe -a
     .
     Contents of the 'Scheduled Tasks' folder

     2009-04-03 c:\windows\Tasks\A9509ADB918F0C07.job
     - c:\progra~1\itch2\peak inter safe.exe []

     2009-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

     2009-04-03 c:\windows\Tasks\MP Scheduled Scan.job
     - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

     2009-04-03 c:\windows\Tasks\Symantec NetDetect.job
     - c:\program files\Symantec\LiveUpdate\NDETECT.EXE []

     2009-04-03 c:\windows\Tasks\WGASetup.job
     - c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     mSearch Bar =
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     TCP: {F25F7A54-E240-4A6D-9FEB-E40FB042199A} = 192.168.1.100
     DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe
     .
     **************************************************************************

     catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-04-02 23:28:26
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Avira\AntiVir Desktop\avguard.exe
     c:\windows\system32\devldr32.exe
     .
     **************************************************************************
     .
     Completion time: 2009-04-02 23:32:57 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-04-03 06:32:53
     ComboFix2.txt 2009-04-03 03:55:42
     ComboFix3.txt 2009-03-31 23:57:34
     ComboFix4.txt 2009-03-30 21:34:20

     Pre-Run: 26,828,738,560 bytes free
     Post-Run: 26,808,651,776 bytes free

     160 --- E O F --- 2009-04-03 03:20:39
  8. ComboFix 09-04-01.01 - Maureen 2009-04-02 20:42:24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.230 [GMT -7:00]
Running from: c:\documents and settings\Maureen\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\ndis.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOTDRV
-------\Service_botdrv
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
.

2009-04-02 20:25 . 2009-04-02 20:25 <DIR> d-------- c:\program files\Trend Micro
2009-04-02 20:19 . 2008-04-13 10:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-04-02 20:19 . 2008-04-13 10:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-03-31 17:32 . 2009-03-31 17:32 <DIR> d-------- c:\windows\system32\KB905474
2009-03-31 17:32 . 2009-03-10 22:26 1,403,264 --a------ c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-03-31 17:32 . 2009-03-10 22:18 453,512 --a------ c:\windows\system32\KB905474\wgasetup.exe
2009-03-31 17:32 . 2009-02-09 18:51 12,490 --a------ c:\windows\system32\KB905474\wga_eula.txt
2009-03-30 18:16 . 2009-03-30 18:16 <DIR> d-------- c:\program files\Avira
2009-03-30 18:16 . 2009-03-30 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-30 18:16 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-30 18:10 . 2009-03-30 18:10 <DIR> d-------- c:\documents and settings\Maureen\Application Data\Yahoo!
2009-03-30 18:09 . 2009-03-31 17:12 <DIR> d-------- c:\program files\Yahoo!
2009-03-30 18:09 . 2009-03-30 18:10 <DIR> d-------- c:\program files\CCleaner
2009-03-30 14:32 . 2009-03-30 14:32 <DIR> d-------- c:\windows\rwko
2009-03-30 14:32 . 2009-03-31 10:58 <DIR> d-------- c:\program files\Common Files\rwko
2009-03-30 14:23 . 2009-03-30 14:23 <DIR> d-------- C:\81e9e0e57f42cfe07c73
2009-03-30 02:24 . 2009-03-30 02:24 97,792 --a------ c:\windows\system32\krbclick1.exe
2009-03-28 17:01 . 2009-03-28 17:01 <DIR> d-------- c:\documents and settings\Administrator.C600636-A\Application Data\Malwarebytes
2009-03-28 15:32 . 2009-03-28 15:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-28 15:32 . 2009-03-28 15:32 <DIR> d-------- c:\documents and settings\Maureen\Application Data\Malwarebytes
2009-03-28 15:32 . 2009-03-30 18:20 <DIR> d-------- c:\documents and settings\Maureen\Application Data\digifast
2009-03-28 15:32 . 2009-03-28 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-28 15:32 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-28 15:32 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-25 15:06 . 2009-03-25 15:06 2 --a------ C:\675582153
2009-03-24 16:10 . 2009-03-30 14:53 <DIR> d-------- c:\documents and settings\Maureen\Application Data\Messenger
2009-03-24 12:09 . 2009-03-24 12:09 465,874 --a------ c:\windows\system32\config\systemprofile\Application Data\psvrr.exe
2009-03-23 20:22 . 2009-03-23 20:22 477,266 --a------ c:\windows\system32\vfhr.exe
2009-03-23 16:22 . 2009-03-23 16:22 47,616 --a------ c:\windows\system32\ptch238120.exe
2009-03-23 12:02 . 2005-08-09 16:46 819,200 --a------ c:\windows\system32\rpnvdd2.rra
2009-03-23 12:02 . 2005-08-09 16:46 339,968 --a------ c:\windows\system32\rpnvd95.rra
2009-03-23 12:02 . 2005-02-04 09:08 57,344 --a------ c:\windows\system32\rpnve41.rra
2009-03-23 12:02 . 2000-06-08 13:41 53,248 --a------ c:\windows\system32\mfc497a.rra
2009-03-23 10:54 . 2005-04-07 09:01 59,904 --a------ c:\windows\system32\RIC53HX.EXE
2009-03-23 10:54 . 2005-06-10 02:35 36,864 --a------ c:\windows\system32\RIC53HPI.DLL
2009-03-23 10:52 . 2009-03-30 18:13 <DIR> d-------- c:\windows\NAVITEMP
2009-03-23 10:52 . 2009-03-30 18:13 <DIR> d-------- c:\program files\RMClient
2009-03-23 10:52 . 2009-03-23 10:52 <DIR> d-------- c:\program files\Common Files\RDPrint
2009-03-23 10:42 . 2009-03-30 14:51 <DIR> d-------- c:\documents and settings\Maureen\Application Data\Twain
2009-03-18 22:32 . 2009-03-18 21:41 229,376 --a------ c:\windows\system32\config\systemprofile\Application Data\psvr32.exe
2009-03-18 14:36 . 2009-03-18 14:36 <DIR> d-------- c:\program files\Avery

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 03:46 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-01 00:01 --------- d-----w c:\program files\Microsoft Money 2005
2009-04-01 00:01 --------- d-----w c:\program files\Google
2009-04-01 00:00 --------- d-----w c:\program files\Lavasoft
2009-04-01 00:00 --------- d-----w c:\program files\Common Files\Adobe
2009-03-30 20:50 --------- d-----w c:\program files\Common
2009-03-23 17:52 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 17:52 --------- d-----w c:\program files\Common Files\InstallShield
2003-08-27 22:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
2004-05-14 23:30 12,125 --sha-w c:\windows\system32\Cvx1j.exe
2004-05-03 00:42 8,020 --sha-w c:\windows\system32\UltBua.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-30_14.31.45.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 06:14:28 182,656 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
+ 2004-08-04 06:14:28 182,912 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
+ 2009-03-30 21:32:52 2,320 ----a-w c:\windows\rwko\rwko.dat
- 2009-03-25 22:06:37 182,656 -c--a-w c:\windows\system32\dllcache\ndis.sys
+ 2008-04-13 19:20:37 182,656 -c--a-w c:\windows\system32\dllcache\ndis.sys
+ 2009-02-13 18:17:49 45,416 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2009-02-13 18:29:11 22,360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2009-02-13 21:22:54 95,576 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2009-02-13 18:50:02 28,376 ----a-w c:\windows\system32\drivers\ssmdrv.sys
+ 2008-07-29 15:05:06 161,784 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2008-07-29 10:54:08 225,280 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 15:05:08 572,928 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 15:05:08 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05:08 3,768,312 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2008-07-29 15:05:10 3,783,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2008-07-29 13:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 15:05:06 38,912 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 15:05:06 39,936 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05:08 66,560 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05:08 56,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05:06 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05:08 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05:06 66,048 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05:08 64,512 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05:08 46,592 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05:08 46,080 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05:08 62,976 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2007-11-07 09:19:20 54,272 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2005-08-01 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-04 40960]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update Utility"="\\?\globalroot\systemroot\system32\vfhr.exe" [?]
"nDler2"="\\?\globalroot\systemroot\system32\nDler2.exe" [?]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\psvr32.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-30 108289]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 hpusbfd;Hewlett-Packard USB Filter Class;c:\windows\system32\drivers\hpusbfd.sys [2003-02-04 7552]
S1 238a835a;238a835a;c:\windows\system32\drivers\238a835a.sys --> c:\windows\system32\drivers\238a835a.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2006-09-06 16194]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-28 38496]
S3 NETGEAR_WG311_SERVICE;NETGEAR WG311 Wireless PCI Adapter Service;c:\windows\system32\drivers\wg311nd5.sys [2006-09-06 344448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4016b2c3-3dcc-11db-938e-0002b3613615}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bf11c83-f523-11dc-94a2-00095b97f94e}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-03 c:\windows\Tasks\A9509ADB918F0C07.job
- c:\progra~1\itch2\peak inter safe.exe []

2009-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-04-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-04-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []

2009-04-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {F25F7A54-E240-4A6D-9FEB-E40FB042199A} = 192.168.1.100
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe
.
.
------- File Associations -------
.
inffile=c:\windows\system32\dllcache\notepad.exe %1
inifile=c:\windows\system32\dllcache\notepad.exe %1
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 20:50:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-04-02 20:55:40 - machine was rebooted [Maureen]
ComboFix-quarantined-files.txt 2009-04-03 03:55:36
ComboFix2.txt 2009-03-31 23:57:34
ComboFix3.txt 2009-03-30 21:34:20

Pre-Run: 26,856,230,912 bytes free
Post-Run: 26,841,726,976 bytes free

208 --- E O F --- 2009-04-03 03:20:39
  9. Tough to get rid of for a non-profit I am helping. The system looks better, but I am not sure if I am out of the woods. I would appreciate any feedback. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:21 PM, on 4/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Update Utility] \\?\globalroot\systemroot\system32\vfhr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Update Utility] \\?\globalroot\systemroot\system32\vfhr.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F25F7A54-E240-4A6D-9FEB-E40FB042199A}: NameServer = 192.168.1.100
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4757 bytes
  10. All suggested actions were performed. Here are the results of the Avira scan from the boot CD: 70884 scanned files, 0 suspect files, but three alerts. The alerts were:

[ADSPY/Wildtangent.A] /mnt.hda1/windows/wt/webdriver/wtmulti.dll << contains detection pattern of the AD- or Spyware ADSPY/wildtangent.A
[sPR/Wildtangent.B] /mnt/hda1/windows/wt/wtupdates/wtwebdriver/files/3.3.1.001/npwthost.dll << contains detection pattern of the SPR/wildtangent.B program
[ADSPY/wildtangent.A] /mnt/hda1/windows/wt/wtupdates/wtwebdriver/files/3.3.1.001/wtmulti.dll << Contains detection pattern of the AD- or spyware ADSPY/wildtangent.A

Thanks,
Heavus
  11. Here is a full log. Thanks.

ComboFix 09-02-10.01 - Mark 2009-02-10 20:33:04.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.240 [GMT -8:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-10 19:14 . 2009-02-10 20:14 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser
2009-02-10 16:46 . 2009-02-10 16:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\LogMeIn
2009-02-10 16:46 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll
2009-02-10 16:46 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll
2009-02-10 16:46 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys
2009-02-10 16:46 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll
2009-02-10 16:46 . 2009-02-10 16:46 1,024 --a------ C:\.rnd
2009-02-10 16:45 . 2009-02-10 16:46 <DIR> d-------- c:\program files\LogMeIn
2009-02-10 16:44 . 2009-02-10 16:44 <DIR> d-------- c:\documents and settings\Mark\.java
2009-02-10 14:03 . 2009-02-10 14:03 <DIR> d-------- c:\windows\system32\scripting
2009-02-10 13:49 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-10 13:49 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-10 13:46 . 2006-12-29 00:31 19,569 --a------ c:\windows\005668_.tmp
2009-02-10 07:06 . 2009-02-10 08:29 <DIR> d-------- c:\documents and settings\Mark\DoctorWeb
2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\program files\Avira
2009-02-09 23:12 . 2009-02-09 23:12 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-02-09 22:24 . 2009-02-09 22:24 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes
2009-02-09 21:52 . 2008-04-14 05:42 1,384,479 --a------ c:\windows\system32\msvbvm60.dll
2009-02-09 21:46 . 2009-02-09 21:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-02-09 21:46 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 21:46 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-09 21:31 . 2009-02-09 21:32 <DIR> d-------- c:\documents and settings\Mark\Application Data\U3
2009-02-09 21:31 . 2009-02-10 12:08 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-09 21:31 . 2009-02-09 21:31 1,409 --a------ c:\windows\QTFont.for
2009-02-09 20:20 . 2009-02-09 20:20 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-02-09 19:46 . 2009-02-10 16:31 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-09 19:46 . 2009-02-09 19:46 <DIR> d-------- c:\program files\Trend Micro
2009-02-09 19:45 . 2009-02-10 16:31 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-02-09 16:49 . 2009-02-09 22:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\PrivacIE
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IETldCache
2009-02-09 16:47 . 2009-02-09 16:47 <DIR> d--hs---- c:\documents and settings\Mark\IECompatCache
2009-02-09 16:44 . 2009-02-09 16:44 <DIR> d-------- c:\windows\ie8updates
2009-02-09 16:42 . 2009-02-09 16:43 <DIR> d--h-c--- c:\windows\ie8
2009-02-09 16:40 . 2009-01-10 21:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-09 16:30 . 2009-02-10 16:40 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-09 16:05 . 2009-02-09 16:22 <DIR> d-------- c:\program files\Yahoo!
2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\program files\CCleaner
2009-02-09 16:05 . 2009-02-09 16:05 <DIR> d-------- c:\documents and settings\Mark\Application Data\Yahoo!
2009-02-09 15:14 . 2009-02-10 20:26 <DIR> d-------- c:\documents and settings\Mark
2009-02-09 15:00 . 2009-02-09 15:00 <DIR> d-------- c:\documents and settings\Administrator
2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui
2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 23:13 --------- d-----w c:\program files\Symantec
2009-02-10 23:13 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-10 23:13 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-02-10 20:09 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-02-10 16:34 --------- d-----w c:\program files\AIM
2009-02-09 23:56 --------- d-----w c:\program files\Google
2009-02-09 23:09 --------- d-----w c:\program files\Common Files\Adobe
2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 10:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 10:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 10:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-07-01 16:51 47,936 ----a-w c:\documents and settings\James.SIGLOXXI\Application Data\GDIPFONTCACHEV1.DAT
2007-08-29 02:19 60,968 -c--a-w c:\documents and settings\James.SIGLOXXI\GoToAssistDownloadHelper.exe
2004-06-23 06:25 2,592,044 -c----w c:\documents and settings\GameSpot DLX Secure Delivery\trillian-v0.74f.exe
2007-03-02 23:05 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-03-02 23:05 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-11 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-08-26 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=c:\windows\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.SIGLOXXI^Start Menu^Programs^Startup^Trillian.lnk]
path=c:\documents and settings\James.SIGLOXXI\Start Menu\Programs\Startup\Trillian.lnk
backup=c:\windows\pss\Trillian.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
--a--c--- 2006-10-30 15:27 715888 c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-03-24 09:04 3309568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2004-03-24 09:04 46080 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-11 15:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a--c--- 2004-11-10 20:15 111816 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a--c--- 2002-10-15 18:00 1818624 c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2004-03-24 09:04 782336 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-02-10 47640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- File Associations -------
.
inffile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
inifile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 20:34:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1177238915-725345543-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-02-10 20:36:49
ComboFix-quarantined-files.txt 2009-02-11 04:36:46
ComboFix2.txt 2009-02-11 04:11:22
ComboFix3.txt 2009-02-10 06:16:07

Pre-Run: 13,820,166,144 bytes free
Post-Run: 13,805,916,160 bytes free

204 --- E O F --- 2009-02-10 20:12:12
  12. Big File, not able to post all because of size. I installed SP3 and that is reporting lots of files.
  13. Here is the new HijackThis log.
  14. Here is the DRWeb scan. In this case aaads.exe is a renamed combofix.exe. Thanks.
  15. System now operating and able to access sites I was not able to get to before, especially Malwarebytes.org and other security sites that were shut down. Have some more cleanup to do, but I thought I would share this information. Thanks. Heavus
  16. New HijackThis scan.
  17. Malware log
      Malwarebytes' Anti-Malware 1.33
      Database version: 1742
      Windows 5.1.2600 Service Pack 2
      2/9/2009 10:52:59 PM
      mbam-log-2009-02-09 (22-52-59).txt
      Scan type: Quick Scan
      Objects scanned: 69399
      Time elapsed: 4 minute(s), 11 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 3
      Registry Values Infected: 1
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1
      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected:
      HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected:
      C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  18. Here is the ComboFix. I was able to run it after reloading msvbvm60.dll in c:\windows\system32 per the instructions from Rubber Ducky in an old post.
  19. Here is my HijackThis scan. No Malwarebytes; it will not run in safe mode or normal mode, even renamed.
      This may be from the following web site and the following program. Not sure; first time I have seen this, please post your comments.
      Program: MightyRegistry_Setup.exe
      Domain name: updates-easy.com
      Administrative Contact: Whois Privacy Protection Service, Inc., Whois Agent (kxktfvrv@whoisprivacyprotect.com), +1.4252740657, Fax: +1.4256960234, PMB 368, 14150 NE 20th St - F1, C/O updates-easy.com, Bellevue, WA 98007, US
      Technical Contact: Whois Privacy Protection Service, Inc., Whois Agent (kxktfvrv@whoisprivacyprotect.com), +1.4252740657, Fax: +1.4256960234, PMB 368, 14150 NE 20th St - F1, C/O updates-easy.com, Bellevue, WA 98007, US
  20. Automatic Update is now working 8/23. Here is the scan. Settings are for 11 AM on my computer but, as you can see in the scan, the time is 2 AM; not a big deal to me, good to have it working. Thanks to all who posted. MH
      Malwarebytes' Anti-Malware 1.25
      Database version: 1078
      Windows 5.1.2600 Service Pack 3
      2:08:03 AM 8/23/2008
      mbam-log-08-23-2008 (02-08-03).txt
      Scan type: Quick Scan
      Objects scanned: 52967
      Time elapsed: 7 minute(s), 40 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0
      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected: (No malicious items detected)
  21. Thanks for the post. My scan did not run, but there was a McAfee scan running; not sure if that made any difference. I set another for 9 AM my time to see what happens. Thanks for the input. MH
  22. Jean, OK, I set the MBAM service to interact with the desktop and the update ran. I guess the default is unchecked, which would make sense since it was run as a non-subscription app first. I saw it flash across the screen. I have now set the scan to run next at 9 PM and will post the results here. Thanks, MH
  23. Jean, I just set the updates for 6 PM and sat and watched: no updates. Ver 1.25, 1075. I then did a manual update to 1076. Thanks, MH
  24. Jean, it was version 1.24 but is now 1.25. I know it is not updating because the version was 105X or so and the current version was 107X last night. I have changed the times to this evening and I will watch it to see if it is still a problem. Thanks, MH