computerisbusted

  1. Hi Screen, I was wondering, if I decided to reinstall XP, can you recommend a good, easy guide online that will explain what I should do in order to partition my hard drive, and reinstall XP? Thanks again for everything.
  2. Hi Screen, At the moment, it's in my quarantine. Should I actually restore it? Is it safe for me to do so? Thanks again for all of your help!
  3. Hi Screen,

     I forgot to mention, but MBAM did end up picking up some infected files (not just registry values). In particular, C:\Documents and Settings\user\Local Settings\Temp\D.tmp\edS.exe (Trojan.Agent) seemed like it could be something. It's sitting in my quarantine at the moment. My internet still has a tendency to drop out and the problems with the network are still intermittent. Is there any additional action I should take, in light of the edS.exe file? I've posted the relevant MBAM logfile below. Thanks for everything.

     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org

     Database version: 4009

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 7.0.5730.11

     20/04/2010 11:23:56 AM
     mbam-log-2010-04-20 (11-23-56).txt

     Scan type: Quick scan
     Objects scanned: 132787
     Time elapsed: 12 minute(s), 36 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 3

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\user\Desktop\Defogger.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\Documents and Settings\user\Local Settings\Temp\D.tmp\edS.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\WINDOWS\sed.exe (Trojan.Agent) -> Quarantined and deleted successfully.
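Reading quarantine results out of a flattened MBAM log by eye is error-prone, and the log mixes items that were actually quarantined with one that is only scheduled for removal. The Python below is an added example, not part of this thread and not Malwarebytes code: it parses a Malwarebytes' Anti-Malware 1.x text log into structured findings and separates the quarantined files from the entry marked "Delete on reboot", which MBAM cannot remove until the machine is restarted. The sample log is constructed from the detection lines of the two MBAM logs quoted in this thread, with the line breaks the forum flattened restored; the section and item formats are those of the logs as posted.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: detection lines taken from the MBAM logs quoted in this
# thread (20/04 and 15/04), with the line breaks the forum flattened restored.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 4009
Scan type: Quick scan

Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Desktop\Defogger.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\D.tmp\edS.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sed.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "<Section> Infected:" with nothing after the colon opens a detail section;
# the summary lines ("Files Infected: 3") end in a count and do not match.
SECTION_RE = re.compile(r"^(?P<section>.+?) Infected:$")
# "<target> (<detection>) -> [Bad: (x) Good: (y) -> ]<action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?$")


@dataclass
class Finding:
    section: str           # e.g. "Files", "Registry Values"
    target: str            # file path or registry path
    detection: str         # MBAM detection name, e.g. "Trojan.Agent"
    action: str            # what MBAM did, e.g. "Quarantined and deleted successfully"
    detail: Optional[str]  # extra text before the action, e.g. "Bad: (1) Good: (0)"


def parse_mbam_log(text: str) -> List[Finding]:
    """Return one Finding per detected item, in log order."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        item = ITEM_RE.match(line)
        if not item:
            continue
        parts = item.group("rest").split(" -> ")
        findings.append(Finding(
            section=section,
            target=item.group("target"),
            detection=item.group("detection"),
            action=parts[-1],
            detail=" -> ".join(parts[:-1]) or None,
        ))
    return findings


def pending_reboot(findings: List[Finding]) -> List[Finding]:
    """Items MBAM could not remove immediately; they need the reboot it asked for."""
    return [f for f in findings if "reboot" in f.action.lower()]


def quarantined_files(findings: List[Finding]) -> List[str]:
    """Paths of files now sitting in quarantine (candidates to hash or submit)."""
    return [f.target for f in findings
            if f.section == "Files" and f.action.startswith("Quarantined")]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:20} {f.detection:22} {f.action:38} {f.target}")
    print("pending reboot:", [f.target for f in pending_reboot(found)])
```

Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file's contents. The "Delete on reboot" item is the one to re-check after restarting: a second scan that still reports it means the reboot did not clear it.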
  4. I quarantined my sed.exe when it scanned positive; should I restore it?
  5. Hi Screen, Thanks again for everything. Yes, those folders are still there. Looks like I should see if anyone from the uni can help. Thanks again!
  6. Hi Screen,

     1. I uninstalled the programs you recommended, but when I went to uninstall Lotus Notes, the uninstaller said something like "gathering required information" and the progress bar came to a standstill. After about an hour, I ended the uninstall process, to try it again, but now there is no longer an option in Add/Remove Programs to remove Lotus Notes. There are still lots of files and sub-directories in c:\IBM\Lotus\Notes. Should I delete those files?

     Also, while I was trying to install, Comodo Firewall kept telling me that notes2w.exe was trying to connect to something. This is what it said:

     "C:\Program files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20080709-200808010926\jre\bin\notes2w.exe was trying to access: RPC Control\DNSResolver"

     2. After installing the latest Java, I updated and ran MBAM. I've posted the log below.

     3. I've run DDS again, and posted DDS.txt beneath the MBAM log, and I've attached the attach.txt.

     Thanks again so much for all of your help!

     Attach_15_April_2010.txt

     *********** MBAM Log ***********

     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org

     Database version: 3989

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 7.0.5730.11

     15/04/2010 3:55:12 PM
     mbam-log-2010-04-15 (15-55-12).txt

     Scan type: Quick scan
     Objects scanned: 131612
     Time elapsed: 8 minute(s), 35 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 3
     Registry Data Items Infected: 1
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrol panel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

     Registry Data Items Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     *********** DDS Log ***********

     DDS (Ver_10-03-17.01) - NTFSx86
     Run by user at 16:04:09.34 on Thu 15/04/2010
     Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.205 [GMT 10:00]

     AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
     FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
     FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

     ============== Running Processes ===============

     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
     C:\WINDOWS\system32\svchost.exe -k netsvcs
     C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
     C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k eapsvcs
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k dot3svc
     C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
     C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
     C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
     C:\WINDOWS\system32\vmnat.exe
     C:\WINDOWS\system32\vmnetdhcp.exe
     C:\Program Files\VMware\VMware Player\vmware-authd.exe
     C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\Explorer.EXE
     C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
     C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
     C:\WINDOWS\system32\NWTRAY.EXE
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
     C:\Program Files\VMware\VMware Player\hqtray.exe
     C:\WINDOWS\system32\dpmw32.exe
     C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
     C:\Program Files\Common Files\Java\Java Update\jusched.exe
     C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
     C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
     C:\Program Files\RSIGuard\RSIGuard.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
     C:\WINDOWS\system32\NOTEPAD.EXE
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\WINDOWS\system32\NOTEPAD.EXE
     C:\Documents and Settings\user\Desktop\dds.scr

     ============== Pseudo HJT Report ===============

     uWindow Title = Microsoft Internet Explorer provided by Griffith University
     uStart Page = hxxp://www.griffith.edu.au/
     uDefault_Page_URL = hxxp://www.griffith.edu.au/
     uSearch Bar = hxxp://www.griffith.edu.au/find
     mDefault_Page_URL = hxxp://www.griffith.edu.au/
     uInternet Settings,ProxyOverride = <local>
     BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
     BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
     BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
     TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
     uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
     uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS
     mRun: [NWTRAY] NWTRAY.EXE
     mRun: [DeskTag] c:\windows\tag.vbs
     mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe
     mRun: [NetcheckOff] c:\windows\nc-off.exe
     mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
     mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
     mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
     mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
     mRun: [NDPS] c:\windows\system32\dpmw32.exe
     mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
     mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
     mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
     dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
     uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
     uPolicies-explorer: MaxRecentDocs = 10 (0xa)
     uPolicies-explorer: NoThumbnailCache = 1 (0x1)
     uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
     uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
     uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)
     uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
     uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
     uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
     uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
     uPolicies-explorer: DisallowCpl = 1 (0x1)
     uPolicies-explorer: NoAutoUpdate = 1 (0x1)
     uPolicies-explorer: NoPublishingWizard = 1 (0x1)
     uPolicies-explorer: DisallowRun = 1 (0x1)
     uPolicies-disallowrun: 1 = wbsamp.exe
     uPolicies-disallowrun: 2 = webshots.exe
     uPolicies-disallowrun: 3 = webshots.scr
     uPolicies-system: HideLogonScripts = 0 (0x0)
     uPolicies-system: DisableChangePassword = 1 (0x1)
     mPolicies-explorer: NoDisconnect = 1 (0x1)
     mPolicies-explorer: NoNTSecurity = 1 (0x1)
     mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
     mPolicies-explorer: NoPublishingWizard = 1 (0x1)
     mPolicies-explorer: NoWebServices = 1 (0x1)
     mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
     mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
     mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)
     mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
     mPolicies-system: HideShutdownScripts = 0 (0x0)
     mPolicies-system: LogonType = 0 (0x0)
     IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
     IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
     IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
     IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
     IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
     IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
     IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
     IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
     IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
     IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
     IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
     LSP: c:\program files\vmware\vmware player\vsocklib.dll
     Trusted Zone: griffith.edu.au
     Trusted Zone: gu.edu.au
     DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190
     DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     TCP: {04D21817-5A95-4A14-BFB8-4E3CF8EAE221} = 156.154.70.22,156.154.71.22
     TCP: {DB161889-6A3F-40F8-9996-42E96BD5D24A} = 156.154.70.22,156.154.71.22
     Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
     Notify: AtiExtEvent - Ati2evxx.dll
     Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
     AppInit_DLLs: c:\windows\system32\guard32.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
     LSA: Authentication Packages = msv1_0 nwv1_0

     ================= FIREFOX ===================

     FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\
     FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
     FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
     FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
     FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

     ---- FIREFOX POLICIES ----
     c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
     c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
     c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
     c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
     c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

     ============= SERVICES / DRIVERS ===============

     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]
     R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-23 224808]
     R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 25160]
     R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
     R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]
     R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]
     R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]
     R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-3-23 967888]
     R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1265264]
     R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]
     R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]
     R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]
     R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]
     R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
     R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-12 38224]
     R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVENG.SYS [2010-3-25 84912]
     R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVEX15.SYS [2010-3-25 1324720]
     R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]
     S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

     =============== Created Last 30 ================

     2010-04-15 05:55:15 54016 ----a-w- c:\windows\system32\drivers\emaqwpbm.sys
     2010-04-15 05:34:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2010-04-15 05:34:17 411368 ----a-w- c:\windows\system32\deployJava1.dll
     2010-04-13 10:32:48 0 d-----w- c:\program files\DVDFab 7
     2010-04-11 14:52:44 0 d-----w- c:\program files\MediaMonkey
     2010-04-11 14:49:32 0 d-----w- c:\program files\Windows Installer Clean Up
     2010-04-10 07:55:13 54016 ----a-w- c:\windows\system32\drivers\oflpdnps.sys
     2010-04-09 14:39:48 0 d-----w- C:\laserjet 6l pro SureSupply
     2010-04-07 10:04:10 0 d-----w- c:\documents and settings\user\DoctorWeb
     2010-04-06 07:26:28 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
     2010-04-06 07:26:28 107368 ----a-w- c:\windows\system32\GEARAspi.dll
     2010-04-06 07:24:41 0 d-----w- c:\program files\iPod
     2010-04-06 07:23:52 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
     2010-04-03 06:24:17 54016 ----a-w- c:\windows\system32\drivers\nqfdl.sys
     2010-04-03 03:50:02 54016 ----a-w- c:\windows\system32\drivers\ojmatk.sys
     2010-04-03 03:25:17 54016 ----a-w- c:\windows\system32\drivers\ksprl.sys
     2010-04-03 01:40:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
     2010-04-03 01:36:03 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
     2010-04-03 01:32:19 0 d-----w- c:\program files\COMODO
     2010-03-25 23:15:17 0 d-----w- c:\program files\ESET
     2010-03-25 10:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
     2010-03-24 17:34:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
     2010-03-24 17:34:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
     2010-03-24 17:30:39 0 d-----w- c:\program files\Spybot - Search & Destroy
     2010-03-24 17:30:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
     2010-03-24 17:29:52 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
     2010-03-24 17:29:19 0 d-----w- c:\program files\Lavasoft
     2010-03-24 17:03:30 0 d--h--w- c:\windows\PIF
     2010-03-24 16:38:15 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
     2010-03-24 16:36:56 0 d-----w- c:\windows\ERUNT
     2010-03-24 16:36:14 0 d-----w- C:\SDFix
     2010-03-23 08:40:00 224808 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
     2010-03-23 01:58:24 59952 ----a-r- c:\windows\system32\vnetinst.dll
     2010-03-23 01:58:24 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
     2010-03-23 01:58:17 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
     2010-03-23 01:58:13 395824 ----a-w- c:\windows\system32\vmnat.exe
     2010-03-23 01:58:11 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
     2010-03-23 01:58:02 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
     2010-03-23 01:57:57 760368 ----a-w- c:\windows\system32\vnetlib.dll
     2010-03-23 01:57:32 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
     2010-03-23 01:57:22 1024 ----a-w- C:\.rnd
     2010-03-23 01:57:02 0 d-----w- c:\program files\common files\VMware
     2010-03-23 01:56:34 0 d-----w- c:\program files\VMware
     2010-03-22 12:01:00 0 d-----w- c:\docume~1\user\applic~1\Foxit Software
     2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

     ==================== Find3M ====================

     2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-03-29 14:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-03-12 08:02:38 261632 ----a-w- c:\windows\PEV.exe
     2010-03-03 07:54:42 276648 ----a-w- c:\windows\system32\guard32.dll
     2010-03-03 07:54:14 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
     2010-03-03 07:54:12 15376 ----a-w- c:\windows\system32\drivers\cmderd.sys
     2010-01-22 11:58:02 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
     2010-01-22 10:34:24 252464 ----a-w- c:\windows\system32\vmnc.dll
     2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
     2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

     ============= FINISH: 16:04:48.71 ===============

     Attach_15_April_2010.txt
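The DDS log in the post above is the kind of thing a helper reads by eye; two parts of it lend themselves to a script. The Python below is an added example, not part of this thread and not code from the DDS or Malwarebytes authors. It parses the "Created Last 30" section and groups newly created drivers under system32\drivers by exact byte size, and it reads the uPolicies/mPolicies lines and flags values that switch off updates or user-facing security controls. The sample text is constructed from excerpts of the DDS.txt in this post; the RESTRICTIVE_POLICIES set is my own selection of documented Explorer and System policy names, not something DDS defines. Both outputs are leads, not verdicts: this was a university-managed build (SOEFixer, ZENworks and the griffith.edu.au trusted zones are all in the log), so the policy restrictions may be entirely legitimate, and a cluster of same-size drivers only tells you which files to hash and check for a valid signature first.

```python
"""Triage helpers for the "Created Last 30" and policy lines of a DDS log."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: excerpts of the DDS.txt quoted in the post above, with
# the line breaks restored. Not the complete log.
SAMPLE_DDS = r"""
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 10 (0xa)
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-system: HideLogonScripts = 0 (0x0)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-explorer: NoNTSecurity = 1 (0x1)
=============== Created Last 30 ================
2010-04-15 05:55:15 54016 ----a-w- c:\windows\system32\drivers\emaqwpbm.sys
2010-04-15 05:34:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-13 10:32:48 0 d-----w- c:\program files\DVDFab 7
2010-04-10 07:55:13 54016 ----a-w- c:\windows\system32\drivers\oflpdnps.sys
2010-04-06 07:26:28 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-03 06:24:17 54016 ----a-w- c:\windows\system32\drivers\nqfdl.sys
2010-04-03 03:50:02 54016 ----a-w- c:\windows\system32\drivers\ojmatk.sys
2010-04-03 03:25:17 54016 ----a-w- c:\windows\system32\drivers\ksprl.sys
2010-03-24 17:34:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-24 17:34:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-23 08:40:00 224808 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
==================== Find3M ====================
2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

# "YYYY-MM-DD HH:MM:SS <size> <attrs> <path>"; attrs is DDS's 8-character flag field.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# "uPolicies-explorer: NoWindowsUpdate = 1 (0x1)"
POLICY_RE = re.compile(
    r"^(?P<scope>[umd])Policies-(?P<area>\w+): (?P<name>\w+) = (?P<value>-?\d+) \(0x[0-9a-f]+\)$"
)
# Policy values that switch off updates or user-facing security controls. This
# list is my own choice for the example, not something DDS or MBAM defines.
RESTRICTIVE_POLICIES = {
    "NoWindowsUpdate", "NoAutoUpdate", "DisallowCpl", "DisallowRun",
    "DisableChangePassword", "NoNTSecurity", "DisableTaskMgr", "DisableRegistryTools",
}


def section_lines(text: str, title: str):
    """Yield the non-blank lines between the '=== title ===' banner and the next banner."""
    inside = False
    for line in text.splitlines():
        if line.startswith("="):
            inside = line.strip("= ") == title
            continue
        if inside and line.strip():
            yield line.strip()


def parse_created(text: str) -> List[dict]:
    """Parse the 'Created Last 30' section into dicts (date, time, size, is_dir, path)."""
    entries = []
    for line in section_lines(text, "Created Last 30"):
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "date": m.group("date"), "time": m.group("time"),
                "size": int(m.group("size")),
                "is_dir": m.group("attrs").startswith("d"),
                "path": m.group("path"),
            })
    return entries


def driver_size_clusters(entries: List[dict], min_count: int = 2) -> Dict[int, List[str]]:
    """Group newly created *.sys files under \\drivers\\ by exact size.

    Several fresh drivers with unrelated names and byte-identical sizes is a
    pattern worth checking (hash each one, verify its signature), not a verdict.
    """
    by_size: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        p = e["path"].lower()
        if not e["is_dir"] and p.endswith(".sys") and "\\drivers\\" in p:
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def flagged_policies(text: str) -> List[Tuple[str, str, int]]:
    """Return (scope, name, value) for restrictive policies set to a non-zero value."""
    hits = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m.group("name") in RESTRICTIVE_POLICIES and int(m.group("value")) != 0:
            hits.append((m.group("scope"), m.group("name"), int(m.group("value"))))
    return hits


if __name__ == "__main__":
    created = parse_created(SAMPLE_DDS)
    for size, paths in driver_size_clusters(created).items():
        print(f"{len(paths)} new drivers of exactly {size} bytes:")
        for p in paths:
            print("   ", p)
    for scope, name, value in flagged_policies(SAMPLE_DDS):
        print(f"policy {scope}:{name} = {value}")
```

On the full log the size grouping returns one cluster: five drivers of exactly 54016 bytes created between 3 and 15 April with names that share nothing with any installed product. The next step for a file in such a cluster is a hash lookup and a signature check, not deletion from the listing alone.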
  7. Hi Screen,

     My adorable girlfriend is grumpy, because according to her, I'm more excited about getting a message from you than from her! Thank you for all of your help. I sure do appreciate it.

     1. Screen, I couldn't find the program Griffith Lotus Setup. I've:
        a. Gone to Start>Programs, but there is nothing listed that looks like Griffith Lotus Setup. The closest is Lotus Applications>Lotus Notes.
        b. Used Windows Explorer to look at c:\program files. There was no Lotus, and the closest was the Griffith directory that you asked about, but I didn't see a Griffith Lotus Setup inside those subdirectories. I've pasted a listing of the c:\program files subdirectories below, after the contents of the folder you asked about.
        c. Used the Windows Explorer search function to find Griffith Lotus, but it found nothing.
        d. Went into Control Panel>Add Remove Programs, and was given the option of repairing or removing Griffith Lotus Setup. It has a size of 0.54MB, and is apparently used rarely. If I click repair, it moves me to a screen that says "Welcome to the Griffith Lotus Setup Setup Wizard" (it repeats the word Setup, just as I've typed), and there is no information other than that I can choose to repair or remove.

     2. I do not use Lotus Notes on this computer, and I am happy to completely uninstall Lotus and anything related to Lotus.

     3. The contents of c:\Program Files\Griffith are listed below. This computer is no longer a work computer, so I can uninstall anything to do with my university.

     4. I've never used:
        ZENworks Asset Management - Client Apps
        ZENworks Desktop Management Agent
        and am happy to disable or remove them.

     Thanks again for everything.

     *********************************
     Contents of C:\Program Files\Griffith
     *********************************

      Volume in drive C has no label.
      Volume Serial Number is A870-94C2

      Directory of C:\Program Files\Griffith

     14/04/2010  06:44 PM    <DIR>          .
     14/04/2010  06:44 PM    <DIR>          ..
     15/10/2009  08:06 PM    <DIR>          First Profile
     02/07/2009  02:28 PM    <DIR>          Griffith Entitled Software
     14/04/2010  06:40 PM    <DIR>          LotusSync
     08/12/2008  05:30 PM    <DIR>          MessageWriter
     02/07/2009  02:40 PM    <DIR>          My IP Address
     02/07/2009  02:28 PM    <DIR>          SOEFixer
     08/12/2008  05:30 PM    <DIR>          SOETools
     14/04/2010  06:44 PM                 0 dirscreen.txt
                    1 File(s)              0 bytes

      Directory of C:\Program Files\Griffith\First Profile

     15/10/2009  08:06 PM    <DIR>          .
     15/10/2009  08:06 PM    <DIR>          ..
     02/07/2009  02:24 PM    <DIR>          FinishedDeploy_630
     04/08/2008  02:29 PM            98,304 FinishedDeployment.exe
     04/08/2008  02:29 PM            42,496 FinishedDeployment.pdb
     04/08/2008  02:29 PM               704 FinishedDeployment.xml
     30/07/2007  08:46 AM            28,672 Runner.exe
     30/07/2007  08:46 AM            34,304 Runner.pdb
     30/07/2007  08:46 AM               114 Runner.xml
     14/07/2008  09:00 AM            94,208 SOESetup.exe
     14/07/2008  09:00 AM            42,496 SOESetup.pdb
     14/07/2008  09:00 AM               664 SOESetup.xml
                    9 File(s)        341,962 bytes

      Directory of C:\Program Files\Griffith\First Profile\FinishedDeploy_630

     02/07/2009  02:24 PM    <DIR>          .
     02/07/2009  02:24 PM    <DIR>          ..
     04/08/2008  02:29 PM            98,304 FinishedDeployment.exe
     04/08/2008  02:29 PM            42,496 FinishedDeployment.pdb
     04/08/2008  02:29 PM               704 FinishedDeployment.xml
                    3 File(s)        141,504 bytes

      Directory of C:\Program Files\Griffith\Griffith Entitled Software

     02/07/2009  02:28 PM    <DIR>          .
     02/07/2009  02:28 PM    <DIR>          ..
     24/07/2007  03:52 PM            28,672 Griffith Entitled Software.exe
     24/07/2007  03:52 PM            36,352 Griffith Entitled Software.pdb
     24/07/2007  03:52 PM               138 Griffith Entitled Software.xml
     23/07/2007  12:37 PM             4,122 icon.ico
                    4 File(s)         69,284 bytes

      Directory of C:\Program Files\Griffith\LotusSync

     14/04/2010  06:40 PM    <DIR>          .
     14/04/2010  06:40 PM    <DIR>          ..
     22/05/2008  11:07 AM           188,416 ICSharpCode.SharpZipLib.dll
     07/01/2009  04:08 PM           348,160 LotusStarter.exe
     14/05/2008  12:15 PM             2,084 LotusStarter.exe.config
     19/05/2008  03:55 PM            42,166 notes.ico
                    4 File(s)        580,826 bytes

      Directory of C:\Program Files\Griffith\MessageWriter

     08/12/2008  05:30 PM    <DIR>          .
     08/12/2008  05:30 PM    <DIR>          ..
     26/07/2007  07:40 AM            28,672 MessageWriter.exe
     26/07/2007  07:40 AM            36,352 MessageWriter.pdb
     26/07/2007  07:40 AM               121 MessageWriter.xml
                    3 File(s)         65,145 bytes

      Directory of C:\Program Files\Griffith\My IP Address

     02/07/2009  02:40 PM    <DIR>          .
     02/07/2009  02:40 PM    <DIR>          ..
     31/07/2007  07:58 AM           237,568 myIP.exe
     20/07/2007  11:02 AM             1,078 myIP.ico
     31/07/2007  07:58 AM            40,448 myIP.pdb
     31/07/2007  07:58 AM               648 myIP.xml
                    4 File(s)        279,742 bytes

      Directory of C:\Program Files\Griffith\SOEFixer

     02/07/2009  02:28 PM    <DIR>          .
     02/07/2009  02:28 PM    <DIR>          ..
     16/07/2008  08:47 AM            32,768 SOEFixer.exe
     16/07/2008  08:47 AM            40,448 SOEFixer.pdb
     16/07/2008  08:47 AM               116 SOEFixer.xml
                    3 File(s)         73,332 bytes

      Directory of C:\Program Files\Griffith\SOETools

     08/12/2008  05:30 PM    <DIR>          .
     08/12/2008  05:30 PM    <DIR>          ..
     08/12/2008  11:08 AM           140,800 AuditTool.exe
     18/11/2008  12:16 PM             2,646 AuditTool.exe.config
     25/11/2008  03:20 PM            24,629 AuditTool.log
     08/12/2008  11:08 AM           175,616 AuditTool.pdb
     25/11/2008  03:20 PM            14,328 AuditTool.vshost.exe
     18/11/2008  12:16 PM             2,646 AuditTool.vshost.exe.config
     14/07/2008  12:46 PM             1,235 AuditTool.vshost.exe.manifest
     08/12/2008  11:08 AM            31,164 AuditTool.xml
     27/08/2008  03:36 PM           110,592 AuditTool.XmlSerializers.dll
     23/04/2007  02:34 PM               457 Divisions.xml
     27/02/2008  04:22 PM             8,928 Elements.xml
     25/11/2008  08:19 AM            82,432 GUS_Gobal.dll
     25/11/2008  08:19 AM           151,040 GUS_Gobal.pdb
     25/11/2008  08:19 AM            25,493 GUS_Gobal.xml
     22/07/2008  09:53 AM           110,592 GUS_Gobal.XmlSerializers.dll
     01/11/2005  05:28 PM           884,736 Microsoft.Web.Services3.dll
     16/07/2008  03:28 PM            12,800 ResetPassword.exe
     16/07/2008  03:28 PM            30,208 ResetPassword.pdb
                   18 File(s)      1,810,342 bytes

          Total Files Listed:
                   49 File(s)      3,362,137 bytes
                   26 Dir(s)  23,727,116,288 bytes free

     *****************************************
     Subdirectories of c:\Program Files\
     *****************************************

      Directory of C:\Program Files

     14/04/2010  07:04 PM    <DIR>          .
     14/04/2010  07:04 PM    <DIR>          ..
     02/07/2009  02:24 PM    <DIR>          Adobe
     05/09/2009  05:04 PM    <DIR>          Alwil Software
     06/04/2010  05:20 PM    <DIR>          Apple Software Update
     02/07/2009  02:26 PM    <DIR>          aShampoo
     02/07/2009  03:43 PM    <DIR>          ATI Technologies
     02/07/2009  03:58 PM    <DIR>          Broadcom
     02/07/2009  02:26 PM    <DIR>          Business Objects
     20/10/2009  11:57 PM    <DIR>          Carmen Sandiego
     02/07/2009  02:49 PM    <DIR>          Cassetica
     05/02/2010  12:16 AM    <DIR>          CCleaner
     02/07/2009  02:47 PM    <DIR>          Cisco Systems
     04/02/2010  02:09 PM    <DIR>          Comical
     06/04/2010  05:19 PM    <DIR>          Common Files
     03/04/2010  11:32 AM    <DIR>          COMODO
     05/07/2007  01:05 PM    <DIR>          ComPlus Applications
     02/07/2009  03:50 PM    <DIR>          CONEXANT
     02/07/2009  02:21 PM    <DIR>          CUAgent
     02/07/2009  02:40 PM    <DIR>          CyberLink
     22/07/2009  06:09 PM    <DIR>          DVD Decrypter
     22/07/2009  11:05 AM    <DIR>          DVD Shrink
     10/10/2009  02:54 PM    <DIR>          DVDFab 6
     13/04/2010  08:33 PM    <DIR>          DVDFab 7
     06/04/2010  10:31 AM    <DIR>          ERUNT
     26/03/2010  09:15 AM    <DIR>          ESET
     21/10/2009  06:14 PM    <DIR>          FLV Player
     15/01/2010  10:30 PM    <DIR>          Foxit Software
     14/04/2010  06:44 PM    <DIR>          Griffith
     02/07/2009  02:28 PM    <DIR>          GU Tools
     02/07/2009  02:28 PM    <DIR>          IBM
     22/07/2009  12:29 PM    <DIR>          ImgBurn
     02/07/2009  03:55 PM    <DIR>          Intel
     22/05/2009  10:31 AM    <DIR>          Internet Explorer
     06/04/2010  05:24 PM    <DIR>          iPod
     22/03/2010  02:40 AM    <DIR>          Java
     25/03/2010  03:30 AM    <DIR>          Lavasoft
     03/02/2010  01:53 AM    <DIR>          MAKEMSI Package Documentation
     31/03/2010  09:43 AM    <DIR>          Malwarebytes' Anti-Malware
     12/04/2010  12:52 AM    <DIR>          MediaMonkey
     01/11/2008  01:08 PM    <DIR>          Messenger
     02/07/2009  02:35 PM    <DIR>          Microsoft ActiveSync
     05/07/2007  01:12 PM    <DIR>          microsoft frontpage
     02/07/2009  02:39 PM    <DIR>          Microsoft Office
     22/05/2009  10:34 AM    <DIR>          Microsoft Silverlight
     02/07/2009  02:34 PM    <DIR>          Microsoft Visual Studio
     02/07/2009  02:34 PM    <DIR>          Microsoft Works
     02/07/2009  02:34 PM    <DIR>          Microsoft.NET
     13/05/2008  03:53 PM    <DIR>          Movie Maker
     14/04/2010  11:43 AM    <DIR>          Mozilla Firefox
     05/07/2007  06:58 PM    <DIR>          MSBuild
     12/04/2010  12:49 AM    <DIR>          MSECache
     05/07/2007  01:03 PM    <DIR>          MSN
     05/07/2007  01:04 PM    <DIR>          MSN Gaming Zone
     05/07/2007  07:51 PM    <DIR>          MSXML 6.0
     13/05/2008  03:50 PM    <DIR>          NetMeeting
     02/07/2009  02:22 PM    <DIR>          Novell
     05/07/2007  05:29 PM    <DIR>          Online Services
     14/04/2010  03:07 AM    <DIR>          Orbitdownloader
     13/05/2008  03:50 PM    <DIR>          Outlook Express
     25/03/2010  10:48 PM    <DIR>          Oxford Dictonary With Sound Portable
     15/01/2010  10:27 PM    <DIR>          PeaZip
     05/07/2007  06:48 PM    <DIR>          Reference Assemblies
     03/02/2010  01:53 AM    <DIR>          RSIGuard
     02/07/2009  03:20 PM    <DIR>          SecureW2
     23/07/2009  12:13 AM    <DIR>          Siber Systems
     02/07/2009  03:49 PM    <DI          SigmaTel
     25/03/2010  03:54 AM    <DIR>          Spybot - Search & Destroy
     07/04/2010  01:27 PM    <DIR>          SUPERAntiSpyware
     02/07/2009  02:45 PM    <DIR>          Symantec
     14/03/2010  07:38 PM    <DIR>          Trend Micro
     19/03/2010  02:39 PM    <DIR>          uTorrent
     17/03/2010  12:48 AM    <DIR>          VideoLAN
     23/03/2010  11:56 AM    <DIR>          VMware
     12/04/2010  12:49 AM    <DIR>          Windows Installer Clean Up
     05/07/2007  06:44 PM    <DIR>          Windows Media Connect 2
     13/05/2008  03:50 PM    <DIR>          Windows Media Player
     13/05/2008  03:50 PM    <DIR>          Windows NT
     05/11/2009  09:51 PM    <DIR>          WinZip
     05/07/2007  01:12 PM    <DIR>          xerox
     14/04/2010  07:04 PM                 0 programs.txt
                    1 File(s)              0 bytes
                   80 Dir(s)  23,725,703,168 bytes free
  8. Hi Screen,

     Thanks for everything! Here's my attach.txt, below and as an attachment: Attach_14_April_2010.txt

     ***************************************************
     UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
     IF REQUESTED, ZIP IT UP & ATTACH IT

     DDS (Ver_10-03-17.01)

     Microsoft Windows XP Professional
     Boot Device: \Device\HarddiskVolume1
     Install Date: 2/07/2009 2:16:47 PM
     System Uptime: 14/04/2010 9:52:46 AM (1 hours ago)

     Motherboard: Dell Inc. | |
     Processor: Intel® Pentium® M processor 1.86GHz | Microprocessor | 1861/133mhz

     ==== Disk Partitions =========================

     C: is FIXED (NTFS) - 56 GiB total, 22.209 GiB free.
     D: is CDROM ()

     ==== Disabled Device Manager Items =============

     Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
     Description: Cisco Systems VPN Adapter
     Device ID: ROOT\NET\0000
     Manufacturer: Cisco Systems
     Name: Cisco Systems VPN Adapter
     PNP Device ID: ROOT\NET\0000
     Service: CVirtA

     ==== System Restore Points ===================

     No restore point in system.

     ==== Installed Programs ======================
  9. Hi Screen, You're underage in the US? You must hear this all the time, but you've got a bright future ahead of you! I figure if you're old enough to rescue thousands of people from tearing their hair out, and yelling incoherently at their monitors, a beer won't do you any harm... I went to Virus Total and ran one of the scans you asked for (the other file I couldn't find): * c:\windows\tag.vbs -- Seemed to be clean (I've pasted the scan results below). * c:\windows\nc-off.exe -- I couldn't find this one. Once more, thank you so much for all of your help, Screen! File tag.vbs received on 2010.04.12 21:27:56 (UTC) Result: 0/40 (0%)
  10. Hi Screen, In the replies above, I posted the GMER logs as you asked, and also mentioned some error messages I've been getting, and a file that Virus Total picked up on. Just in case you were looking for a shorter GMER log, I ran GMER after unchecking: * Sections * IAT/EAT * Drives/Partition other than Systemdrive (typically only C:\ should be checked) * Show All (don't miss this one) and I've posted the resulting log below. Thanks again for everything. You really have to come to Australia and let me buy you a beer one day. ********************** GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-10 19:15:38 Windows 5.1.2600 Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\fwloapog.sys ---- EOF - GMER 1.0.15 ----
  11. Just trying to upload the GMER log again... gmer_log_10_April_2010.txt
  12. Hi Screen, Thank you for giving me hope. I'll be so glad when this gets fixed. I followed your instructions and ran the GMER scan as you recommended. I tried to paste the results as you suggested, but I think there was too much text. I've attached the GMER log. Should I have unchecked some of the check boxes? I was sure to make sure that "show all" wasn't checked. While I was running the scan, this error kept popping up in Windows: ************************* wuauclt.exe - Application error The instruction at "0x00009900" referenced memory at "0x00009900". The memory could not be "written". Click on OK to terminate the program Click on CANCEL to debug the program ************************* It won't stop popping up, even now, regardless of whether I click OK or CANCEL. It's every five minutes or so. I also got this error message: ************************** Dr Watson Postmortem Debugger has encountered a problem and needs to close. ************************** There was just another thing that I wanted to mention that may or may not be relevant: A friend took a quick look at my HJT log and mentioned that I might want to disable ctfmon.exe. I have scanned ctfmon.exe at Virus Total and eSafe thinks that it is the Win32.Banker virus. I haven't taken any action, because I wanted to ask you about it first. Should I do anything about it? What would you recommend? I've included the Virus Total log at the end, after the GMER scan. As I said, I don't know if that's relevant. Thanks again for all of your help, Screen! ********************** Virus Total Log ********************** File ctfmon.exe received on 2010.04.08 18:49:59 (UTC) Result: 1/39 (2.57%)
Antivirus Version Last Update Result eSafe 7.0.17.0 2010.04.08 Win32.Banker
  13. Hi Screen, Thank you so much for all of your help. I hope you know how much people appreciate you rescuing their computers. Screen, I wasn't sure exactly how I should delete the registry values (i.e. whether to use regedit or not), so I 1. Booted to Safe Mode. 2. Re-ran the Fix.reg that you gave me. 3. Rebooted in Safe Mode. When I rebooted in Safe Mode, the System Restore option was there! When I booted back into Normal Mode, though, System Restore was gone again... Also, I don't know if this is relevant, but when I went to shut down, before Step 1 above (before I'd booted into Safe Mode), as Windows was shutting down, a window popped up briefly, saying something about: *ccApp.exe not being able to shutdown normally, or something like that. Thanks again, Screen. That was the first time I'd seen the System Restore option in like a month, so I'm pretty excited that we must be getting somewhere!
  14. Hi Screen, I ran the fix.reg you provided, but unfortunately when I reboot and right click on My Computer>Properties, there is no System Restore tab. I know that if I go into regedit, and delete "SystemRestore\DisableSR" and "SystemRestore\DisableConfig" then I temporarily have access to the System Restore tab, but as soon as I reboot, those two registry keys are back, and System Restore is gone. Once again, thank you for your help, Screen!