Please Help Posted August 23, 2009 ID:113858 Share Posted August 23, 2009 Ran anti-malware, it found some infected files which were deleted, but after rebooting they returned. Cannot use Task Manager.Here is the log from HijackThis, Thanks. :Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:02:21 PM, on 8/23/2009Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\ZoneLabs\vsmon.exeC:\WINNT\system32\spoolsv.exeC:\Program Files\Array Networks\Common\8,3,1,84\arr_isrv.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\Program Files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exeC:\WINNT\System32\svchost.exeC:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\OfficeScan\ntrtscan.exeC:\WINNT\system32\nvsvc32.exeC:\WINNT\system32\regsvc.exeC:\WINNT\system32\MSTask.exeC:\WINNT\system32\stisvc.exeC:\OfficeScan\tmlisten.exeC:\WINNT\Explorer.EXEC:\WINNT\System32\WBEM\WinMgmt.exeC:\Program Files\RealVNC\WinVNC\WinVNC.exeC:\WINNT\system32\svchost.exeC:\OfficeScan\OfcPfwSvc.exeC:\WINNT\TEMP\LI813B.EXEC:\OfficeScan\pccntmon.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\ScanSoft\PaperPort\pptd40nt.exeC:\Program Files\Brother\Brmfcmon\BrMfcWnd.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\WINNT\system32\RUNDLL32.EXEC:\WINNT\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exeC:\Documents and Settings\All Users\Application Data\fead405\WIfead.exeC:\Program Files\FinePixViewer\QuickDCF.exeC:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeC:\Program Files\Brother\ControlCenter3\brccMCtl.exeC:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exeC:\Program Files\Brother\Brmfcmon\BrMfcmon.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO1 - Hosts: ::1 localhostO1 - Hosts: 94.232.248.66 browser-security.microsoft.comO1 - Hosts: 94.232.248.66 antivirprotection.comO1 - Hosts: 94.232.248.66 www.antivirprotection.comO1 - Hosts: 74.125.45.100 4-open-davinci.comO1 - Hosts: 74.125.45.100 securitysoftwarepayments.comO1 - Hosts: 74.125.45.100 privatesecuredpayments.comO1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.comO1 - Hosts: 74.125.45.100 getantivirusplusnow.comO1 - Hosts: 74.125.45.100 secure-plus-payments.comO1 - Hosts: 74.125.45.100 www.secure-plus-payments.comO1 - Hosts: 74.125.45.100 www.getavplusnow.comO1 - Hosts: 74.125.45.100 www.securesoftwarebill.comO1 - Hosts: 74.125.45.100 www.getantivirusplusnow.comO1 - Hosts: 74.125.45.100 secure.paysecuresystem.comO2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dllO2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocxO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelperO4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan\pccntmon.exe" -HideWindowO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUNO4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,SO4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exeO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUNO4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorunO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInitO4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1O4 - HKCU\..\Run: [shutterflyStudio] C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonlyO4 - HKCU\..\Run: [Windows Protection Suite] "C:\Documents and Settings\All Users\Application Data\fead405\WIfead.exe" /s /dO4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exeO4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeO4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...DEIIIDJGBHHJDEF (file missing)O9 - Extra 'Tools' menuitem: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...DEIIIDJGBHHJDEF (file missing)O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1251040415281O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cabO16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cabO16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://connect.ny.itg.com/prx/000/http/localhost/arr_x.cabO16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exeO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dllO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Array SSL VPN Service 8,3,1,84 (ArraySSL_VPN_Service8.3.1.84) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exeO23 - Service: Array Utility Service 8,3,1,84 (Array_Utility_Service8.3.1.84) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,3,1,84\arr_isrv.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeO23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exeO23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan\ntrtscan.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exeO23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan\OfcPfwSvc.exeO23 - Service: Domain Migration Administrator Agent (OnePointDomainAdminService) - NetIQ Corporation - C:\Program Files\OnePointDomainAgent\DCTAgentService.exeO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan\tmlisten.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exeO23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe--End of file - 13027 bytes Link to post Share on other sites More sharing options...
Staff screen317 Posted August 25, 2009 Staff ID:114787 Share Posted August 25, 2009 Hi and welcome to Malwarebytes.Please update MBAM, run a Quick Scan, and post its log.After that, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
Please Help Posted August 27, 2009 Author ID:115415 Share Posted August 27, 2009 Hi and thanks for your help.Update: By fixing one line from the Hijack This, I was able run and delete all the files from MBAM and they did not return after rebooting this time. Then I got your message about running ComboFix...So, my last MBAM log contained no infected files:Malwarebytes' Anti-Malware 1.40Database version: 2702Windows 5.0.2195 Service Pack 48/26/2009 8:35:06 PMmbam-log-2009-08-26 (20-35-06).txtScan type: Quick ScanObjects scanned: 95890Time elapsed: 8 minute(s), 40 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)ComboFix log:ComboFix 09-08-26.05 - Administrator 08/26/2009 17:13.1.1 - NTFSx86Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.639.390 [GMT -4:00]Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\docume~1\ADMINI~1\LOCALS~1\Temp\IadHide5.dllc:\documents and settings\Administrator\Application Data\Windows Protection Suitec:\documents and settings\Administrator\Application Data\Windows Protection Suite\cookies.sqlitec:\documents and settings\Administrator\Local Settings\Temp\IadHide5.dllc:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.datc:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.datc:\documents and settings\All Users\Application Data\WINSPSysc:\documents and settings\All Users\Application Data\WINSPSys\winps.cfgc:\program files\Mozilla Firefox\searchplugins\search.xmlc:\recycler\S-1-5-21-1004336348-1788223648-725345543-500c:\recycler\S-1-5-21-1106591827-654009076-425818713-500c:\recycler\S-1-5-21-1161191959-2006596497-1451377629-500c:\recycler\S-1-5-21-1851790228-1399273013-1408832246-500c:\recycler\S-1-5-21-244122443-1089559749-1396666437-500c:\recycler\S-1-5-21-634664336-1480134410-1310543000-500c:\recycler\S-1-5-21-797854463-345337248-359742564-500c:\winnt\system32\UACpyeutowkurgwvbl.datc:\winnt\Web\default.htt----- BITS: Possible infected sites -----hxxp://download.esd.intuit.com.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_UACd.sys-------\Service_UACd.sys((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 ))))))))))))))))))))))))))))))).2009-08-24 23:53 . 2009-03-30 14:32 97512 ----a-w- c:\winnt\system32\drivers\avipbb.sys2009-08-24 23:53 . 2009-03-24 20:07 65240 ----a-w- c:\winnt\system32\drivers\avgntflt.sys2009-08-24 23:53 . 2009-02-13 16:28 18520 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys2009-08-24 23:53 . 2009-02-13 16:16 64488 ----a-w- c:\winnt\system32\drivers\avgntdd.sys2009-08-24 23:53 . 2009-08-24 23:53 -------- d-----w- c:\program files\Avira2009-08-24 23:53 . 2009-08-24 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2009-08-24 23:26 . 2009-08-24 23:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar2009-08-24 02:31 . 2009-07-24 13:55 1090816 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll2009-08-24 02:19 . 2009-08-24 02:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar2009-08-24 01:09 . 2009-08-24 01:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG82009-08-24 00:22 . 2009-08-24 00:22 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.22009-08-23 20:03 . 2008-10-16 18:06 268648 ----a-w- c:\winnt\system32\mucltui.dll2009-08-23 02:27 . 2004-07-14 01:12 69632 ------w- c:\winnt\erase_SR.exe2009-08-23 02:13 . 2009-08-23 02:13 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe2009-08-12 21:09 . 2009-08-12 21:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC-FAX TX2009-08-11 20:56 . 2009-04-23 09:05 407552 ----a-w- c:\winnt\system32\mstsc.exe2009-08-11 20:56 . 2009-06-15 07:23 655872 -c----w- c:\winnt\system32\dllcache\mstscax.dll2009-08-11 20:56 . 2009-06-15 07:23 655872 ----a-w- c:\winnt\system32\mstscax.dll2009-08-05 05:04 . 2009-08-05 05:04 90164 -c----w- c:\winnt\system32\dllcache\atl.dll2009-08-05 05:04 . 2009-08-05 05:04 90164 ----a-w- c:\winnt\system32\atl.dll.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-08-24 23:38 . 2009-05-22 21:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\avg82009-08-24 01:28 . 2009-05-22 21:30 -------- d-----w- c:\program files\AVG2009-08-24 00:59 . 2004-07-29 09:07 -------- d--h--w- c:\program files\InstallShield Installation Information2009-08-24 00:54 . 2004-07-29 12:20 -------- d-----w- c:\program files\RealVNC2009-08-23 22:15 . 2009-05-23 00:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2009-08-23 19:55 . 2004-07-29 08:51 70520 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-08-23 03:53 . 2006-07-29 20:45 -------- d-----w- c:\program files\Trend Micro2009-08-23 02:16 . 2009-06-01 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-08-19 02:13 . 2007-06-20 21:48 30386478 ----a-w- c:\winnt\Internet Logs\tvDebug.zip2009-08-03 17:36 . 2009-06-01 20:10 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys2009-08-03 17:36 . 2009-06-01 20:10 18456 ----a-w- c:\winnt\system32\drivers\mbam.sys2009-07-27 11:27 . 1999-12-06 21:00 81168 ----a-w- c:\winnt\system32\fontsub.dll2009-07-27 11:27 . 1999-12-06 21:00 165136 ----a-w- c:\winnt\system32\t2embed.dll2009-07-22 00:30 . 2009-07-22 14:14 1073664 ----a-w- c:\winnt\Internet Logs\xDB4B.tmp2009-07-13 16:54 . 2009-07-13 16:45 1878984 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe2009-07-13 13:13 . 2004-06-17 21:02 78608 ----a-w- c:\winnt\system32\avifil32.dll2009-07-13 06:18 . 2004-06-22 18:45 233472 ----a-w- c:\winnt\system32\wmpdxm.dll2009-07-12 20:13 . 2009-07-12 20:15 6497280 ----a-w- c:\winnt\Internet Logs\xDB4A.tmp2009-07-12 20:13 . 2009-07-12 20:15 2692608 ----a-w- c:\winnt\Internet Logs\xDB49.tmp2009-07-12 04:02 . 2009-07-12 04:02 159032 ----a-w- c:\winnt\system32\atl90.dll2009-07-11 23:41 . 2009-07-11 23:41 97280 ----a-w- c:\winnt\system32\ATL80.dll2009-07-10 16:49 . 2004-06-07 18:19 601088 ----a-w- c:\winnt\system32\INETCOMM.DLL2009-07-10 16:49 . 2002-10-11 19:08 47616 ----a-w- c:\winnt\system32\INETRES.DLL2009-07-10 16:49 . 2003-03-03 20:57 229376 ----a-w- c:\winnt\system32\MSOEACCT.DLL2009-07-10 16:49 . 2003-03-03 20:57 91136 ----a-w- c:\winnt\system32\MSOERT2.DLL2009-07-10 16:47 . 2003-03-03 20:57 44032 ----a-w- c:\winnt\system32\MSIDENT.DLL2009-07-01 01:16 . 2009-07-01 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA2009-06-26 15:53 . 2009-06-26 15:53 576512 ----a-w- c:\winnt\system32\WININET.DLL2009-06-02 23:23 . 2004-06-22 13:59 1225728 ----a-w- c:\winnt\system32\quartz.dll2009-06-01 20:23 . 2009-06-01 20:24 5982208 ----a-w- c:\winnt\Internet Logs\xDB48.tmp2009-06-01 20:23 . 2009-06-01 20:24 24064 ----a-w- c:\winnt\Internet Logs\xDB47.tmp2009-06-01 20:19 . 2009-06-01 20:20 61440 ----a-w- c:\winnt\Internet Logs\xDB46.tmp2009-06-01 20:12 . 2009-06-01 20:13 5981696 ----a-w- c:\winnt\Internet Logs\xDB45.tmp2009-06-01 19:58 . 2009-06-01 19:59 5976064 ----a-w- c:\winnt\Internet Logs\xDB44.tmp2009-06-01 19:34 . 2009-06-01 19:37 41984 ----a-w- c:\winnt\Internet Logs\xDB42.tmp2009-06-01 19:34 . 2009-06-01 19:37 5952000 ----a-w- c:\winnt\Internet Logs\xDB43.tmp2009-06-01 19:30 . 2009-06-01 19:32 5959680 ----a-w- c:\winnt\Internet Logs\xDB41.tmp2009-06-01 19:24 . 2009-06-01 19:25 51200 ----a-w- c:\winnt\Internet Logs\xDB40.tmp2009-06-01 19:19 . 2009-06-01 19:21 5947392 ----a-w- c:\winnt\Internet Logs\xDB3F.tmp2009-06-01 19:03 . 2009-06-01 19:05 311808 ----a-w- c:\winnt\Internet Logs\xDB3E.tmp2004-06-16 18:52 . 2004-06-16 18:52 21952 ---h--w- c:\program files\folder.htt2009-05-17 20:25 . 2009-05-17 20:25 0 --sh--r- c:\winnt\FFSSET.BIN.------- Sigcheck -------[-] 2005-03-21 19:13 11264 AB176F2171DB704D51B8809E8A5C38BD c:\winnt\system32\CTFMON.EXE[-] 2002-11-26 23:03 52224 36678803A8030EE9A771935CFC1848BD c:\winnt\system32\mspmsnsv.dllc:\winnt\system32\drivers\ip6fw.sys ... is missing !!c:\winnt\system32\termsrv.dll ... is missing !!c:\winnt\system32\comres.dll ... is missing !!c:\winnt\system32\xmlprov.dll ... is missing !!.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816][HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}][HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816][HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}][HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816][HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2003-10-06 49152]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-08 68856]"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]"ShutterflyStudio"="c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2008-01-12 2500096][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-10-06 5058560]"OfficeScanNT Monitor"="c:\officescan\pccntmon.exe" [2006-02-07 356352]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-13 282624]"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]"CitiVAN"="c:\program files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 192512]"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2003-10-06 741376][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-11-18 241664]KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]@="Service"R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/24/2009 7:53 PM 108289]R2 Array_Utility_Service8.3.1.84;Array Utility Service 8,3,1,84;c:\program files\Array Networks\Common\8,3,1,84\arr_isrv.exe [9/29/2008 9:01 AM 344139]R2 ArraySSL_VPN_Service8.3.1.84;Array SSL VPN Service 8,3,1,84;c:\program files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exe [9/29/2008 9:01 AM 192587]R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 12:37 PM 13088]R2 TmFilter;Trend Micro Filter;c:\officescan\TmFilter.sys [11/9/2005 8:32 PM 252128]S3 ATP;Array Networks VPN Adapter;c:\winnt\system32\drivers\atpdrvr.sys [9/29/2008 9:01 AM 16896]S3 OnePointDomainAdminService;Domain Migration Administrator Agent;c:\program files\OnePointDomainAgent\DCTAgentService.exe [4/24/2006 5:01 PM 122880]--- Other Services/Drivers In Memory ---*NewlyCreated* - IPNAT*NewlyCreated* - RASAUTO*NewlyCreated* - SHAREDACCESS.- - - - ORPHANS REMOVED - - - -Notify-ckpNotify - (no file).------- Supplementary Scan -------.uStart Page = hxxp://msn.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemDefault_Search_URL = hxxp://www.google.com/ieuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%smSearchAssistant = hxxp://www.google.com/ieIE: &SearchIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: {{D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...DEIIIDJGBHHJDEFLSP: %SystemRoot%\system32\msafd.dllTrusted Zone: turbotax.comTrusted Zone: webkinz.com\wwwTCP: {C19B43F9-0961-495C-8354-95504CAF6F57} = 10.0.26.210DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cabDPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cabDPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://connect.ny.itg.com/prx/000/http/localhost/arr_x.cabFF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x7dge8is.default\FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dllFF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dllFF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-08-26 17:36Windows 5.0.2195 Service Pack 4 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(180)c:\winnt\system32\wzcdlg.dllc:\winnt\system32\WZCSAPI.DLL- - - - - - - > 'explorer.exe'(2024)c:\winnt\AppPatch\AcLayers.DLLc:\docume~1\ADMINI~1\LOCALS~1\Temp\IadHide5.dllc:\winnt\system32\SHDOCVW.DLL.Completion time: 2009-08-26 17:55 - machine was rebootedComboFix-quarantined-files.txt 2009-08-26 21:55Pre-Run: 4,354,150,400 bytes freePost-Run: 6,573,850,624 bytes free218 --- E O F --- 2009-08-25 21:23Hijack This log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:08:10 PM, on 8/26/2009Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\ZoneLabs\vsmon.exeC:\WINNT\system32\spoolsv.exeC:\Program Files\Array Networks\Common\8,3,1,84\arr_isrv.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exeC:\WINNT\System32\svchost.exeC:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeC:\WINNT\Explorer.EXEC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\OfficeScan\ntrtscan.exeC:\WINNT\system32\nvsvc32.exeC:\WINNT\system32\regsvc.exeC:\WINNT\system32\MSTask.exeC:\WINNT\system32\stisvc.exeC:\OfficeScan\tmlisten.exeC:\OfficeScan\pccntmon.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\system32\svchost.exeC:\OfficeScan\OfcPfwSvc.exeC:\Program Files\ScanSoft\PaperPort\pptd40nt.exeC:\Program Files\Brother\Brmfcmon\BrMfcWnd.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINNT\system32\RUNDLL32.EXEC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exeC:\Program Files\Brother\ControlCenter3\brccMCtl.exeC:\WINNT\system32\ctfmon.exeC:\Program Files\FinePixViewer\QuickDCF.exeC:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exeC:\Program Files\Brother\Brmfcmon\BrMfcmon.exeC:\OfficeScan\pccntupd.exeC:\WINNT\TEMP\ZR806B.EXEC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllR3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dllO2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocxO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan\pccntmon.exe" -HideWindowO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUNO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUNO4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorunO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInitO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1O4 - HKCU\..\Run: [shutterflyStudio] C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonlyO4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exeO4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exeO4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exeO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...DEIIIDJGBHHJDEF (file missing)O9 - Extra 'Tools' menuitem: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashb...DEIIIDJGBHHJDEF (file missing)O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1251040415281O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cabO16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cabO16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://connect.ny.itg.com/prx/000/http/localhost/arr_x.cabO16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exeO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: Array SSL VPN Service 8,3,1,84 (ArraySSL_VPN_Service8.3.1.84) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exeO23 - Service: Array Utility Service 8,3,1,84 (Array_Utility_Service8.3.1.84) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,3,1,84\arr_isrv.exeO23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeO23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exeO23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan\ntrtscan.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exeO23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan\OfcPfwSvc.exeO23 - Service: Domain Migration Administrator Agent (OnePointDomainAdminService) - NetIQ Corporation - C:\Program Files\OnePointDomainAgent\DCTAgentService.exeO23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan\tmlisten.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe--End of file - 11573 bytesThanks very much again, I really appreciate your help! Link to post Share on other sites More sharing options...
Staff screen317 Posted August 27, 2009 Staff ID:115525 Share Posted August 27, 2009 Hi,Before we continue, please go to VirusTotal, and upload the following file for analysis:c:\winnt\erase_SR.exec:\winnt\system32\CTFMON.EXEc:\winnt\system32\mspmsnsv.dllPost the results in your reply.Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.Click Start Scanning.You should get a notification bar (on top) to install the ActiveX control. Click on it and select to install the ActiveX.Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.In case you are having problems with installing the ActiveX/starting the scan, please read here.Click the Full System Scan button.It will start to download scanner components and databases. This can take a while.The main scan will start.Once the scan has finished scanning, click the Automatic cleaning (recommended) buttonIt could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.The cleaning can take a while, so please be patient.Then click the Show report button and Copy/Paste what is present under results in your next reply.Next, download my Security Check from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.Let me know what issues remain.-screen317 Link to post Share on other sites More sharing options...
Please Help Posted August 28, 2009 Author ID:115938 Share Posted August 28, 2009 Hi,Here are the results for the first two VirusTotal analysis, the last one will be in another reply:c:\winnt\erase_SR.exeFile a01bc613e7f7df8468a2f5ed8db09d9e received on 2009.07.08 16:49:29 (UTC)Antivirus Version Last Update Resulta-squared 4.5.0.18 2009.07.08 -AhnLab-V3 5.0.0.2 2009.07.08 -AntiVir 7.9.0.204 2009.07.08 -Antiy-AVL 2.0.3.1 2009.07.08 -Authentium 5.1.2.4 2009.07.08 -Avast 4.8.1335.0 2009.07.07 -AVG 8.5.0.386 2009.07.08 -BitDefender 7.2 2009.07.08 -CAT-QuickHeal 10.00 2009.07.08 -ClamAV 0.94.1 2009.07.08 -Comodo 1578 2009.07.08 -DrWeb 5.0.0.12182 2009.07.08 -eSafe 7.0.17.0 2009.07.08 -eTrust-Vet 31.6.6604 2009.07.08 -F-Prot 4.4.4.56 2009.07.07 -F-Secure 8.0.14470.0 2009.07.08 -Fortinet 3.117.0.0 2009.07.03 -GData 19 2009.07.08 -Ikarus T3.1.1.64.0 2009.07.08 -Jiangmin 11.0.706 2009.07.08 -K7AntiVirus 7.10.787 2009.07.08 -Kaspersky 7.0.0.125 2009.07.08 -McAfee 5670 2009.07.08 -McAfee+Artemis 5670 2009.07.08 -McAfee-GW-Edition 6.8.5 2009.07.08 -Microsoft 1.4803 2009.07.08 -NOD32 4224 2009.07.08 -Norman 6.01.09 2009.07.08 -nProtect 2009.1.8.0 2009.07.08 -Panda 10.0.0.14 2009.07.08 -PCTools 4.4.2.0 2009.07.08 -Prevx 3.0 2009.07.08 -Rising 21.37.24.00 2009.07.08 -Sophos 4.43.0 2009.07.08 -Sunbelt 3.2.1858.2 2009.07.08 -Symantec 1.4.4.12 2009.07.08 -TheHacker 6.3.4.3.363 2009.07.08 -TrendMicro 8.950.0.1094 2009.07.08 -VBA32 3.12.10.7 2009.07.08 -ViRobot 2009.7.8.1824 2009.07.08 Backdoor.Win32.SdBot.69632.HVirusBuster 4.6.5.0 2009.07.08 -Additional informationFile size: 69632 bytesMD5 : a01bc613e7f7df8468a2f5ed8db09d9eSHA1 : 14c0569f8058449791e8608bf92c868d2afa086eSHA256: 9d5961d21da2f0b61aea8920a3bf0f07c58d92a2ee1348701e617712b8cbd1a0PEInfo: PE Structure information<br> <br> ( base data )<br> entrypointaddress.: 0x3D8F<br> timedatestamp.....: 0x3B02B772 (Wed May 16 19:22:58 2001)<br> machinetype.......: 0x14C (Intel I386)<br> <br> ( 3 sections )<br> name viradd virsiz rawdsiz ntrpy md5<br> .text 0x1000 0xA03A 0xB000 6.25 1eb5060072ff3fd978cea87c10687c8b<br>.rdata 0xC000 0x1B0A 0x2000 3.94 7461449c8381ae3f61344f090acc513b<br>.data 0xE000 0x4748 0x3000 1.23 7b351c5c6350c5cb376f727b71776157<br> <br> ( 0 imports )<br> <br> <br> ( 0 exports )<br>TrID : File type identification<br>Win32 Executable MS Visual C++ (generic) (65.2%)<br>Win32 Executable Generic (14.7%)<br>Win32 Dynamic Link Library (generic) (13.1%)<br>Generic Win/DOS Executable (3.4%)<br>DOS Executable Generic (3.4%)ssdeep: 768:bVmBqhguxKj0DeYy+ymquJfRa/ZA2J4aYd9QfoWfGeoYZom:IqhxKjCBKZATaMQggomPEiD : Armadillo v1.71CWSandbox: <a href="http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=a01bc613e7f7df8468a2f5ed8db09d9e" target="_blank">http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=a01bc613e7f7df8468a2f5ed8db09d9e</a>RDS : NSRL Reference Data Set<br>-c:\winnt\system32\CTFMON.EXEFile CTFMON.EXE received on 2009.04.22 05:38:28 (UTC)Antivirus Version Last Update Resulta-squared 4.0.0.101 2009.04.22 -AhnLab-V3 5.0.0.2 2009.04.22 -AntiVir 7.9.0.148 2009.04.21 -Antiy-AVL 2.0.3.1 2009.04.21 -Authentium 5.1.2.4 2009.04.21 -Avast 4.8.1335.0 2009.04.21 -AVG 8.5.0.287 2009.04.21 -BitDefender 7.2 2009.04.22 -CAT-QuickHeal 10.00 2009.04.22 -ClamAV 0.94.1 2009.04.22 -Comodo 1124 2009.04.21 -DrWeb 4.44.0.09170 2009.04.22 -eSafe 7.0.17.0 2009.04.21 -eTrust-Vet 31.6.6440 2009.04.20 -F-Prot 4.4.4.56 2009.04.21 -F-Secure 8.0.14470.0 2009.04.22 -Fortinet 3.117.0.0 2009.04.22 -GData 19 2009.04.22 -Ikarus T3.1.1.49.0 2009.04.22 -K7AntiVirus 7.10.710 2009.04.21 -Kaspersky 7.0.0.125 2009.04.22 -McAfee 5591 2009.04.21 -McAfee+Artemis 5591 2009.04.21 -McAfee-GW-Edition 6.7.6 2009.04.22 -Microsoft 1.4602 2009.04.21 -NOD32 4026 2009.04.21 -Norman 6.00.06 2009.04.21 -nProtect 2009.1.8.0 2009.04.22 -Panda 10.0.0.14 2009.04.21 -PCTools 4.4.2.0 2009.04.21 -Prevx1 V2 2009.04.22 -Rising 21.26.20.00 2009.04.22 -Sophos 4.40.0 2009.04.22 -Sunbelt 3.2.1858.2 2009.04.21 -Symantec 1.4.4.12 2009.04.22 -TheHacker 6.3.4.0.312 2009.04.22 -TrendMicro 8.700.0.1004 2009.04.22 -VBA32 3.12.10.2 2009.04.21 -ViRobot 2009.4.22.1703 2009.04.22 -VirusBuster 4.6.5.0 2009.04.21 -Additional informationFile size: 11264 bytesMD5 : ab176f2171db704d51b8809e8a5c38bdSHA1 : fd3e82bb62bf86e5342ceefee104c9de741f624fSHA256: 3768c80d11f4e6f017740dc3f47b6ebe84be3e1f9d72bba056b09c342e23dec3PEInfo: PE Structure information<br> <br> ( base data )<br> entrypointaddress.: 0x2176<br> timedatestamp.....: 0x423F46EB (Mon Mar 21 23:12:59 2005)<br> machinetype.......: 0x14C (Intel I386)<br> <br> ( 3 sections )<br> name viradd virsiz rawdsiz ntrpy md5<br> .text 0x1000 0x1F2A 0x2000 6.92 5ac20db19a0db6fec2a438f49f9c55b1<br>.data 0x3000 0x1C8 0x200 0.88 fc5d6b36ccfaa664ad676ff8ddae26cb<br>.rsrc 0x4000 0x5D0 0x600 3.37 22ff68b90e4c9a61303c57a7cb1198d2<br> <br> ( 0 imports )<br> <br> <br> ( 0 exports )<br>TrID : File type identification<br>Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)ssdeep: 192:V2FGoSzlYWpiqfd/Yq4HED1XT8uGagB5ycdTUgS5yWopW:V2jgt4WXgslc9Uv8WopWPEiD : -RDS : NSRL Reference Data Set<br>- Link to post Share on other sites More sharing options...
Please Help Posted August 28, 2009 Author ID:115948 Share Posted August 28, 2009 I cannot post the results from the last VirusTotal analysis. After clicking on the <Add Reply> button, I get Method not implemented, POST to /forums/index.php not supportedHere is the link to the results for c:\winnt\system32\mspmsnsv.dll:http://www.virustotal.com/analisis/05e7195...8bef-1250643399 Link to post Share on other sites More sharing options...
Staff screen317 Posted August 28, 2009 Staff ID:116017 Share Posted August 28, 2009 Rename c:\winnt\erase_SR.exe to erase_SR.oldIf in time you find nothing amiss, delete it entirely.Proceed with the F-Secure scan.-screen317 Link to post Share on other sites More sharing options...
Please Help Posted August 29, 2009 Author ID:116464 Share Posted August 29, 2009 Hi,I renamed the erase_SR file as instructed.Here is my report from the F-secure scan:7 malware foundTrackingCookie.2o7 (spyware) System (Disinfected) TrackingCookie.Atdmt (spyware) System (Disinfected) TrackingCookie.Doubleclick (spyware) System (Disinfected) TrackingCookie.Mediaplex (spyware) System (Disinfected) TrackingCookie.Statcounter (spyware) System (Disinfected) TrackingCookie.Atwola (spyware) System (Disinfected) TrackingCookie.Imrworldwide (spyware) System (Disinfected) --------------------------------------------------------------------------------StatisticsScanned: Files: 49565 System: 3271 Not scanned: 8 Actions: Disinfected: 7 Renamed: 0 Deleted: 0 Not cleaned: 0 Submitted: 0 Files not scanned: C:\PAGEFILE.SYS C:\WINNT\SYSTEM32\CONFIG\DEFAULT C:\WINNT\SYSTEM32\CONFIG\SAM C:\WINNT\SYSTEM32\CONFIG\SECURITY C:\WINNT\SYSTEM32\CONFIG\SOFTWARE C:\WINNT\SYSTEM32\CONFIG\SYSTEM C:\OFFICESCAN\SUSPECT\MWSOEMON.EXE C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\ETILQS_HHRNNGNS791ZXZSB8S5P --------------------------------------------------------------------------------OptionsScanning engines: Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR Use advanced heuristics Link to post Share on other sites More sharing options...
Please Help Posted August 29, 2009 Author ID:116484 Share Posted August 29, 2009 Security Check report:Results of screen317's Security Check version 0.98.9 Windows 2000 Service Pack 4 `````````````````````````````` Antivirus/Firewall Check: Avira AntiVir Personal - Free Antivirus Trend Micro OfficeScan Client ZoneAlarm ZoneAlarm Spy Blocker Avira updated! `````````````````````````````` Anti-malware/Other Utilities Check: Ad-Aware ZoneAlarm Spy Blocker Malwarebytes' Anti-Malware HijackThis 2.0.2 Adobe Flash Player 10 Adobe Reader 7.0.9 Out of date Adobe Reader installed! `````````````````````````````` Process Check: objlist.exe by Laurent Ad-Aware AAWService.exe Ad-Aware AAWTray.exe is disabled! ``````````````````````````````DNS Vulnerability Check: nslookup.exe missing! GREAT! (Not vulnerable to DNS cache poisoning) `````````End of Log```````````Remaining issue:I cannot rename a folder in my C: drive. If I try to rename an existing folder or create a new one and name it, I get an "Error renaming File or Folder"Error reads:Cannot rename New Folder: There has been a sharing violation.The source or destination file may be in use.Any suggestions? Thanks. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 30, 2009 Staff ID:117035 Share Posted August 30, 2009 Hi,Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /uThis uninstalls all of ComboFix's components.Delete SecurityCheck.After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):Adobe Reader 7.0.9 Restart your computer.Get the latest version of Adobe Reader.Remaining issue:I cannot rename a folder in my C: drive. If I try to rename an existing folder or create a new one and name it, I get an "Error renaming File or Folder"Error reads:Cannot rename New Folder: There has been a sharing violation.The source or destination file may be in use.Any suggestions? Thanks.Give this a try:Go to Task Manager, and kill this task:explorer.exeBack in Task Manager, start a New Task, and type this in:explorer.exePress Enter (your Desktop should return now), and see if you still can't rename folders.-screen317 Link to post Share on other sites More sharing options...
Please Help Posted August 31, 2009 Author ID:117634 Share Posted August 31, 2009 Hi,Just a quick question before I uninstall ComboFix. Can I leave Combofix on my machine and run it periodically so it can find and get rid of other bad files?Thanks. Link to post Share on other sites More sharing options...
Staff screen317 Posted September 1, 2009 Staff ID:118347 Share Posted September 1, 2009 The short answer: no.ComboFix is a very dangerous tool when used unsupervised and is not meant to be run periodically as MBAM is.Plus, it would go out of date so quickly that your copy would quickly become obsolete. Link to post Share on other sites More sharing options...
Please Help Posted September 2, 2009 Author ID:118844 Share Posted September 2, 2009 Thanks for the info about Combofix. I uninstalled Combofix and deleted SecurityCheck and got the latest version of Adobe Reader.I deleted explorer.exe from task manager and started a new task. I still cannot rename folders in my C:, same error message.Also, even though I uninstalled Combofix, I still see a Combofix folder in my c:, should I delete that too?Thanks. Link to post Share on other sites More sharing options...
Staff screen317 Posted September 2, 2009 Staff ID:118906 Share Posted September 2, 2009 Yes delete that folder.Wait-- are you able to delete it?? Or does the same error get thrown up? Link to post Share on other sites More sharing options...
Please Help Posted September 2, 2009 Author ID:119246 Share Posted September 2, 2009 Hi,I was able to delete the Combofix folder with no error messages.Thanks. Link to post Share on other sites More sharing options...
Staff screen317 Posted September 3, 2009 Staff ID:119638 Share Posted September 3, 2009 Try Unlocking the folders and see if you are able to manipulate them now. Link to post Share on other sites More sharing options...
Please Help Posted September 3, 2009 Author ID:120148 Share Posted September 3, 2009 It worked! I had to choose a file that was connected to my c: only and not connected to any of the subdirectories in my c: I tested it, and now I am able to name and rename folders again!Thanks very much! Link to post Share on other sites More sharing options...
Staff screen317 Posted September 4, 2009 Staff ID:120322 Share Posted September 4, 2009 Great! Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:Green to go Yellow for caution Red to stop WOT has an addon available for both Firefox and IE.6) Be sure to update your Antivirus and Antispyware programs often!Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?Safe surfing,-screen317 Link to post Share on other sites More sharing options...
Please Help Posted September 4, 2009 Author ID:120558 Share Posted September 4, 2009 One other thing... the problem seems to have returned.I turned on my computer today and tried again to rename the folder in c: and it did not work this time, even after using Unlocker again.I even Unlocked all which rebooted my computer and it didn't work. Then I tried to just unlock certain paths and it did not seem to work either, because they were still listed in the Unlocker window. Any other suggestions??Thanks. Link to post Share on other sites More sharing options...
Staff screen317 Posted September 5, 2009 Staff ID:120939 Share Posted September 5, 2009 Did you try to do exactly as you did before?It worked! I had to choose a file that was connected to my c: only and not connected to any of the subdirectories in my c:I tested it, and now I am able to name and rename folders again!Thanks very much!Do you need to be renaming folders on in the root of your C drive? Link to post Share on other sites More sharing options...
Please Help Posted September 6, 2009 Author ID:121764 Share Posted September 6, 2009 Hi,I did do exactly as before, but for some reason it does not seem to work any more.Could it be because of the residual effects of a virus or something, I use to be able to do it before.If there are no other suggestions, I could work around that issue.Thank you! Link to post Share on other sites More sharing options...
Staff screen317 Posted September 7, 2009 Staff ID:122144 Share Posted September 7, 2009 Hi,I did do exactly as before, but for some reason it does not seem to work any more.Could it be because of the residual effects of a virus or something, I use to be able to do it before.If there are no other suggestions, I could work around that issue.Thank you!That's one of the big problems nowadays with malware; the damage it leaves behind can be incredibly difficult to pinpoint.It very well could be a residual effect. Formatting your system would resolve that, but I'm not sure you would want to pursue that avenue (backing up your data first). Let me know if you are interested in doing that. Link to post Share on other sites More sharing options...
Please Help Posted September 8, 2009 Author ID:122864 Share Posted September 8, 2009 Hi,No, I think I will leave it for now and just work around that issue. The next time I format my system I will probably upgrade the operating system as well, maybe in a couple of months.I do feel better about my system now then I did a few weeks ago. Thanks for all your help. I really appreciate it! Link to post Share on other sites More sharing options...
Staff screen317 Posted September 8, 2009 Staff ID:123110 Share Posted September 8, 2009 Thanks for letting me know, and glad we could help.Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts