
MBAM Freeze--Following up


snorlax


Good Morning...

I posted yesterday in another part of this forum that MBAM was freezing, during a COMPLETE scan, on the file

C:\Windows\ServicePackFiles\i386\mouse_c.htm .

An admin, Yardbird, suggested that I follow up here with a HJT log and an MBAM log.

As to removing anti-virus, my employer put Symantec on this computer & I cannot remove it.

HJT gives the following:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:53:14 AM, on 9/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\OCS Inventory Agent\ocsservice.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Symantec AntiVirus\DoScan.exe

C:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garritan.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu

O17 - HKLM\Software\..\Telephony: DomainName = fcnt.franklincollege.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bradford Persistent Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--

End of file - 11319 bytes

================================================================================

A QUICK scan with MBAM yielded this logfile. The window said that there were three issues--the Microsoft Security was disabled, which I assume is OK since I had other anti-spyware and anti-virus running. Here's the logfile, which does not show those three findings:

ALSO: The program showed that it scanned more files than the 6240 shown in the logfile, and the scan took a few minutes, not 30 seconds.

Malwarebytes' Anti-Malware 1.41

Database version: 2832

Windows 5.1.2600 Service Pack 3

9/21/2009 7:59:35 AM

mbam-log-2009-09-21 (07-59-35).txt

Scan type: Quick Scan

Objects scanned: 6240

Time elapsed: 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thank you in advance for looking at this info...

Jim W.

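The HijackThis log above is reviewed by eye in this thread. As an added example (not part of the original post, and not Trend Micro's code), the Python below parses the O4, O17 and O23 line formats that appear in that log and flags the entries a reviewer checks first: O23 services whose binary is missing or whose publisher is "Unknown owner", O4 autoruns launched from user-writable locations or using a system-binary name outside system32, and O17 domain entries that differ from the domain the log itself reports (fcnt.franklincollege.edu). The sample lines are copied from the log above except for the `updater` O4 line and the `evil-example.test` O17 line, which are constructed to show what a hit looks like.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass

# Domain taken from the O17 lines in the log above; anything else is suspect.
EXPECTED_DOMAIN = "fcnt.franklincollege.edu"

# Binary names that malware likes to borrow; legitimate copies live in system32.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "explorer.exe", "lsass.exe",
                "csrss.exe", "services.exe", "smss.exe"}
# Path fragments that an unprivileged user can write to (XP and later layouts).
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\", "\\users\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<param>\w+) = (?P<value>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")

# Sample input: lines from the log in this thread plus two constructed hits.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\jwilliams\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = evil-example.test
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    section: str   # O4 / O17 / O23
    subject: str   # autorun name, registry key or service display name
    reason: str


def exe_path(cmd):
    """Return the executable path from an O4 command, dropping quotes and arguments."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split('"')[0]


def triage(log_text, expected_domain=EXPECTED_DOMAIN):
    """Scan HJT log text and return the entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path = exe_path(m["cmd"])
            low = path.lower()
            base = low.rsplit("\\", 1)[-1]
            if any(marker in low for marker in USER_WRITABLE):
                findings.append(Finding("O4", m["name"], f"autorun from user-writable path: {path}"))
            if base in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
                findings.append(Finding("O4", m["name"], f"system binary name outside system32: {path}"))
        elif m := O17_RE.match(line):
            if m["value"].strip().lower() != expected_domain.lower():
                findings.append(Finding("O17", m["key"], f"unexpected {m['param']}: {m['value']}"))
        elif m := O23_RE.match(line):
            if m["missing"]:
                findings.append(Finding("O23", m["display"], "service binary missing (orphaned entry)"))
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", m["display"], "no publisher recorded for service binary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.subject}: {f.reason}")
```

On the sample this reports five findings: two for the constructed `updater` autorun, one for the constructed O17 domain, and two for the orphaned iPod Service entry that is in the real log. An orphan with a missing binary is usually leftover from an uninstall rather than malware, but it is the kind of line a reviewer confirms rather than assumes.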

  • Root Admin

Well, since this is a work computer that you don't have FULL control of, I'm not sure whether we'll be able to assist you.

Please run the following scanner if you can and we'll take a look.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  2. During the download, rename Combofix to Combo-Fix as follows:
     (two screenshots of the Firefox download dialog and the rename step, not reproduced here)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe instead, or winlogon.exe.

This is because it also happens in some cases that malware blocks EVERY process except those on its own whitelist, and this whitelist usually includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Let's try splitting it up...

OK...here we go...

Process was not perfect, but eventually ok...

turned off Symantec AV by stopping the process in services.msc

Disabled Spybot S&D and PCTOOLS spyware doctor.

Ran Combo-Fix.

Combo-Fix gave me an error "some files are corrupt, download again"

I went to safe mode to see what would happen

Reran Combo-Fix.

Same message.

Turned on internet connection & re-downloaded combofix; saved per instructions.

Still in safe mode, ran combofix...Combo-Fix.txt follows...

==============================================================================

ComboFix 09-09-30.06 - Jwilliams 10/01/2009 10:42.1.1 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1696 [GMT -4:00]

Running from: c:\documents and settings\jwilliams\Desktop\Combo-Fix.exe

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\jwilliams\Application Data\Microsoft\Internet Explorer\Quick Launch\wrar351.exe

c:\windows\AUTOLNCH.REG

c:\windows\Installer\126b8f7.msi

c:\windows\Installer\126b8fd.msi

c:\windows\Installer\126b903.msi

c:\windows\Installer\42ee2.msi

c:\windows\Installer\46186.msp

----- BITS: Possible infected sites -----

hxxp://app-sus.fcnt.franklincollege.edu

.

((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))

.

2009-09-28 00:53 . 2009-09-28 00:53 -------- d-----w- c:\program files\CCleaner

2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\documents and settings\jwilliams\Local Settings\Application Data\VMware

2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\program files\VMware

2009-09-21 11:52 . 2009-09-21 11:52 -------- d-----w- c:\program files\Trend Micro

2009-09-11 23:13 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-09-11 23:13 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-09-09 12:13 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-01 14:17 . 2009-03-01 07:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-01 14:16 . 2008-10-07 18:52 -------- d-----w- c:\program files\OCS Inventory Agent

2009-10-01 14:15 . 2006-10-30 14:20 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-30 12:31 . 2009-07-19 15:04 -------- d-----w- c:\program files\Spyware Doctor

2009-09-30 01:19 . 2008-03-17 14:31 -------- d-----w- c:\documents and settings\jwilliams\Application Data\Garritan

2009-09-29 04:10 . 2007-07-09 20:13 -------- d-----w- c:\documents and settings\jwilliams\Application Data\Skype

2009-09-29 04:02 . 2007-12-31 22:56 -------- d-----w- c:\documents and settings\jwilliams\Application Data\skypePM

2009-09-28 00:58 . 2009-03-01 06:30 -------- d-----w- c:\program files\Ccy HaHaZip v31

2009-09-19 01:13 . 2007-08-09 22:31 -------- d-----w- c:\documents and settings\jwilliams\Application Data\McGraw-HillLicensing

2009-09-12 03:50 . 2009-07-04 00:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 18:54 . 2009-07-04 00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-07-04 00:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 12:43 . 2009-04-07 13:12 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-09 12:44 . 2007-05-07 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-02 21:15 . 2006-10-30 17:53 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-02 20:13 . 2006-10-30 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-01 11:05 . 2009-09-01 11:05 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-09-01 11:05 . 2009-07-19 15:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-08-27 17:32 . 2009-08-27 17:32 -------- d-----w- c:\program files\Bradford Networks

2009-08-26 15:46 . 2007-06-25 22:00 -------- d-----w- c:\program files\Garritan

2009-08-20 03:48 . 2009-08-20 03:48 -------- d-----w- c:\program files\Muspub5

2009-08-19 17:39 . 2009-05-29 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DragAndRun

2009-08-06 23:24 . 2006-10-16 16:55 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2006-10-16 16:55 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2006-10-16 16:55 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2006-05-09 14:50 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2006-10-16 16:55 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2006-10-16 16:55 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2006-10-16 16:55 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 21:03 . 2009-08-05 21:03 -------- d-----w- c:\program files\Zoopysoft

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 22:11 . 2006-10-30 17:45 -------- d-----w- c:\program files\Java

2009-07-25 09:23 . 2008-12-01 14:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 11:16 . 2009-07-16 11:16 687104 ----a-w- c:\windows\is-AS9E7.exe

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-12 15:07 . 2007-06-25 15:07 194776 ----a-w- c:\documents and settings\jwilliams\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2007-10-22 23:09 . 2007-10-22 23:09 604 ---ha-w- c:\program files\STLL Notifier

2003-08-27 18:19 . 2007-06-28 05:19 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll

2009-06-18 17:16 . 2009-06-18 17:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll

2009-06-18 17:36 . 2009-06-18 17:36 108272 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2007-08-05 22:18 . 2007-08-05 19:27 608 --sha-w- c:\windows\system32\winzvprt5.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-13 102400]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-13 684032]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]

"bncsaui.exe"="c:\program files\Bradford Networks\Persistent Agent\bncsaui.exe" [2009-02-04 2612960]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk

backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"HControl"=c:\windows\ATK0100\HControl.exe

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide

"SAMSUNG Keydefine"=c:\program files\SAMSUNG\Keydefine\KeyDefin.exe

"SM1BG"=c:\windows\SM1BG.EXE

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AllAlertsDisabled"=dword:00000001

"TermService"=dword:00000001

"DisableMonitoring"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_0.EXE"=

"c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\McGraw-Hill\\MH_EZTest\\mysql\\bin\\mysqld.exe"=

"c:\\McGraw-Hill\\MH_EZTest\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/19/2009 11:05 AM 206256]

S0 R592;R592;c:\windows\system32\drivers\R592.sys [10/16/2006 2:01 PM 57088]

S2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2/4/2009 9:33 AM 2944736]

S2 EQSharedEngine;EQ Shared Engine;c:\program files\Equitrac\Express\Client\EQSharedEngine.exe [2/19/2007 3:44 PM 1521192]

S2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [4/16/2009 10:24 AM 69632]

S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]

S2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [1/16/2009 6:29 AM 147456]

S3 echondgo;Indigo Service;c:\windows\system32\drivers\echondgo.sys [6/25/2007 4:02 PM 132992]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 12:04 AM 102448]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/19/2009 11:04 AM 348752]

S3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [11/5/2007 9:05 PM 951284]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.garritan.com/

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: garritan.biz\www

Trusted Zone: yellowtools.us\www

DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://app-view.franklincollege.edu/downloads/VMware-viewclient.cab

.

- - - - ORPHANS REMOVED - - - -

AddRemove-__ARIA_2001___is1 - e:\garritan_world_instruments_beta1\World Instruments\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-01 10:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2114926708-1884511829-1243820751-1149\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{31931AEE-F56E-318D-9727-D76C76F84D41}*]

"mapfacekemhmdokkecddmkcpla"=hex:6f,61,6f,6c,6a,62,6b,62,6d,6c,62,6c,6b,63,67,

66,70,6f,67,62,63,6c,6b,63,66,67,6b,67,63,6e,00,ff

"abcgllipdlckbobddfpdlpignmlfjcmlon"=hex:6d,61,6b,66,68,6e,6f,6e,65,6a,65,64,

68,63,69,67,67,62,6d,6b,66,61,67,69,6f,69,00,ff

[HKEY_LOCAL_MACHINE\software\Classes\CakewalkPlugIns\

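Two parts of the ComboFix log above are easier to judge once parsed: the Security Center values under `Reg Loading Points` (all four `Disable`/`Disabled` flags are set to 1, which matches the "Microsoft Security was disabled" finding the poster mentions), and the `LOCKED REGISTRY KEYS` entries whose `hex:` values are wrapped across lines. The Python below is an added example, not part of the original post and not ComboFix's own code: it parses the REGEDIT4-style fragment ComboFix prints, decodes `dword:` and `hex:` values, lists which Security Center switches are off, and renders a hex value as text when it is a terminated ASCII string. The sample fragment is copied from the log above; the check only reports values named `*Disable*` under the Security Center key, which is an assumption about what is worth listing, not a definition from Microsoft.

```python
"""Parse a ComboFix / REGEDIT4 registry fragment and evaluate Security Center flags.
Added example; the sample fragment is copied from the ComboFix log in this thread."""
import re

SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_USERS\S-1-5-21-2114926708-1884511829-1243820751-1149\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{31931AEE-F56E-318D-9727-D76C76F84D41}*]
"mapfacekemhmdokkecddmkcpla"=hex:6f,61,6f,6c,6a,62,6b,62,6d,6c,62,6c,6b,63,67,
66,70,6f,67,62,63,6c,6b,63,66,67,6b,67,63,6e,00,ff
"""

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\software\microsoft\security center"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<raw>.*)$')
# A wrapped continuation of a hex: value: comma-separated byte pairs, optional trailing '\'.
HEX_CONT_RE = re.compile(r"^[0-9a-fA-F]{2}(,[0-9a-fA-F]{2})*,?\\?$")


def decode_value(raw):
    """Turn the textual .reg value into an int, bytes or str."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        body = raw[4:].rstrip("\\").strip(",")
        return bytes(int(b, 16) for b in body.split(",") if b)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw  # hex(2): / hex(7): and other typed forms are left as text


def parse_reg(text):
    """Return {key: {value_name: decoded_value}} for a REGEDIT4 fragment."""
    keys, current, last_name = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if m := KEY_RE.match(line):
            current = m["key"]
            keys.setdefault(current, {})
            last_name = None
        elif (m := VALUE_RE.match(line)) and current is not None:
            last_name = m["name"] or "@"
            keys[current][last_name] = m["raw"].rstrip("\\")
        elif last_name and HEX_CONT_RE.match(line):
            # ComboFix wraps long hex values; glue the continuation back on.
            keys[current][last_name] += line.rstrip("\\")
    return {k: {n: decode_value(v) for n, v in vals.items()} for k, vals in keys.items()}


def security_center_state(reg):
    """List (key, name) pairs under the Security Center key that switch monitoring off."""
    off = []
    for key, values in reg.items():
        if not key.lower().startswith(SECURITY_CENTER.lower()):
            continue
        for name, value in values.items():
            if "disable" in name.lower() and value == 1:
                off.append((key, name))
    return off


def printable(value):
    """Render a hex: value as text when it is a NUL/0xFF-terminated ASCII string."""
    if isinstance(value, bytes):
        text = value.rstrip(b"\xff").rstrip(b"\x00")
        if text and all(32 <= b < 127 for b in text):
            return text.decode("ascii")
    return value


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key, name in security_center_state(reg):
        print(f"Security Center switch off: {key}\\{name}")
    for key, values in reg.items():
        for name, value in values.items():
            if isinstance(value, bytes):
                print(f"{name} = {printable(value)!r}")
```

Running it shows four Security Center switches set (AllAlertsDisabled, DisableMonitoring and UpdatesDisableNotify on the main key, plus DisableMonitoring under Monitoring\SymantecAntiVirus); a third-party suite that takes over monitoring may set these itself, so the values are a prompt to confirm which product did it, not proof of infection. The locked-key value decodes to a plain lowercase ASCII string, which tells a reviewer it is a stored token rather than binary payload before deciding whether to chase it further.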

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:25:36 AM, on 10/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\OCS Inventory Agent\ocsservice.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Bradford Networks\Persistent Agent\bncsaui.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garritan.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} (VMware_VDM_Client Class) - https://app-view.franklincollege.edu/downlo...-viewclient.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu

O17 - HKLM\Software\..\Telephony: DomainName = fcnt.franklincollege.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fcnt.franklincollege.edu

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bradford Persistent Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://www.ocsinventory-ng.org - C:\Program Files\OCS Inventory Agent\ocsservice.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

O23 - Service: VMware View Client Service (wsnm) - VMware, Inc. - C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe

--

End of file - 11164 bytes


This should precede the HJT file:

Got out of safe mode, booted into normal Windows, restarted the Symantec AV service and PCTOOLS Spyware Doctor (but not Spybot S&D), and re-established the internet connection.

At this point I ran Spyware Doctor--it caught one instance of something so I quarantined it.

Then I ran HJT.

Here is the latest HJT log:


COMPLETE RESPONSE: FORUM OBJECTED TO SOME NAMES IN OTHER POST & WOULD NOT ACCEPT RESPONSE:

OK...here we go...

Process was not perfect, but eventually ok...

turned off Symantec AV by stopping the process in services.msc

Disabled Spybot S&D and PCTOOLS spyware doctor.

Ran Combo-Fix.

Combo-Fix gave me an error "some files are corrupt, download again"

I went to safe mode to see what would happen

Reran Combo-Fix.

Same message.

Turned on internet connection & re-downloaded combofix; saved per instructions.

Still in safe mode, ran combofix...Combo-Fix.txt follows...

==============================================================================

ComboFix 09-09-30.06 - Jwilliams 10/01/2009 10:42.1.1 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1696 [GMT -4:00]

Running from: c:\documents and settings\jwilliams\Desktop\Combo-Fix.exe

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\jwilliams\Application Data\Microsoft\Internet Explorer\Quick Launch\wrar351.exe

c:\windows\AUTOLNCH.REG

c:\windows\Installer\126b8f7.msi

c:\windows\Installer\126b8fd.msi

c:\windows\Installer\126b903.msi

c:\windows\Installer\42ee2.msi

c:\windows\Installer\46186.msp

----- BITS: Possible infected sites -----

hxxp://app-sus.fcnt.franklincollege.edu

.

((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))

.

2009-09-28 00:53 . 2009-09-28 00:53 -------- d-----w- c:\program files\CCleaner

2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\documents and settings\jwilliams\Local Settings\Application Data\VMware

2009-09-21 12:28 . 2009-09-21 12:28 -------- d-----w- c:\program files\VMware

2009-09-21 11:52 . 2009-09-21 11:52 -------- d-----w- c:\program files\Trend Micro

2009-09-11 23:13 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-09-11 23:13 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-09-09 12:13 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-01 14:17 . 2009-03-01 07:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-01 14:16 . 2008-10-07 18:52 -------- d-----w- c:\program files\OCS Inventory Agent

2009-10-01 14:15 . 2006-10-30 14:20 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-30 12:31 . 2009-07-19 15:04 -------- d-----w- c:\program files\Spyware Doctor

2009-09-30 01:19 . 2008-03-17 14:31 -------- d-----w- c:\documents and settings\jwilliams\Application Data\Garritan

2009-09-29 04:10 . 2007-07-09 20:13 -------- d-----w- c:\documents and settings\jwilliams\Application Data\Skype

2009-09-29 04:02 . 2007-12-31 22:56 -------- d-----w- c:\documents and settings\jwilliams\Application Data\skypePM

2009-09-28 00:58 . 2009-03-01 06:30 -------- d-----w- c:\program files\Ccy HaHaZip v31

2009-09-19 01:13 . 2007-08-09 22:31 -------- d-----w- c:\documents and settings\jwilliams\Application Data\McGraw-HillLicensing

2009-09-12 03:50 . 2009-07-04 00:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 18:54 . 2009-07-04 00:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-07-04 00:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 12:43 . 2009-04-07 13:12 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-09 12:44 . 2007-05-07 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-02 21:15 . 2006-10-30 17:53 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-02 20:13 . 2006-10-30 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-01 11:05 . 2009-09-01 11:05 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-09-01 11:05 . 2009-07-19 15:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-08-27 17:32 . 2009-08-27 17:32 -------- d-----w- c:\program files\Bradford Networks

2009-08-26 15:46 . 2007-06-25 22:00 -------- d-----w- c:\program files\Garritan

2009-08-20 03:48 . 2009-08-20 03:48 -------- d-----w- c:\program files\Muspub5

2009-08-19 17:39 . 2009-05-29 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DragAndRun

2009-08-06 23:24 . 2006-10-16 16:55 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2006-10-16 16:55 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2006-10-16 16:55 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2006-05-09 14:50 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2006-10-16 16:55 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2006-10-16 16:55 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2006-10-16 16:55 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 21:03 . 2009-08-05 21:03 -------- d-----w- c:\program files\Zoopysoft

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 22:11 . 2006-10-30 17:45 -------- d-----w- c:\program files\Java

2009-07-25 09:23 . 2008-12-01 14:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 11:16 . 2009-07-16 11:16 687104 ----a-w- c:\windows\is-AS9E7.exe

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-12 15:07 . 2007-06-25 15:07 194776 ----a-w- c:\documents and settings\jwilliams\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2007-10-22 23:09 . 2007-10-22 23:09 604 ---ha-w- c:\program files\STLL Notifier

2003-08-27 18:19 . 2007-06-28 05:19 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll

2009-06-18 17:16 . 2009-06-18 17:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll

2009-06-18 17:36 . 2009-06-18 17:36 108272 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2007-08-05 22:18 . 2007-08-05 19:27 608 --sha-w- c:\windows\system32\winzvprt5.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-13 102400]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-13 684032]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]

"bncsaui.exe"="c:\program files\Bradford Networks\Persistent Agent\bncsaui.exe" [2009-02-04 2612960]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk

backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"HControl"=c:\windows\ATK0100\HControl.exe

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide

"SAMSUNG Keydefine"=c:\program files\SAMSUNG\Keydefine\KeyDefin.exe

"SM1BG"=c:\windows\SM1BG.EXE

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AllAlertsDisabled"=dword:00000001

"TermService"=dword:00000001

"DisableMonitoring"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_0.EXE"=

"c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\McGraw-Hill\\MH_EZTest\\mysql\\bin\\mysqld.exe"=

"c:\\McGraw-Hill\\MH_EZTest\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/19/2009 11:05 AM 206256]

S0 R592;R592;c:\windows\system32\drivers\R592.sys [10/16/2006 2:01 PM 57088]

S2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2/4/2009 9:33 AM 2944736]

S2 EQSharedEngine;EQ Shared Engine;c:\program files\Equitrac\Express\Client\EQSharedEngine.exe [2/19/2007 3:44 PM 1521192]

S2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [4/16/2009 10:24 AM 69632]

S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]

S2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [1/16/2009 6:29 AM 147456]

S3 echondgo;Indigo Service;c:\windows\system32\drivers\echondgo.sys [6/25/2007 4:02 PM 132992]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 12:04 AM 102448]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/19/2009 11:04 AM 348752]

S3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [11/5/2007 9:05 PM 951284]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.garritan.com/

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: garritan.biz\www

Trusted Zone: yellowtools.us\www

DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://app-view.franklincollege.edu/downloads/VMware-viewclient.cab

.

- - - - ORPHANS REMOVED - - - -

AddRemove-__ARIA_2001___is1 - e:\garritan_world_instruments_beta1\World Instruments\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-01 10:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2114926708-1884511829-1243820751-1149\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{31931AEE-F56E-318D-9727-D76C76F84D41}*]

"mapfacekemhmdokkecddmkcpla"=hex:6f,61,6f,6c,6a,62,6b,62,6d,6c,62,6c,6b,63,67,

66,70,6f,67,62,63,6c,6b,63,66,67,6b,67,63,6e,00,ff

"abcgllipdlckbobddfpdlpignmlfjcmlon"=hex:6d,61,6b,66,68,6e,6f,6e,65,6a,65,64,

68,63,69,67,67,62,6d,6b,66,61,67,69,6f,69,00,ff

[HKEY_LOCAL_MACHINE\software\Classes\CakewalkPlugIns\


Hi...

I must have done something bad here...

Combofix said it needed to load Windows recovery console, so I let it.

Now when I boot up, I am asked if I want to boot to Windows recovery console or directly to XP.

What can I do to undo this?

What did I do to make it do that?

Thanx


  • Root Admin

It installed the Recovery Console on purpose and will automatically time out to normal Windows boot.

Okay well you've got a major issue here. You can only have one Anti-Virus product installed at a time as they will cause conflicts with each other.

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

This file here is a bit odd and I could not find conclusive data to say if it was good or bad, but based on its location I would say it's bad.

2007-08-05 22:18 . 2007-08-05 19:27 608 --sha-w- c:\windows\system32\winzvprt5.sys

If you look here: BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *

Something is preventing CHKDSK the Disk Check from running when you reboot.

/P \??\Volume: Schedules an unconditional Chkdsk against the volume.

If you really want to find out what the issue and problems are with MBAM locking up then I think we need to remove some stuff and isolate the cause.

This takes some time and you can't just instantly re-install the software because you think it's okay or not the issue.

I really don't have enough time to do this because I'm going out of town tomorrow afternoon for the weekend.

If it were my machine here is what I would do.

Uninstall all of the following

1. All Anti-Virus

2. Disable and move this file until you know for sure if it's safe or not. c:\windows\system32\winzvprt5.sys

3. Uninstall the Acronis software

4. Uninstall Spyware Doctor

5. Remove all Toolbars

6. Rollback to IE7 for now

7. Start a DOS prompt and run CHKDSK C: /F and reboot and make sure that Disk Check runs. With all this other software removed it should run.

If it's still not running then you need to find out why. It could also be an old Chipset driver or something like that.

Is this computer running ON VMware or it has VMware installed?

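The BootExecute line quoted in the reply above, checked programmatically. This is an added example written for this page, not code from the thread, from ComboFix or from Malwarebytes. It parses the value the way ComboFix prints it (the REG_MULTI_SZ strings joined with a literal `\0`), treats the stock Windows entry `autocheck autochk *` as the baseline, and reports everything else: an autochk entry carrying `/p` (the unconditional disk check the reply describes, with the volume it targets) or any program that is not autochk at all, since BootExecute is also a load point a defender should keep an eye on. The second sample line, the program name in it and all function names are this example's own constructions.

```python
import re

# Stock Windows BootExecute value: a single REG_MULTI_SZ string.
DEFAULT_ENTRY = "autocheck autochk *"

# Constructed sample: the BootExecute line as it appears in the thread's
# ComboFix report. ComboFix joins the REG_MULTI_SZ strings with a literal "\0".
SAMPLE_LINE = r"BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *"

# Constructed sample of a value with an extra, non-autochk program queued
# (hypothetical file name, for illustration only).
SAMPLE_EXTRA_PROGRAM = r"BootExecute REG_MULTI_SZ autocheck autochk *\0example_bootsvc.exe"


def split_multi_sz(raw):
    """Split a ComboFix-printed REG_MULTI_SZ into its individual strings."""
    return [s.strip() for s in raw.split(r"\0") if s.strip()]


def parse_bootexecute_line(line):
    """Return the list of BootExecute entries from a ComboFix report line."""
    m = re.match(r"BootExecute\s+REG_MULTI_SZ\s+(.*)$", line.strip())
    if not m:
        raise ValueError("not a BootExecute line: %r" % line)
    return split_multi_sz(m.group(1))


def classify_entry(entry):
    """Describe one BootExecute entry.

    'autochk' is True when the entry invokes the stock disk checker;
    'unconditional' and 'volume' record an 'autochk /p <volume>' request,
    which forces a full chkdsk of that volume at the next boot.
    """
    tokens = entry.split()
    info = {
        "entry": entry,
        "default": entry == DEFAULT_ENTRY,
        "autochk": False,
        "unconditional": False,
        "volume": None,
    }
    if len(tokens) >= 2 and [t.lower() for t in tokens[:2]] == ["autocheck", "autochk"]:
        info["autochk"] = True
        args = tokens[2:]
        for i, arg in enumerate(args):
            if arg.lower() == "/p" and i + 1 < len(args):
                info["unconditional"] = True
                info["volume"] = args[i + 1]
    return info


def audit_bootexecute(line):
    """Return one finding per non-default entry (an empty list means the stock value)."""
    findings = []
    for info in map(classify_entry, parse_bootexecute_line(line)):
        if info["default"]:
            continue
        if info["autochk"] and info["unconditional"]:
            findings.append("unconditional chkdsk queued for volume %s" % info["volume"])
        elif info["autochk"]:
            findings.append("non-default autochk entry: %s" % info["entry"])
        else:
            # Anything that is not autochk is a program being started before
            # the session manager: worth verifying, whatever its name.
            findings.append("unexpected BootExecute program: %s" % info["entry"])
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_LINE, SAMPLE_EXTRA_PROGRAM):
        print(sample)
        for finding in audit_bootexecute(sample) or ["stock value, nothing queued"]:
            print("  -", finding)
```

Run against the thread's line it reports a single finding, the unconditional check queued for `\??\G:`; a machine with the stock value produces no findings at all, so the same function doubles as a quick baseline check when reading other ComboFix reports.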

Ron,

Hope you had a nice weekend...I did ;-)

I think the best thing for me to do here is to take the computer to my IT dep't and have them reimage it.

I'll do that within the next couple days.

Before I end this thread, though, I do have a few questions.

In NO way are these questions intended to doubt anyone's or anything's skill. I am just seeking to LEARN here.

1. I have heard conflicting advice on this matter...what is your advice? I value it. I have Symantec AV, provided by my employer, with resident protection. I also have PCTOOLS withOUT Anti-Virus but WITH the "intelli-scan" function activated. I also have Spybot S&D with resident protection. I have picked up from you and several people here that the resident parts may conflict. Am I harming myself here?

2. When MBAM freezes while scanning file X, can that indicate a problem in some other file Y? Does MBAM's freezing always indicate a problem with the computer somewhere? Does it always imply the existence of malware somewhere on the computer?

3. ZVPRT5 is a print driver from zan1011.com . Since you recommend its removal, I will remove it, but I scanned it with all my other tools and it seems to be 100% benign.

4. IMPORTANT: Combo-Fix seems to have left behind some stuff I need to deal with...I was able to stop the computer from booting into the menu making me choose between recovery console and regular XP. But there are two directories or so left behind that I don't know what to do with, and Pctools finds 106 registry entries that ComboFix seems to have left behind. Can I delete those directories and those 106 registry entries? It calls them "Application NirCmd," which I understand to mean that these are probably helpful items, placed by a friendly program, that could be malicious if placed by an UNfriendly source.

5. IMPORTANT: There is a folder called QOOBOX which seems to contain some things that have been quarantined by ComboFix. Correct? One item I noticed was WRAR351.exe. As far as I can tell, this is innocuous. I googled it and it seems that some programs flag it as an FP. What's in this QOOBOX folder? Can I kill it?

6. Here is text from a file called ComboFix-Quarantined-files.txt in that folder

2009-10-01 14:48:12 . 2009-10-01 14:48:12 2,198 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-__ARIA_2001___is1.reg.dat

2009-10-01 14:45:13 . 2009-10-01 14:45:13 12,974 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-10-01 14:37:21 . 2009-10-01 14:37:21 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

2007-11-24 23:22:03 . 2007-11-24 23:22:03 1,214,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\42ee2.msi.vir

2007-11-13 23:39:28 . 2007-11-13 23:39:28 631,808 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\126b903.msi.vir

2007-11-13 23:39:11 . 2007-11-13 23:39:11 623,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\126b8fd.msi.vir

2007-11-13 23:38:56 . 2007-11-13 23:38:56 1,214,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\126b8f7.msi.vir

2007-07-02 18:53:11 . 2009-07-08 21:22:04 1,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\AUTOLNCH.REG.vir

2007-06-26 05:48:32 . 2005-11-17 20:48:04 1,014,477 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\jwilliams\Application Data\Microsoft\Internet Explorer\Quick Launch\wrar351.exe.vir

2006-10-16 18:20:28 . 2009-10-01 14:08:35 5,417 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir

2006-10-16 18:20:28 . 2009-10-01 14:08:35 5,417 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir

2005-08-08 18:25:44 . 2005-08-08 18:25:44 97,385,984 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\46186.msp.vir

Are all these items malware/viruses? Can I delete the QOOBOX folder?

Again, I am NOT questioning or doubting anyone or anything. I am only trying to learn. I'd appreciate your answers.

With appreciation,

Jim W.

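The ComboFix-Quarantined-files.txt listing quoted in the post above has a regular layout (created time, a dot, modified time, size with thousands separators, an attribute string, and the path inside C:\Qoobox). The script below is an added example, not ComboFix's own code and not part of the original post: it parses that layout and reconstructs where each quarantined file originally lived, which is the information needed to answer "what did ComboFix actually take?" before the folder is deleted. The field layout and the `<original path>.vir` naming are inferred from the listing itself; the sample input is four lines copied from the post.

```powershell
# Added example (not from the post or from ComboFix): parse the
# ComboFix-Quarantined-files.txt listing and summarise what was quarantined.
# Field layout inferred from the listing in the post:
#   <created> . <modified> <size,with,commas> <attribute flags> <quarantined path>

# Sample input: four lines copied from the listing in the post above.
$sampleLog = @'
2009-10-01 14:48:12 . 2009-10-01 14:48:12 2,198 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-__ARIA_2001___is1.reg.dat
2007-06-26 05:48:32 . 2005-11-17 20:48:04 1,014,477 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\jwilliams\Application Data\Microsoft\Internet Explorer\Quick Launch\wrar351.exe.vir
2006-10-16 18:20:28 . 2009-10-01 14:08:35 5,417 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2005-08-08 18:25:44 . 2005-08-08 18:25:44 97,385,984 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\46186.msp.vir
'@

$linePattern = '^(?<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. ' +
               '(?<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ' +
               '(?<size>[\d,]+) (?<attrs>\S{8}) (?<path>.+)$'
$culture = [Globalization.CultureInfo]::InvariantCulture

function ConvertFrom-QuarantineLog {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch $linePattern) { continue }     # skip blanks and anything unparsable
        # Copy the captures before the second -match below overwrites $Matches.
        $created  = [datetime]::ParseExact($Matches['created'],  'yyyy-MM-dd HH:mm:ss', $culture)
        $modified = [datetime]::ParseExact($Matches['modified'], 'yyyy-MM-dd HH:mm:ss', $culture)
        $size     = [int64] ($Matches['size'] -replace ',', '')
        $attrs    = $Matches['attrs']
        $qpath    = $Matches['path']

        # ComboFix keeps a quarantined file as <original path>.vir under
        # C:\Qoobox\Quarantine\C\ and registry exports under Registry_backups.
        $kind = 'Other'; $original = $null
        if ($qpath -match '^C:\\Qoobox\\Quarantine\\C\\(.+)\.vir$') {
            $kind = 'QuarantinedFile'
            $original = 'C:\' + $Matches[1]
        } elseif ($qpath -like 'C:\Qoobox\Quarantine\Registry_backups\*') {
            $kind = 'RegistryBackup'
        }

        New-Object PSObject -Property @{
            Kind         = $kind
            Created      = $created
            Modified     = $modified
            SizeBytes    = $size
            Attributes   = $attrs
            Quarantined  = $qpath
            OriginalPath = $original
        }
    }
}

$entries = @(ConvertFrom-QuarantineLog ($sampleLog -split "`r?`n"))

# What was taken, oldest first, with the path it came from.
$entries | Sort-Object Modified |
    Format-Table Kind, Modified, SizeBytes, OriginalPath -AutoSize

# Entries that came from a user profile rather than a system directory:
# user-writable locations are the first place to check when triaging a quarantine.
$entries | Where-Object { $_.OriginalPath -like 'C:\Documents and Settings\*' } |
    Select-Object OriginalPath, SizeBytes

# To run this against the real file in the QooBox folder instead of the sample:
# Get-Content 'C:\Qoobox\ComboFix-Quarantined-files.txt' | ConvertFrom-QuarantineLog
```

On the sample lines the output shows one registry backup, two files from under a user profile (the Quick Launch executable and the BITS downloader data file) and one Windows Installer patch; the `OriginalPath` column is what to check against the scan logs to decide whether an entry was a real detection or a false positive before the folder is removed.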

  • Root Admin

1. A lot depends on how the driver and process are implemented. I've not run this particular implementation myself so I can't speak directly to it.

Basically what happens is this as an example:

You're browsing a Website and then maybe some link or script attempts to download Malware onto your system.

A. Symantec AV kicks in and attempts to manage the threat

B. PCTOOLS also kicks in and attempts to manage the threat

C. Spybot S&D also kicks in and attempts to manage the threat

D. If you're using MBAM Protection Module then it also kicks in and attempts to manage the threat

So you now have potentially 4 products attempting to stop this infection. In a rare case it might be possible for one of these products to see the other one also attempting to intercept this threat and it "might" block the other tool which then often causes a freezing issue.

In such a case even if it did not lock the box completely it's possible that in so doing maybe the threat was able to bypass the protection and get started installing.

Another scenario is that maybe due to conflict the threat is only partially stopped, or maybe not detected at all because of conflicts.

It's also quite possible that they will operate in harmony with each other, but experience for most users indicates this is often not the case.

Long story short... it's best not to have multiple programs running in live continuous protection mode unless you're willing to take the time and effort required to ensure that they do not conflict.

2. There are reported files that have in the past caused reading issues for the program. We have updated the program to attempt to prevent this from happening but it's possible that you have some file or setting or other software on the system that we're just not aware of that is causing this.

3. I did not recommend that you remove it. I asked that you check it more and verify, as I was not sure what it was.

Move or rename it until you know for sure whether it is safe or not.

4. Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP A

Uninstall ComboFix.exe

  • Click START then RUN

  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.


  • When shown the disclaimer, Select "2"

Remove the folder C:\QooBox if the uninstall instructions don't work, and delete Combofix.exe. Also check your system time and reset it if needed.

5. See solution for #4

6. See solution for #4

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".

  • If the shortcut is missing you can also click on START > RUN and type in %SystemRoot%\system32\restore\rstrui.exe and click OK.

  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".

  • Give the new Restore Point a name, then click "Create".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use Disk Cleanup to remove all but the most recently created Restore Point.

  • Go to Start > Run and type: Cleanmgr.exe

  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "More Options" tab, then click the "Clean up" button under System Restore.

  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"

  • Click Yes, then click Ok.

  • Click Yes again when prompted with "Are you sure you want to perform these actions?"

  • Disk Cleanup will remove the files and close automatically.

  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available, remove it as well.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

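The "Create a New Restore Point" step above can also be scripted, which is useful when cleaning several machines or when you want a record of exactly which restore point is the clean one. The script below is an added example, not from the post and not part of any tool mentioned in it: it uses the SystemRestore WMI class that Windows XP and later client editions expose in the root\default namespace, assumes PowerShell (2.0 was available for XP SP3) running with administrator rights, and uses a constructed description string. Pruning the older points is still done with Disk Cleanup as described above; the WMI class has no method for that.

```powershell
# Added example, not from the post: create the post-cleanup restore point
# through WMI and list what exists before and after, so the new point can be
# told apart from the old ones before Disk Cleanup prunes them.
# Needs an elevated PowerShell prompt; the SystemRestore class is only present
# on client editions (XP, Vista, 7), not on servers.

$description = 'Post-cleanup baseline'   # constructed name; pick one you will recognise later

function Get-RestorePointList {
    # CreationTime is a WMI datetime string, so convert it to a real [datetime].
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object {
            New-Object PSObject -Property @{
                Sequence    = $_.SequenceNumber
                Description = $_.Description
                Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            }
        }
}

function New-CleanupRestorePoint {
    param([string] $Description)
    $sr = [wmiclass] '\\.\root\default:SystemRestore'
    # Arguments: Description, RestorePointType (12 = MODIFY_SETTINGS),
    # EventType (100 = BEGIN_SYSTEM_CHANGE).
    $result = $sr.CreateRestorePoint($Description, 12, 100)
    if ($result.ReturnValue -ne 0) {
        throw "CreateRestorePoint failed with return code $($result.ReturnValue)"
    }
}

"Restore points before:"
Get-RestorePointList | Format-Table Sequence, Created, Description -AutoSize

New-CleanupRestorePoint -Description $description

"Restore points after (the highest sequence number is the new one):"
Get-RestorePointList | Format-Table Sequence, Created, Description -AutoSize
```

Keep the "after" listing with the rest of the cleanup notes: it records the sequence number and timestamp of the clean point, which is the same information the post asks you to log by hand, and it lets you confirm that the older points really are gone once Disk Cleanup has run.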

Many thanks for your kind and patient answers, Ron

As you can see, I am a bit spooked and frazzled by all this malware stuff...though I am backed up.

About the zvprt file...actually, I just moved it to a cd with a few other things and can put it back...I figured I'd just move it off for a while as all this was going on.

Again, thanks.

Jim W.

