
Spyware Guard 2008 - Removal help


dwisti


I have a similar problem as this fellow. My computer is infected with Spyware Guard 2008. I tried to install Malwarebytes' Anti-Malware v1.32. It seems Spyware Guard 2008 is blocking the mbam-setup.exe. I rebooted into safe mode and was able to install Malwarebytes' Anti-Malware by renaming mbam-setup.exe to just setup.exe. At the end, I was sure to place a checkmark next to the following:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Then I clicked Finish but it seems Spyware Guard 2008 is blocking the execution of Anti-Malware. I have not tried to run HijackThis to create a log. I'm currently creating an image of the infected drive.

Any advice on my next step would be greatly appreciated.

David


  • Root Admin

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.

  • It may take a minute to load and become available.

  • Do not make any changes. As soon as it's done and the COPY button is available, click on the COPY button.

  • DO NOT click on the SCAN button.

  • This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.

  • Click OK and quit the GMER program.


Tried to run GMER.exe but it looks like Spyware Guard 2008 kills the task. I renamed the GMER.exe and was able to get it to run. I said no to the dialog,

WARNING !!!

GMER has found system modification, which might have been caused by ROOTKIT activity. Do you want to fully scan your system ?

Here's the log:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-12 21:17:50

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

Code E161A2A8 ZwEnumerateKey

Code E165D4C0 ZwFlushInstructionCache

Code BACA3EAB pIofCallDriver

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- Threads - GMER 1.0.14 ----

Thread 4:156 BACA4D66

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\TDSSpqlt.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

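A small triage script for logs in the GMER format shown above, added here as an example; it is not part of the thread and not GMER's own code. It splits the log into its "---- Section ----" blocks and flags the hidden service and the kernel code hooks; the TDSS file-name pattern (TDSS plus four letters plus an extension) is an assumption taken from the file list later in the thread.

```python
"""Triage a GMER rootkit-scan log like the one posted in this thread.

Added example (not GMER's code, not a tool from the thread). It follows
GMER's "---- Section - GMER x.y ----" layout and flags the indicators in
the posted log: a service marked "*** hidden ***" or "<-- ROOTKIT", and
inline kernel code hooks ("Code <addr> <func>"). The TDSS file-name
heuristic (TDSS + four letters + extension) is an assumption drawn from
the paths listed later in the thread.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
CODE_HOOK_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\S+)$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\((?P<flags>[^)]*)\)\s+"
    r"\[(?P<start>[^\]]+)\]\s+(?P<name>\S+)(?P<note>.*)$"
)
TDSS_NAME_RE = re.compile(r"\bTDSS[a-z]{4}\.(?:sys|dll|dat|log|tmp)\b", re.IGNORECASE)

# Transcribed from the GMER log posted above (blank lines dropped).
SAMPLE_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-12 21:17:50
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
Code E161A2A8 ZwEnumerateKey
Code E165D4C0 ZwFlushInstructionCache
Code BACA3EAB pIofCallDriver
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
---- Threads - GMER 1.0.14 ----
Thread 4:156 BACA4D66
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\TDSSpqlt.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys <-- ROOTKIT !!!
---- EOF - GMER 1.0.14 ----
"""


@dataclass
class Finding:
    severity: str  # "high" for a hidden/rootkit-tagged service, "medium" otherwise
    section: str
    detail: str


def parse_gmer_log(text: str) -> list:
    """Walk the log section by section and return the findings, highest severity first."""
    findings = []
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section != "EOF":
            _classify(section, line, findings)
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f.severity])


def _classify(section: str, line: str, findings: list) -> None:
    if section == "Services":
        m = SERVICE_RE.match(line)
        if m and ("hidden" in m.group("flags").lower() or "ROOTKIT" in m.group("note")):
            findings.append(Finding(
                "high", section,
                f"hidden service {m.group('name')} backed by {m.group('path')}"))
    elif section == "System":
        m = CODE_HOOK_RE.match(line)
        if m:
            # Inline hooks in kernel routines are how TDSS hides its files, keys and driver.
            findings.append(Finding(
                "medium", section,
                f"kernel code hook on {m.group('func')} at {m.group('addr')}"))
    # Name-pattern hit on any line; skip names already named in an existing finding.
    for name in TDSS_NAME_RE.findall(line):
        if not any(name.lower() in f.detail.lower() for f in findings):
            findings.append(Finding("medium", section, f"TDSS-style file name {name}"))


def summarize(text: str) -> list:
    """One 'SEVERITY [section] detail' string per finding, ready to paste into a reply."""
    return [f"{f.severity.upper()} [{f.section}] {f.detail}" for f in parse_gmer_log(text)]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```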

  • Root Admin

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member dwisti only. If you are a lurker, do NOT try this on your system!

If you are not dwisti and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!


Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

STEP01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP02

  • Download and install CCleaner.

  • Double-click on the downloaded file "ccsetup215.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close ALL PROGRAMS.

  • Start the CCleaner program.

  • Click on Registry and uncheck Registry Integrity so that it does not run.

  • Click on Options - Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours".

  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files.

  • Click on the Run Cleaner button on the bottom right side of the program.

  • Click OK to any prompts

STEP03

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

This should apply to AVG8:

To disable the Resident Shield, please:

* open AVG User Interface
* double-click on the Resident Shield
* un-tick the option Resident Shield active
* save the changes.

STEP04

Please download and run the following file to repair file and registry permissions

STEP05

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.

  • Click on Install. It will create a folder named FixPolicies on your desktop.

  • Open the FixPolicies folder.

  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

  • Reboot your computer after it runs.

  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

  • Note: some malware will block the running of this tool. So if you cannot run FixPolicies, RENAME the EXE file to something like Mytool.exe and then run it.

STEP06

Download this INF repair file by MS-MVP Miekiemoes:
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder VArestorepolicies, right-click the file inside, VArestorepolicies.INF, and choose Install.

STEP07


If you have a prior copy of Combofix, delete it now !

Download ComboFix from one of these locations, saving to DESKTOP:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe & follow the prompts.

  • If and only if you are prompted to download a new version of Combofix, reply NO .

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this (a rootkit-found warning), then be sure to write it down fully, copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

STEP08

IF and only IF the Combofix has worked without exceptions, only then do the following. IF it has exceptions, then please provide all details and put that in a reply pronto, and STOP, and await my reply.

Only if Combofix has a good finish:

I'm going to have you get and run a special tool. It will hopefully take out most remains of this beast. Keep in mind that not all files I list here will be found on your system; so do not be alarmed. This is a general-type list of typical infectors.

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.

  • Click OK.

  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to delete:

    C:\WINDOWS\system32\brsvc01a.exe

    C:\WINDOWS\system32\brss01a.exe

    C:\WINDOWS\SYSTEM32\TDSSixgp.dll

    C:\WINDOWS\SYSTEM32\TDSSproc.log

    C:\WINDOWS\SYSTEM32\TDSSwkod.log

    C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp

    c:\windows\system32\drivers\msqpdxserv.sys

    C:\resycled

    D:\resycled

    e:\resycled

    f:\resycled

    g:\resycled

    c:\windows\system32\TDSSweat.dat

    C:\WINDOWS\system32\drivers\TDSSmqlt.sys

    C:\windows\system32\drivers\tdssserv.sys

    C:\WINDOWS\system32\drivers\TDSSmact.sys

    C:\WINDOWS\system32\TDSSfpmp.dll

    C:\WINDOWS\system32\TDSSwpyd.dat

    C:\WINDOWS\system32\TDSStkdv.log

    C:\WINDOWS\system32\TDSSotxb.dll

    C:\WINDOWS\system32\TDSScrrn.dll

    C:\WINDOWS\system32\TDSSbvqh.dll

    C:\WINDOWS\system32\TDSSjnmx.dll

    c:\windows\system32\TDSShrxr.dll

    c:\windows\system32\TDSSkkbi.log

    c:\windows\system32\TDSSlrvd.dat

    c:\windows\system32\TDSSlxwp.dll

    c:\windows\system32\TDSSnmxh.log

    c:\windows\system32\TDSSoiqt.dll

    c:\windows\system32\TDSSrhyp.log

    c:\windows\system32\TDSSrtqp.dll

    c:\windows\system32\TDSSsihc.dll

    c:\windows\system32\TDSSxfum.dll

    c:\windows\system32\TDSSmtve.dat

    c:\windows\system32\TDSSnirj.dat


    Drivers to delete:

    tdss

    tdssserv

    TDSSserv.SYS

    Service_TDSSSERV.SYS

    Legacy_TDSSSERV.SYS

    msqpdxserv.sys

    msqpdxserv


    Registry keys to delete:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

    HKEY_LOCAL_MACHINE\SOFTWARE\tdss

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV


  • In the Avenger window, click the Paste Script from Clipboard icon button.

  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.

  • Click the Execute button.

  • You will be asked: Are you sure you want to execute the current script?

  • Click Yes.

  • You will now be asked: First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?

  • Click Yes.

  • Your PC will now be rebooted.

  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.

  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.

  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

STEP09

Download DDS and save it to your desktop from one of these 3 locations:

1. http://www.techsupportforum.com/sectools/sUBs/dds
2. http://download.bleepingcomputer.com/sUBs/dds.scr
3. http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please include the following logs in your next reply:

DDS.txt

Attach.txt

Please then reply with a copy of C:\Combofix.txt, C:\Avenger.txt, and a new HijackThis

RE-Enable your AntiVirus and AntiSpyware applications.

Got to step 7. Ran combofix.exe. Microsoft Recovery Console was not installed. I connected the Ethernet for internet but I must have clicked OK to install too quickly. The install of Microsoft Recovery Console failed with an error dialog.

Wrote down this message and clicked OK to reboot.

ComboFix has detected the presence of rootkit activity and needs to reboot the machine

Kindly note down on paper the name of each file. We may need it later

C:\WINDOWS\system32\drivers\TDSSpqlt.sys

C:\WINDOWS\system32\TDSSoiqt.dll

C:\WINDOWS\system32\TDSSmtvd.dat

C:\WINDOWS\system32\TDSShrxr.dll

C:\WINDOWS\system32\TDSSmtql.dll

C:\WINDOWS\system32\TDSSxfum.dll

C:\WINDOWS\system32\TDSSlxwp.dll

C:\WINDOWS\system32\TDSSkkbi.log

C:\WINDOWS\system32\TDSSnmxh.log

C:\WINDOWS\system32\TDSSsahc.dll

C:\WINDOWS\system32\TDSSrhyp.log

Once I turned on the computer again, it started running ComboFix again automatically. It's on the dialog box to install the Recovery Console. Not sure what I should do next. Awaiting reply...


If it can install the Recovery Console, please let it. If not, then go ahead and proceed and let it run, and it should be able to remove that infection.

Then we'll run some scans to ensure it was removed.

Tried to install Recovery Console but it failed again. ComboFix did its thing; log is attached. The Spyware Guard 2009 program is on the desktop so I'm not sure if we got everything. Funny, the title bar in the start menu says Spyware Guard 2008 but the GUI title is now 2009. I'm stopping here and awaiting further instructions.

ComboFix 09-01-10.01 - dwisti 2009-01-13 8:49:36.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1375 [GMT -5:00]

Running from: c:\documents and settings\dwisti.PROG\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll

c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe

c:\documents and settings\All Users\Application Data\svhost.exe

c:\program files\Microsoft Common

c:\program files\Microsoft Common\svchost.exe

c:\windows\IE4 Error Log.txt

c:\windows\reged.exe

c:\windows\spoolsystem.exe

c:\windows\sys.com

c:\windows\syscert.exe

c:\windows\sysexplorer.exe

c:\windows\system32\drivers\TDSSpqlt.sys

c:\windows\system32\java2.sys

c:\windows\system32\snjava.dll

c:\windows\system32\TDSShrxr.dll

c:\windows\system32\TDSSkkbi.log

c:\windows\system32\TDSSlxwp.dll

c:\windows\system32\TDSSmtql.dll

c:\windows\system32\TDSSmtvd.dat

c:\windows\system32\TDSSnmxh.log

c:\windows\system32\TDSSoiqt.dll

c:\windows\system32\TDSSrhyp.log

c:\windows\system32\TDSSsahc.dll

c:\windows\system32\TDSSxfum.dll

c:\windows\system32\winscenter.exe

c:\windows\vmreg.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_TDSSserv.sys

-------\Legacy_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))

.

2009-01-12 21:52 . 2009-01-12 21:52 <DIR> d-------- c:\program files\CCleaner

2009-01-12 13:31 . 2009-01-12 13:31 <DIR> dr-h----- C:\VProRecovery

2009-01-12 12:05 . 2009-01-12 12:05 <DIR> d-------- c:\documents and settings\dwisti\Application Data\Subversion

2009-01-12 11:42 . 2009-01-12 11:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-12 11:42 . 2009-01-12 11:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-12 11:42 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-12 11:42 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-12 10:17 . 2009-01-12 10:17 <DIR> d-------- c:\program files\Spyware Guard 2009

2009-01-10 20:10 . 2009-01-10 20:10 <DIR> d-------- c:\documents and settings\dwisti.PROG\Application Data\Download Manager

2009-01-09 12:48 . 2009-01-09 12:48 <DIR> d-------- c:\documents and settings\dwisti.PROG\Application Data\ImgBurn

2009-01-09 12:45 . 2009-01-09 12:45 <DIR> d-------- c:\program files\ImgBurn

2009-01-06 12:40 . 2009-01-06 12:40 4,785 --a------ C:\bng01.cfg.bak

2009-01-06 12:40 . 2009-01-06 12:40 4,785 --a------ C:\bng01.cfg

2008-12-25 17:39 . 2008-12-25 18:02 <DIR> d-------- c:\documents and settings\dwisti.PROG\Application Data\dvdcss

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-13 14:05 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware

2009-01-13 14:05 --------- d-----w c:\documents and settings\All Users\Application Data\VMware

2009-01-13 03:32 --------- d-----w c:\documents and settings\dwisti.PROG\Application Data\Skype

2009-01-13 02:26 --------- d-----w c:\documents and settings\dwisti.PROG\Application Data\skypePM

2009-01-12 02:49 --------- d-----w c:\documents and settings\dwisti.PROG\Application Data\VMware

2009-01-09 16:31 --------- d-----w c:\program files\Mozilla Thunderbird

2009-01-09 15:20 --------- d-----w c:\program files\Beyond Compare 3

2009-01-05 14:41 349 ----a-w C:\mountusr.cmd

2008-12-12 17:40 --------- d-----w c:\documents and settings\dwisti.PROG\Application Data\vlc

2008-12-12 17:34 --------- d-----w c:\program files\VideoLAN

2008-12-12 14:19 --------- d-----w c:\program files\Xvid

2008-12-12 13:58 --------- d-----w c:\program files\GBA Media

2008-12-11 06:45 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-12-09 15:10 --------- d-----w c:\documents and settings\dwisti.I2SNET\Application Data\Infineon

2008-12-08 18:17 --------- d-----w c:\program files\LinkMaster

2008-12-08 15:43 --------- d-----w c:\program files\KEPServerEx

2008-11-18 12:13 --------- d-----w c:\program files\SBLManager

2008-11-17 21:29 --------- d-----w c:\program files\InteractX

2008-06-13 13:30 88,761 ----a-w c:\windows\inf\pxiclean.exe

2004-03-15 21:51 114,688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2003-05-01 13:36 114,688 ----a-w c:\program files\internet explorer\plugins\LV7ActiveXControl.dll

2006-01-23 14:32 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 14:48 133,920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll

2007-07-24 22:03 118,784 ----a-w c:\program files\internet explorer\plugins\LV85ActiveXControl.dll

2008-06-26 02:51 118,784 ----a-w c:\program files\internet explorer\plugins\LV86ActiveXControl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]

"Google Update"="c:\documents and settings\dwisti.PROG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-15 133104]

"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2008-02-29 4670704]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 344064]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"IfxSecurePlatformIndication"="c:\program files\Broadcom\Security Platform Software\SpTNA.exe" [2005-03-11 114688]

"PSDruntime"="c:\program files\Broadcom\Security Platform Software\PSDrt.EXE" [2005-03-11 81920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"Symantec Backup Exec System Recovery 8.0"="c:\program files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe" [2008-08-12 2245984]

"spywareguard"="c:\program files\Spyware Guard 2009\spywareguard.exe" [2009-01-12 1025536]

c:\documents and settings\dwisti.PROG\Start Menu\Programs\Startup\

Shortcut to mountusr.cmd.lnk - C:\mountusr.cmd [2008-09-12 349]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSDNtfy]

2005-03-11 09:43 45056 c:\program files\Broadcom\Security Platform Software\PSDNtfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]

2005-03-11 10:05 360448 c:\windows\system32\IfxWlxEN.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\National Instruments\\LabVIEW 8.5\\LabVIEW.exe"=

"c:\\Program Files\\National Instruments\\Shared\\mDNS Responder\\nimdnsResponder.exe"=

"c:\\Program Files\\KEPServerEx\\ServerMain.exe"=

"c:\\jobs\\r+d05\\RTImage\\builds\\Replication\\RT Image\\RT Image.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-07-10 15448]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-03-11 29283]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-09-12 88192]

R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2008-06-13 11360]

R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2008-06-13 11360]

R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2007-12-18 11360]

R3 SymSnapService;SymSnapService;c:\program files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe [2008-01-30 1558000]

R4 Backup Exec System Recovery;Backup Exec System Recovery;c:\program files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe [2008-02-02 4314464]

R4 DriverX;DriverX;c:\windows\system32\drivers\Driverx.sys [2008-09-13 54112]

R4 LoggingService;Proficy Log Server;c:\program files\GE Fanuc\Proficy Machine Edition\Proficy Event Logger\LoggingService.exe [2008-04-01 143360]

R4 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2007-02-16 12696]

R4 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [2007-04-16 37376]

R4 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [2007-04-16 21504]

R4 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\nidaq32k.sys [2007-04-16 674304]

R4 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2007-02-16 12696]

R4 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [2007-04-16 50688]

R4 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [2008-06-20 129144]

R4 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [2008-06-18 192112]

R4 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [2007-04-16 30208]

R4 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2007-09-18 11552]

R4 nistck;nistck;c:\windows\system32\drivers\niSTCk.dll [2007-04-16 111616]

R4 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2008-06-20 11360]

R4 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2008-04-14 5120]

R4 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-09-11 54960]

R4 VMwareHostd;VMware Host Agent;c:\program files\VMware\VMware Server\vmware-hostd.exe [2008-09-11 322096]

R4 VMwareServerWebAccess;VMware Server Web Access;c:\program files\VMware\VMware Server\tomcat\bin\tomcat6.exe [2008-09-11 57344]

R4 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\WebDrive\wdfsd.sys [2008-04-16 182528]

S3 DS2490;DS2490 (USB Host for 1-Wire Network);c:\windows\system32\drivers\DS2490.sys [2005-08-25 58852]

S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2007-12-20 20056]

S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2007-10-08 25888]

S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2007-10-08 11552]

S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2007-10-08 22360]

S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2007-02-26 16672]

S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2007-12-26 11352]

S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [2008-02-22 11336]

S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2007-12-18 11336]

S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2008-02-29 11344]

S3 nidwgk;nidwgk;c:\windows\system32\drivers\nidwgkl.sys [2007-10-09 11360]

S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2008-02-22 11336]

S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2008-02-22 11336]

S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [2007-12-26 11352]

S3 nigplk;nigplk;c:\windows\system32\drivers\nigplkl.sys [2008-06-16 11640]

S3 nihsdrk;nihsdrk;c:\windows\system32\drivers\nihsdrkl.sys [2008-06-15 11352]

S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2008-01-11 11392]

S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2007-06-24 14464]

S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2007-06-24 151683]

S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2007-12-18 11368]

S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2007-12-27 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2008-06-13 11904]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2008-06-13 11896]

S3 nipsdk;nipsdk;c:\windows\system32\drivers\nipsdkl.sys [2008-06-02 11392]

S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2007-11-26 20768]

S3 nirfsa2k;nirfsa2k;c:\windows\system32\drivers\niRFSA2kl.sys [2008-05-27 11328]

S3 NiRioRpc;National Instruments RIO Server;c:\windows\system32\NiRioRpc.exe [2008-06-26 27720]

S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2008-01-07 11376]

S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2008-01-07 11352]

S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2007-12-20 11344]

S3 nisldk;nisldk;c:\windows\system32\drivers\nisldkl.sys [2008-06-02 11344]

S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2008-01-07 11376]

S3 nisrcdk;nisrcdk;c:\windows\system32\drivers\nisrcdkl.sys [2008-05-27 11352]

S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2008-02-22 11336]

S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2008-01-07 11312]

S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2008-02-14 11360]

S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2008-01-02 11336]

S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2008-02-19 11360]

S3 nitnr2k;nitnr2k;c:\windows\system32\drivers\nitnr2kl.sys [2007-12-01 11328]

S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [2008-02-22 11368]

S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2008-06-20 11384]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2008-06-20 11360]

S3 niwdk;niwdk;c:\windows\system32\drivers\niwdk.sys [2008-05-22 27744]

S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2008-02-22 11336]

S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2008-02-22 11336]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]

S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]

S3 vmwriter;VMware VSS Writer;c:\program files\VMware\VMware Server\vmVssWriter.exe [2008-09-11 29744]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NIPALK

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e781930-e0c6-11dd-82e0-005056c00008}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe

\Shell\Explore\command - E:\system.exe

\Shell\Open\command - E:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d7d2af0-84ac-11dd-b03b-0012f074cd30}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe

\Shell\Explore\command - F:\system.exe

\Shell\Open\command - F:\system.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2683735972-3053652185-2674876239-1114.job

- c:\documents and settings\dwisti.PROG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-15 11:08]

.

- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{04466240-beb3-11d1-be1c-00aa006b77f4} - wdShellExt.dll

ShellIconOverlayIdentifiers-{37D70BD3-073C-4180-ADD9-C032EA5A7204} - wdShellExt.dll

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://ql/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

LSP: c:\program files\VMware\VMware Server\vsocklib.dll

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx

O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}

hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab

c:\windows\Downloaded Program Files\DownloadManagerV2.inf

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-13 09:07:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)

c:\windows\system32\VMGINA.DLL

c:\windows\system32\Ati2evxx.dll

c:\program files\Broadcom\Security Platform Software\PSDNtfy.dll

c:\windows\system32\IfxWlxEN.dll

c:\windows\system32\wdnp32.dll

c:\windows\system32\wdHelper.dll

c:\windows\system32\wdUIResDll.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\windows\system32\scardsvr.exe

c:\program files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe

c:\windows\system32\Crypserv.exe

c:\windows\system32\IFXSPMGT.exe

c:\windows\system32\IFXTCS.exe

c:\windows\Intellution\iLicenseSvc.exe

c:\windows\system32\lkads.exe

c:\windows\system32\lktsrv.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\National Instruments\MAX\nimxs.exe

c:\program files\National Instruments\Shared\Security\nidmsrv.exe

c:\windows\system32\nisvcloc.exe

c:\program files\National Instruments\Shared\Tagger\tagsrv.exe

c:\program files\Broadcom\Security Platform Software\PSDsrvc.EXE

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\vmnat.exe

c:\program files\WebDrive\wdService.exe

c:\program files\VMware\VMware Server\vmware-authd.exe

c:\windows\system32\vmnetdhcp.exe

c:\windows\system32\msdtc.exe

c:\windows\system32\ati2evxx.exe

c:\program files\TortoiseSVN\bin\TSVNCache.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-01-13 9:13:03 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-13 14:12:58

Pre-Run: 60,758,106,112 bytes free

Post-Run: 60,766,523,392 bytes free

322 --- E O F --- 2008-12-30 00:42:27

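The two MountPoints2 entries in the ComboFix log above cache shell verbs for drives E: and F: that launch system.exe from the drive root, the pattern an autorun.inf on removable media leaves behind. As an added example that is not part of this thread, the Python below parses that section of a ComboFix-style log and flags verbs that redirect Open/Explore to a program or run a relative target through ShellExec_RunDLL; the sample log is constructed from the thread's two blocks plus one invented benign CD-style entry.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two MountPoints2 blocks from the posted ComboFix log,
# plus one invented benign entry (a CD-style AutoRun with an absolute path).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e781930-e0c6-11dd-82e0-005056c00008}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe

\Shell\Explore\command - E:\system.exe

\Shell\Open\command - E:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d7d2af0-84ac-11dd-b03b-0012f074cd30}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe

\Shell\Explore\command - F:\system.exe

\Shell\Open\command - F:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-1111-2222-3333-444444444444}]

\Shell\AutoRun\command - D:\setup.exe
"""

# A MountPoints2 key line: [HKEY_...\mountpoints2\{guid}]
KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# A cached shell verb line as ComboFix prints it: \Shell\<Verb>\command - <cmd>
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.I)
# ShellExec_RunDLL with whatever follows it as the target
RUNDLL_RE = re.compile(r"rundll32\.exe\s+shell32\.dll,ShellExec_RunDLL\s+(\S.*)$", re.I)
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.I)


@dataclass
class Finding:
    guid: str
    verb: str
    command: str
    reason: str


def parse_mountpoints(text):
    """Return {guid: {verb: command}} for every MountPoints2 block in the log."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries.setdefault(current, {})
            continue
        if line.startswith("["):
            current = None  # some other registry key; stop collecting verbs
            continue
        m = VERB_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1).lower()] = m.group(2)
    return entries


def assess(entries):
    """Flag verbs that make opening the drive execute something from its root."""
    findings = []
    for guid, verbs in entries.items():
        for verb, cmd in verbs.items():
            m = RUNDLL_RE.search(cmd)
            if m:
                target = m.group(1).strip()
                # A relative target resolves against the mounted volume's root,
                # so it runs whatever file of that name the inserted media carries.
                if not ABS_PATH_RE.match(target):
                    findings.append(Finding(guid, verb, cmd,
                        "ShellExec_RunDLL with relative target %r" % target))
                continue
            # Explorer's double-click (Open) and right-click (Explore) verbs are
            # normally never overridden; a CD autorun only sets AutoRun.
            if verb in ("open", "explore"):
                findings.append(Finding(guid, verb, cmd,
                    "Open/Explore verb redirected to a program"))
    return findings


if __name__ == "__main__":
    for f in assess(parse_mountpoints(SAMPLE_LOG)):
        print("%s  %-8s %s  <- %s" % (f.guid, f.verb, f.command, f.reason))
```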

  • Root Admin

Go to Start > Run

Type in box

combofix /u

Note the space between the X and the /u.

That will remove ComboFix. Then run the following.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and, AFTER the reboot, run HJT: Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.


Malwarebytes' Anti-Malware 1.32

Database version: 1648

Windows 5.1.2600 Service Pack 3

2009-01-13 17:49:02

mbam-log-2009-01-13 (17-49-02).txt

Scan type: Quick Scan

Objects scanned: 63004

Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 10

Memory Processes Infected:

C:\Program Files\Spyware Guard 2009\spywareguard.exe (Rogue.SpywareGuard) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{d87848ca-21fd-4dae-ba4b-29bfac013b3b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Spyware Guard 2009 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2009\quarantine (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Documents and Settings\dwisti.PROG\Start Menu\Programs\Spyware Guard 2009 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\Spyware Guard 2009\conf.cfg (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2009\mbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2009\quarantine.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2009\queue.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2009\spywareguard.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2009\uninstall.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Program Files\Spyware Guard 2009\vbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Documents and Settings\dwisti.PROG\Start Menu\Programs\Spyware Guard 2009\Spyware Guard 2009.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\utbjywiinr.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:58, on 2009-01-13

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe

C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\IFXSPMGT.exe

C:\WINDOWS\system32\IFXTCS.exe

C:\WINDOWS\Intellution\iLicenseSvc.exe

C:\WINDOWS\system32\lkads.exe

C:\WINDOWS\system32\lktsrv.exe

C:\Program Files\GE Fanuc\Proficy Machine Edition\Proficy Event Logger\LoggingService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\National Instruments\MAX\nimxs.exe

C:\WINDOWS\system32\nipalsm.exe

C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\system32\nisvcloc.exe

C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe

C:\Program Files\WebDrive\wdService.exe

C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe

C:\WINDOWS\system32\nipalsm.exe

C:\Program Files\VMware\VMware Server\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe

C:\Program Files\VMware\VMware Server\vmware-hostd.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe

C:\Documents and Settings\dwisti.PROG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ql/

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ifxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe

O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [symantec Backup Exec System Recovery 8.0] "C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\dwisti.PROG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Shortcut to mountusr.cmd.lnk = C:\mountusr.cmd

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\national instruments\shared\mdns responder\nimdnsnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prog.i2snet.com

O17 - HKLM\Software\..\Telephony: DomainName = prog.i2snet.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prog.i2snet.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prog.i2snet.com

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Backup Exec System Recovery - Symantec Corporation - C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe

O23 - Service: Proficy Licensing (CCFLIC0) - GE Fanuc Automation - C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe

O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe

O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe

O23 - Service: M1 Licensing Helper (iLicenseSvc) - GE Fanuc Automation Americas, Inc. - C:\WINDOWS\Intellution\iLicenseSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe

O23 - Service: Proficy Log Server (LoggingService) - Unknown owner - C:\Program Files\GE Fanuc\Proficy Machine Edition\Proficy Event Logger\LoggingService.exe

O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe

O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: National Instruments LXI Discovery Service (niLXIDiscovery) - National Instruments Corporation - C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe

O23 - Service: National Instruments mDNS Responder Service (nimDNSResponder) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe

O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments RIO Server (NiRioRpc) - National Instruments Corporation - C:\WINDOWS\system32\NiRioRpc.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe

O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SymSnapService - Symantec - C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

O23 - Service: VMware Host Agent (VMwareHostd) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-hostd.exe

O23 - Service: VMware Server Web Access (VMwareServerWebAccess) - Apache Software Foundation - C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe

O23 - Service: VMware VSS Writer (vmwriter) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmVssWriter.exe

O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 11421 bytes


  • Root Admin

Okay please run one more round of updates and scans and let me know how the computer is running now.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and, AFTER the reboot, run HJT: Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.


Malwarebytes' Anti-Malware 1.32

Database version: 1648

Windows 5.1.2600 Service Pack 3

2009-01-13 18:14:06

mbam-log-2009-01-13 (18-14-06).txt

Scan type: Quick Scan

Objects scanned: 62724

Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:18, on 2009-01-13

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe

C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\IFXSPMGT.exe

C:\WINDOWS\system32\IFXTCS.exe

C:\WINDOWS\Intellution\iLicenseSvc.exe

C:\WINDOWS\system32\lkcitdl.exe

C:\WINDOWS\system32\lkads.exe

C:\WINDOWS\system32\lktsrv.exe

C:\Program Files\GE Fanuc\Proficy Machine Edition\Proficy Event Logger\LoggingService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\National Instruments\MAX\nimxs.exe

C:\WINDOWS\system32\nipalsm.exe

C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\nisvcloc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\WebDrive\wdService.exe

C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe

C:\WINDOWS\system32\nipalsm.exe

C:\Program Files\VMware\VMware Server\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe

C:\Program Files\VMware\VMware Server\vmware-hostd.exe

C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Documents and Settings\dwisti.PROG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ql/

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ifxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe

O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [symantec Backup Exec System Recovery 8.0] "C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\dwisti.PROG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Shortcut to mountusr.cmd.lnk = C:\mountusr.cmd

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\national instruments\shared\mdns responder\nimdnsnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prog.i2snet.com

O17 - HKLM\Software\..\Telephony: DomainName = prog.i2snet.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prog.i2snet.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prog.i2snet.com

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Backup Exec System Recovery - Symantec Corporation - C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe

O23 - Service: Proficy Licensing (CCFLIC0) - GE Fanuc Automation - C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe

O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe

O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe

O23 - Service: M1 Licensing Helper (iLicenseSvc) - GE Fanuc Automation Americas, Inc. - C:\WINDOWS\Intellution\iLicenseSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe

O23 - Service: Proficy Log Server (LoggingService) - Unknown owner - C:\Program Files\GE Fanuc\Proficy Machine Edition\Proficy Event Logger\LoggingService.exe

O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe

O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: National Instruments LXI Discovery Service (niLXIDiscovery) - National Instruments Corporation - C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe

O23 - Service: National Instruments mDNS Responder Service (nimDNSResponder) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe

O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments RIO Server (NiRioRpc) - National Instruments Corporation - C:\WINDOWS\system32\NiRioRpc.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe

O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SymSnapService - Symantec - C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

O23 - Service: VMware Host Agent (VMwareHostd) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-hostd.exe

O23 - Service: VMware Server Web Access (VMwareServerWebAccess) - Apache Software Foundation - C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe

O23 - Service: VMware VSS Writer (vmwriter) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmVssWriter.exe

O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 11580 bytes

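The O23 entries above are what a helper reads when deciding a log is "clean": each line is display name, optional short name in parentheses, the company from the binary's version info, and the path to the binary. The following is an added example, not part of this thread and not code from HijackThis or Malwarebytes, that parses O23 lines and flags the things a helper looks at first: "Unknown owner" (no company name), binaries outside Windows or Program Files, 8.3 short paths, and one binary hosting several services. The sample lines are copied from the log above plus one constructed, labelled entry; the directory lists are assumptions about an XP-era install.

```python
"""Parse HijackThis O23 (service) lines and flag the ones a helper would look at first.

Added example, not code from the thread, from HijackThis or from Malwarebytes.
The sample lines are copied from the log above plus one constructed, clearly
labelled entry; the directory lists are assumptions about an XP-era install.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O23 - Service: <display name> (<short name>) - <company> - <path to binary>
# The short name in parentheses is optional, and the display name itself may
# contain parentheses (e.g. "... v.0 (experimental) (rpcapd)").
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<short>[^()]+)\))?"
    r" - (?P<vendor>.+?)"
    r" - (?P<path>[A-Za-z]:\\.+)$"
)

# Assumed normal homes for service binaries on an XP box (case-insensitive prefixes).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Assumed places where a service binary deserves a hard look.
SUSPECT_PREFIXES = ("c:\\documents and settings\\", "c:\\windows\\temp\\", "c:\\temp\\")


@dataclass
class Service:
    display: str
    short: Optional[str]
    vendor: str
    path: str
    flags: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Return a Service for a well-formed O23 line, None for anything else."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(m["display"], m["short"], m["vendor"], m["path"])


def triage(svc: Service) -> List[str]:
    """Attach review flags to one service and return them."""
    p = svc.path.lower()
    if svc.vendor == "Unknown owner":
        svc.flags.append("no company name in the binary's version info")
    if p.startswith(SUSPECT_PREFIXES):
        svc.flags.append("binary in a user profile or temp directory")
    elif not p.startswith(EXPECTED_PREFIXES):
        svc.flags.append("binary outside Windows or Program Files")
    if "~" in p:
        svc.flags.append("8.3 short path; confirm the long name before judging it")
    return svc.flags


def triage_log(lines) -> List[Service]:
    """Parse every O23 line, flag each service, and note binaries shared by several services."""
    services = [s for s in map(parse_o23, lines) if s is not None]
    by_binary = {}
    for s in services:
        triage(s)
        by_binary.setdefault(s.path.lower(), []).append(s)
    for group in by_binary.values():
        if len(group) > 1:
            for s in group:
                s.flags.append(f"shares its binary with {len(group) - 1} other service(s)")
    return services


# Lines copied from the log above, plus one CONSTRUCTED line at the end that
# shows what a dropped-in service typically looks like.
SAMPLE_LINES = [
    r"O23 - Service: Proficy Licensing (CCFLIC0) - GE Fanuc Automation - C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe",
    r"O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe",
    r"O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE",
    r"O23 - Service: Proficy Log Server (LoggingService) - Unknown owner - C:\Program Files\GE Fanuc\Proficy Machine Edition\Proficy Event Logger\LoggingService.exe",
    r"O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe",
    r"O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe",
    r"O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe",
    # constructed, not from the log:
    r"O23 - Service: Windows Update Helper (wuhelp) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\wuhelp.exe",
]

if __name__ == "__main__":
    for s in triage_log(SAMPLE_LINES):
        print(f"{s.short or s.display:20} {s.vendor:35} {'; '.join(s.flags) or 'ok'}")
```

None of these flags is a verdict. "Unknown owner" only means the binary carries no company name in its version resource, and the two legitimately flagged services in the real log (LoggingService, VMwareHostd) show why the path and the vendor have to be read together; the constructed last line, a nameless service in a temp directory, is the combination that should stop you.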

  • Root Admin

Well, the current logs seem to be clear now. Avira is a pretty good free Anti-Virus.

Make sure you install some Anti-Virus and do a Full Scan, because AV software is a lot different than Anti-Malware: it scans many other locations and for viruses as well. Yes, having the Recovery Console installed is a good idea in case it's ever needed.

Based on current logs and no indication of infections I'll leave you with this then.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • Check Turn off System Restore.

  • Click Apply, and then click OK.

  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • UN-Check *Turn off System Restore*.

  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy

Download it from here. Just choose a mirror and off you go.

Find the tutorial on how to use Spybot properly here.

Install SpyWare Blaster

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

Here you can find information about how WinPatrol works.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your PC.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP SP2, you should upgrade to SP3.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows Firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated, but good reading on how to prevent Malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

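The hpHosts recommendation in the reply above works because Windows consults the hosts file (on XP, C:\WINDOWS\system32\drivers\etc\hosts) before DNS, and a name mapped to 127.0.0.1 never leaves the machine. The following is an added example, not code from the thread or from the hpHosts project, that parses a hosts file the way Windows reads it and shows both what the blocking does and where it stops: it is an exact-name match, so a listed domain does not cover its subdomains, and a connection made straight to an IP address never consults the table. The hosts content and the example domains are constructed and are not real hpHosts entries.

```python
"""Hosts-file blocking, the mechanism hpHosts relies on: parse a hosts file the
way Windows reads it and check which names it blocks.

Added example, not code from the thread or from the hpHosts project. The hosts
content below is constructed; the example domains are not real hpHosts entries.
"""
import ipaddress
from typing import Dict, Optional

# Constructed sample in hosts-file syntax: "<address> <name> [<name> ...]",
# with '#' starting a comment. Blocklists map names to 127.0.0.1 (as hpHosts
# did) or 0.0.0.0; an ordinary entry maps a name to a real address.
SAMPLE_HOSTS = """\
# constructed sample, not a real hpHosts file
127.0.0.1       localhost
127.0.0.1       ads.example.com
127.0.0.1       tracker.example.net   cdn.tracker.example.net   # two names, one line
0.0.0.0         malware.example.org
192.0.2.10      intranet.example      # a real mapping, not a block
not-an-address  broken.example        # malformed; Windows skips it
"""

BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address}. The first line naming a host wins, as on Windows."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # malformed address: ignore the line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def resolve(hostname: str, table: Dict[str, str]) -> Optional[str]:
    """Exact, case-insensitive lookup. There are no wildcards: a listed name
    does not cover its subdomains, and a direct IP connection never consults
    the table at all. None means 'fall through to DNS'."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(hostname: str, table: Dict[str, str]) -> bool:
    """True when the hosts file sends this name to the local machine (or 0.0.0.0)."""
    return resolve(hostname, table) in BLOCK_TARGETS


def unblocked_lookalikes(names, table):
    """Names (say, from a browser history) whose parent domain is blocked but
    which slip past because only the parent is listed."""
    hits = []
    for n in names:
        parts = n.lower().split(".")
        parents = [".".join(parts[i:]) for i in range(1, len(parts) - 1)]
        if not is_blocked(n, table) and any(is_blocked(p, table) for p in parents):
            hits.append(n)
    return hits


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.com", "www.ads.example.com",
                 "malware.example.org", "intranet.example"):
        print(f"{name:24} -> {resolve(name, hosts) or 'DNS'}  blocked={is_blocked(name, hosts)}")
    print(unblocked_lookalikes(["www.ads.example.com", "intranet.example"], hosts))
```

Two practical points follow from the code. A hosts file is only as good as its list of exact names, which is why hpHosts is large and why it needs updating like any other signature set. And the same file is writable by any administrator, so malware uses it too, typically to send security vendors' update sites to 127.0.0.1; after a cleanup it is worth reading the file, not just installing a new one over it.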
