GeekPolice

Unknown possible malware removal help



Post by LordHelmut on Mon Aug 17, 2009 7:15 pm

This is on a Dell Latitude D410.

The only real symptom is that the computer is extremely slow--reading a basic email in Lotus Notes takes a LONG time to even become visible, where it is unresponsive until it finally decides to load.

I don't know any other symptoms, other than it is slow and hangs. The end user does some demanding things and can't tolerate the slowdown any longer. I ran antivirus tools and found nothing, ran Spybot S&D and found maybe a couple items that weren't all that nefarious and Adaware doesn't seem to want to load at all.

Below are the HijackThis results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:44 PM, on 8/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\lotus\notes\nsd.exe
C:\Program Files\lotus\notes\nslsvice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Multi-Tech Systems\FaxFinder Client Software\FF110Client.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = [You must be registered and logged in to see this link.]
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CardScanAgent] "C:\Program Files\CardScan\CardScan\CardScanAgent.exe"

LordHelmut
Novice
Novice

Status :
Online
Offline

Posts : 36
Joined : 2009-06-05
OS : Vista
Points : 27420
# Likes : 0

View user profile

Back to top Go down

Re: Unknown possible malware removal help

Post by LordHelmut on Mon Aug 17, 2009 7:15 pm

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FaxFinder Client Software.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.airborne.com (HKLM)
O15 - Trusted Zone: *.asbnow.com (HKLM)
O15 - Trusted Zone: *.atitech.com (HKLM)
O15 - Trusted Zone: *.beechstreet.com (HKLM)
O15 - Trusted Zone: *.cnn.com (HKLM)
O15 - Trusted Zone: *.dell.com (HKLM)
O15 - Trusted Zone: *.dnb.com (HKLM)
O15 - Trusted Zone: *.federalexpress.com (HKLM)
O15 - Trusted Zone: *.fedex.com (HKLM)
O15 - Trusted Zone: *.hotmail.com (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: *.manulife401k.com (HKLM)
O15 - Trusted Zone: *.mapquest.com (HKLM)
O15 - Trusted Zone: *.msn.com (HKLM)
O15 - Trusted Zone: *.netscape.com (HKLM)
O15 - Trusted Zone: *.nvidia.com (HKLM)
O15 - Trusted Zone: *.nytimes.com (HKLM)
O15 - Trusted Zone: *.passport.net (HKLM)
O15 - Trusted Zone: *.quicken.com (HKLM)
O15 - Trusted Zone: *.shoppinghp.com (HKLM)
O15 - Trusted Zone: *.superpages.com (HKLM)
O15 - Trusted Zone: *.techni-tool.com (HKLM)
O15 - Trusted Zone: *.ups.com (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: *.visionresearch.com (HKLM)
O15 - Trusted Zone: *.visionresearch.net (HKLM)
O15 - Trusted Zone: *.vriwayne01.local (HKLM)
O15 - Trusted Zone: *.wellchoicenj.com (HKLM)
O15 - Trusted IP range: 192.168.10.100 (HKLM)
O15 - Trusted IP range: 10.1.2.2 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vriwayne01.local
O17 - HKLM\Software\..\Telephony: DomainName = vriwayne01.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vriwayne01.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Diagnostics - IBM - C:\Program Files\lotus\notes\nsd.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 15673 bytes

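The HijackThis log above is triaged by eye in this thread. As an added example (not from the thread and not part of HijackThis), the following parses a log in that format and applies the review rules a helper would apply to the O1, O4, O15, O20 and O23 sections: hosts overrides, orphaned or user-profile autostarts, Trusted Zone additions, AppInit_DLLs and service binaries outside the usual roots. The sample log is a constructed excerpt of the posted one; the `[avpa]` Run entry and its path are hypothetical, added so the user-profile rule has something to flag.

```python
import re

# Constructed excerpt in the format of the HijackThis 2.0.2 log posted above.
# Entries are copied or abbreviated from the post, except the [avpa] line and
# its path, which are hypothetical (the MBAM log later in the thread names that
# Run value; the HijackThis log taken from the admin account does not show it).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [avpa] C:\Documents and Settings\user\Application Data\avpa.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O15 - Trusted Zone: *.dell.com (HKLM)
O15 - Trusted IP range: 192.168.10.100 (HKLM)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
"""

# "O4 - <body>", "R1 - <body>" and so on; the process list has no such prefix.
ENTRY_RE = re.compile(r"^(?P<sec>[ORFN]\d+) - (?P<body>.*)$")
# Registry Run/RunOnce lines: HKLM\..\Run: [name] command  (HKUS lines carry a user SID)
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# Autostarts from locations an unprivileged user can write to deserve a closer look.
USER_WRITABLE_HINTS = ("documents and settings", "application data", "\\temp\\", "%temp%")
# Service binaries normally live under one of these roots on XP.
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def parse_hjt(text):
    """Split a HijackThis log into its Oxx/Rx entries, ignoring the process list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.rstrip())
        if m:
            entries.append({"section": m["sec"], "body": m["body"], "raw": raw.rstrip()})
    return entries


def summarize(entries):
    """Count entries per section, e.g. {'O4': 6, 'O15': 2, ...}."""
    counts = {}
    for e in entries:
        counts[e["section"]] = counts.get(e["section"], 0) + 1
    return counts


def parse_o4(body):
    """Break a registry Run/RunOnce line into hive, key, value name and command."""
    m = O4_RE.match(body)
    if not m:
        return None  # Global Startup / .lnk lines have a different shape
    d = m.groupdict()
    # Drop HijackThis's "(User 'SYSTEM')" suffix so only the command remains.
    d["cmd"] = re.sub(r"\s*\(User '[^']*'\)$", "", d["cmd"]).strip()
    return d


def review(entries):
    """Triage rules: return (section, reason, raw line) for items a human should look at.
    These are review prompts, not verdicts; every rule here also has a benign reading."""
    findings = []
    for e in entries:
        sec, body, raw = e["section"], e["body"], e["raw"]
        if sec == "O1":
            parts = body.split()  # ['Hosts:', ip, name, name, ...]
            findings.append((sec, f"hosts file maps {len(parts) - 2} name(s) to {parts[1]}", raw))
        elif sec == "O4":
            o4 = parse_o4(body)
            if o4 is None:
                continue
            cmd = o4["cmd"].lower()
            if not cmd:
                findings.append((sec, f"[{o4['name']}] is a Run value with an empty command (orphan)", raw))
            elif any(h in cmd for h in USER_WRITABLE_HINTS):
                findings.append((sec, f"[{o4['name']}] autostarts from a user-writable profile path", raw))
        elif sec == "O15":
            findings.append((sec, "IE Trusted Zone entry relaxes browser security for " + body.split(": ", 1)[1], raw))
        elif sec == "O20":
            findings.append((sec, "AppInit_DLLs: this DLL is loaded into every process that loads user32.dll", raw))
        elif sec == "O23":
            exe = body.rsplit(" - ", 1)[-1].strip().lower()
            if not exe.startswith(TRUSTED_ROOTS):
                findings.append((sec, "service binary outside Program Files / WINDOWS", raw))
    return findings


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print(summarize(ents))
    for sec, reason, raw in review(ents):
        print(f"{sec}: {reason}\n    {raw}")
```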

Re: Unknown possible malware removal help

Post by Belahzur on Mon Aug 17, 2009 9:46 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Re: Unknown possible malware removal help

Post by LordHelmut on Tue Aug 18, 2009 4:06 pm

Malwarebytes' Anti-Malware 1.40
Database version: 2649
Windows 5.1.2600 Service Pack 3

8/18/2009 11:50:30 AM
mbam-log-2009-08-18 (11-50-30).txt

Scan type: Quick Scan
Objects scanned: 136722
Time elapsed: 18 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avpa (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

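MBAM's log above records three registry fixes and the "Bad"/"Good" data for the two hijacks. As an added example (not from the thread and not part of Malwarebytes), the following parses those two registry sections into post-cleanup expectations and checks them against a snapshot of registry state, so that a value which reappears after the reboot stands out; the snapshot dicts are constructed and stand in for an actual registry read, which the example assumes rather than performs.

```python
import re

# Constructed excerpt reproducing the detection lines of the MBAM log above
# (same format; only the two registry sections and one empty section are kept).
MBAM_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avpa (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# "<path> (<family>) -> Bad: (<x>) Good: (<y>) -> <action>"; the paths here contain no spaces.
DATA_RE = re.compile(
    r"^(?P<path>\S+) \((?P<family>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) "
    r"Good: \((?P<good>[^)]*)\) -> (?P<action>.*)$"
)
# "<path> (<family>) -> <action>"
VALUE_RE = re.compile(r"^(?P<path>\S+) \((?P<family>[^)]+)\) -> (?P<action>.*)$")


def build_checks(log):
    """Turn MBAM's registry findings into what the registry should look like afterwards:
    a deleted value must stay absent (expect None); a repaired data item must hold the
    'Good' data MBAM restored (CheckedValue=1 re-enables 'Show hidden files and folders',
    NoDispScrSavPage=0 gives the Screen Saver tab of Display Properties back)."""
    checks, section = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            section = line[:-1]  # e.g. 'Registry Data Items Infected'
            continue
        if not line or line.startswith("("):
            continue
        if section == "Registry Data Items Infected":
            m = DATA_RE.match(line)
            expect = m["good"] if m else None
        elif section == "Registry Values Infected":
            m = VALUE_RE.match(line)
            expect = None
        else:
            continue
        if not m:
            continue
        key, name = m["path"].rsplit("\\", 1)
        checks.append({"key": key, "value": name, "family": m["family"], "expect": expect})
    return checks


def verify(checks, snapshot):
    """Compare expectations with a snapshot {(key, value name): data, or None if absent}.
    Anything returned has drifted back since the cleanup; on a machine like the one in
    this thread that would mean something still running is re-creating it."""
    failures = []
    for c in checks:
        actual = snapshot.get((c["key"], c["value"]))
        if actual != c["expect"]:
            failures.append({**c, "actual": actual})
    return failures


RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed snapshot standing in for a registry read on the cleaned machine.
CLEAN_SNAPSHOT = {
    (RUN_KEY, "avpa"): None,
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "NoDispScrSavPage"): "0",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue"): "1",
}
# Same machine after whatever dropped avpa has run again (hypothetical path).
REINFECTED_SNAPSHOT = {**CLEAN_SNAPSHOT, (RUN_KEY, "avpa"): r"<hypothetical>\avpa.exe"}

if __name__ == "__main__":
    checks = build_checks(MBAM_LOG)
    for c in checks:
        print(f"{c['key']}\\{c['value']}: expect {c['expect']!r}")
    print("clean:", verify(checks, CLEAN_SNAPSHOT))
    print("reinfected:", verify(checks, REINFECTED_SNAPSHOT))
```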

Re: Unknown possible malware removal help

Post by LordHelmut on Tue Aug 18, 2009 4:08 pm

I had to reboot the machine, but the end user went to lunch and he didn't give me the correct password, so I am not sure if his computer is faster.

All I have to say is, when I ran HijackThis yesterday I used my local admin account on it, which was fairly speedy enough, but his account is very very slow to do anything.

I ran this program from his account this time, however.


Re: Unknown possible malware removal help

Post by Belahzur on Tue Aug 18, 2009 8:33 pm

Hello.
Is the Hijack This log taken from the very slow account too?



Re: Unknown possible malware removal help

Post by LordHelmut on Tue Aug 18, 2009 10:47 pm

Unfortunately no, that was taken from my "Backdoor" account, which forced his account to log off when I logged in as admin. I can run that first thing tomorrow am.

I dunno, I didn't try much using my account, but it did seem somewhat faster. I don't think this gentleman is doing anything out there, just reading email, using word, and he says it takes forever.

I haven't verified the specs on it recently, so I am not sure of the memory. He said it's been slow for some time now; he did notice much more spam recently in his inbox, but no random popups.

The machine isn't that old, but I dunno at this point.

Perhaps it isn't spyware?

Though, it certainly behaves like it is!


Re: Unknown possible malware removal help

Post by Origin on Wed Aug 19, 2009 12:24 am

We are going to have to do some things in safe mode:

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then do the following instructions:

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Status :
Online
Offline

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31453
# Likes : 0

View user profile

Back to top Go down

Re: Unknown possible malware removal help

Post by LordHelmut on Wed Aug 19, 2009 1:39 pm

I shall try this, but I will be unable to disable antivirus as it is controlled through the domain, which I have no access to disable. It is the corporate version of Symantec Antivirus. Will this be a problem?


Re: Unknown possible malware removal help

Post by LordHelmut on Wed Aug 19, 2009 4:48 pm

I ran it, went to like step 50, rebooted, took 10x slower and the program that loaded after rebooting just stopped responding and crashed. No log file was created. Dunno, it seems slower now, but the owner said boot up takes about 30 min.

I saw a lot of action however after step 50, there is a combo-fix folder but no log file. It is still booting when I left the office.


Re: Unknown possible malware removal help

Post by Belahzur on Wed Aug 19, 2009 7:15 pm

Hello.
If the machine is infected, we're gonna need someone with admin powers, because Symantec will tear Combofix apart because some of its components are flagged as RiskWare or HackTool, both of which are false positives.



Re: Unknown possible malware removal help

Post by LordHelmut on Wed Aug 19, 2009 7:19 pm

I have local admin, not domain admin. I will ask the super-admin (my boss, I am jr IT admin) for those privileges. I will get back to you and I will rerun the tool?

Note: due to the computer being very very slow to boot (the gentleman says it takes 30 min for all of the startup processes to finally complete), the combo thing upon reboot could have just hung as it took too long??


Re: Unknown possible malware removal help

Post by Belahzur on Wed Aug 19, 2009 7:41 pm

Try it from safe mode if normal mode is too slow.



Re: Unknown possible malware removal help

Post by LordHelmut on Wed Aug 19, 2009 8:25 pm

Well, the problem is when it finished, it rebooted, so you are saying when it reboots, go back into safe mode?

Since it already made changes from the first time, will those changes have been logged? There is no log file right now in C:\.

Also, I got him out of the forced a/v group (turns out I had the ability, I just discovered), so in 20 min when he leaves for the day I will run it again.

Then I will also run HijackThis again for you if you want me to; should that be in safe or normal mode?


Re: Unknown possible malware removal help

Post by Belahzur on Wed Aug 19, 2009 8:48 pm

When it reboots, make it go back to safe mode by pressing F8 when it's rebooting.



Re: Unknown possible malware removal help

Post by LordHelmut on Wed Aug 19, 2009 9:22 pm

ComboFix 09-08-18.04 - rrobinson 08/19/2009 16:55:39.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.755 [GMT -4:00]
Running from: C:\Documents and Settings\rrobinson\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\Installer\19f5997.msp
C:\WINDOWS\Installer\2ccc52.msp
C:\WINDOWS\Installer\8722e8.msp
C:\WINDOWS\system32\2\BiCMonNT.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\Ijl11.dll
C:\WINDOWS\system32\LexLog.dll

Infected copy of C:\WINDOWS\system32\mspmsnsv.dll was found and disinfected
Restored copy from - C:\WINDOWS\system32\dllcache\mspmsnsv.dll

Infected copy of C:\WINDOWS\system32\mspmsnsv.dll was found and disinfected
Restored copy from - C:\WINDOWS\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 17:35:34 . 2009-08-18 08:00:00 1647984 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2607.vdb\NAVEX32A.DLL
2009-08-19 17:35:33 . 2009-08-18 08:00:00 84912 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2607.vdb\NAVENG.SYS
2009-08-19 17:35:33 . 2009-08-18 08:00:00 177520 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2607.vdb\NAVENG32.DLL
2009-08-19 17:35:33 . 2009-08-18 08:00:00 1323696 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2607.vdb\NAVEX15.SYS
2009-08-19 17:35:28 . 2009-07-01 02:39:21 371248 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2607.vdb\EECTRL.SYS
2009-08-19 17:35:28 . 2009-07-01 02:39:21 101936 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2607.vdb\ERASER.SYS
2009-08-19 17:35:27 . 2009-08-18 08:00:00 259440 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2607.vdb\ECMSVR32.DLL
2009-08-19 17:35:25 . 2009-07-01 02:39:21 2414128 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2607.vdb\CCERASER.DLL
2009-08-19 17:28:11 . 2009-08-18 08:00:00 1647984 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2614.vdb\NAVEX32A.DLL
2009-08-19 17:28:10 . 2009-08-18 08:00:00 1323696 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2614.vdb\NAVEX15.SYS
2009-08-19 17:28:09 . 2009-08-18 08:00:00 84912 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2614.vdb\NAVENG.SYS
2009-08-19 17:28:09 . 2009-08-18 08:00:00 177520 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2614.vdb\NAVENG32.DLL
2009-08-19 17:28:02 . 2009-07-01 02:39:21 101936 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2614.vdb\ERASER.SYS
2009-08-19 17:28:01 . 2009-07-01 02:39:21 371248 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2614.vdb\EECTRL.SYS
2009-08-19 17:28:00 . 2009-08-18 08:00:00 259440 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2614.vdb\ECMSVR32.DLL
2009-08-19 17:27:57 . 2009-07-01 02:39:21 2414128 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2614.vdb\CCERASER.DLL
2009-08-19 16:30:03 . 2009-08-18 08:00:00 1647984 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2608.vdb\NAVEX32A.DLL
2009-08-19 16:30:02 . 2009-08-18 08:00:00 84912 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2608.vdb\NAVENG.SYS
2009-08-19 16:30:02 . 2009-08-18 08:00:00 177520 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2608.vdb\NAVENG32.DLL
2009-08-19 16:30:02 . 2009-08-18 08:00:00 1323696 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2608.vdb\NAVEX15.SYS
2009-08-19 16:29:54 . 2009-07-01 02:39:21 371248 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2608.vdb\EECTRL.SYS
2009-08-19 16:29:54 . 2009-07-01 02:39:21 101936 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2608.vdb\ERASER.SYS
2009-08-19 16:29:53 . 2009-08-18 08:00:00 259440 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2608.vdb\ECMSVR32.DLL
2009-08-19 16:29:50 . 2009-07-01 02:39:21 2414128 ----a-w- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2608.vdb\CCERASER.DLL
2009-08-19 13:15:34 . 2009-08-19 14:20:57 0 d-----w- C:\Documents and Settings\rrobinson\Application Data\FileZilla
2009-08-19 13:15:06 . 2009-08-19 13:15:20 0 d-----w- C:\Program Files\FileZilla FTP Client
2009-08-18 15:29:41 . 2009-08-18 15:29:41 0 d-----w- C:\Documents and Settings\rrobinson\Application Data\Malwarebytes
2009-08-18 15:29:21 . 2009-08-03 17:36:28 38160 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-08-18 15:29:19 . 2009-08-18 15:29:19 0 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-18 15:29:19 . 2009-08-03 17:36:06 19096 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-08-18 15:29:18 . 2009-08-18 15:29:34 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-17 16:56:21 . 2009-08-17 16:56:21 0 d-----w- C:\Program Files\Trend Micro
2009-08-17 16:47:55 . 2009-07-03 14:49:08 64160 ----a-w- C:\WINDOWS\system32\drivers\Lbd.sys
2009-08-17 16:44:11 . 2009-08-17 16:44:13 0 dc-h--w- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-17 16:44:11 . 2009-07-08 17:28:49 2920112 -c--a-w- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-17 16:43:52 . 2009-08-17 16:43:52 0 d-----w- C:\Program Files\Lavasoft
2009-08-17 16:43:52 . 2009-08-17 16:43:52 0 d-----w- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-08-17 15:38:35 . 2009-08-17 16:07:30 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-17 15:38:35 . 2009-08-17 15:43:32 0 d-----w- C:\Program Files\Spybot - Search & Destroy
2009-08-17 15:13:58 . 2009-08-17 15:13:58 0 d-sh--w- C:\Documents and Settings\Administrator\IETldCache
2009-08-12 14:05:45 . 2009-06-12 12:31:40 80896 -c----w- C:\WINDOWS\system32\dllcache\tlntsess.exe
2009-08-12 14:05:44 . 2009-06-12 12:31:39 76288 -c----w- C:\WINDOWS\system32\dllcache\telnet.exe
2009-08-12 14:05:41 . 2009-06-10 06:14:49 132096 -c----w- C:\WINDOWS\system32\dllcache\wkssvc.dll
2009-08-12 14:05:40 . 2009-06-10 14:13:29 84992 -c----w- C:\WINDOWS\system32\dllcache\avifil32.dll
2009-08-12 14:05:11 . 2009-07-17 19:01:06 58880 -c----w- C:\WINDOWS\system32\dllcache\atl.dll
2009-08-12 14:04:56 . 2009-07-10 13:27:49 1315328 -c----w- C:\WINDOWS\system32\dllcache\msoe.dll
2009-08-12 14:04:16 . 2009-08-05 09:01:48 204800 -c----w- C:\WINDOWS\system32\dllcache\mswebdvd.dll
2009-08-12 14:03:44 . 2009-06-24 11:18:41 92928 -c----w- C:\WINDOWS\system32\dllcache\ksecdd.sys
2009-08-12 14:03:43 . 2009-06-25 08:25:26 54272 -c----w- C:\WINDOWS\system32\dllcache\wdigest.dll
2009-08-12 14:03:43 . 2009-06-25 08:25:26 136192 -c----w- C:\WINDOWS\system32\dllcache\msv1_0.dll
2009-08-12 14:03:42 . 2009-06-25 08:25:26 301568 -c----w- C:\WINDOWS\system32\dllcache\kerberos.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 20:50:09 . 2006-04-13 19:21:47 0 d-----w- C:\Program Files\Symantec AntiVirus
2009-08-19 20:49:35 . 2006-08-23 19:14:22 0 d-----w- C:\Documents and Settings\rrobinson\Application Data\FaxFinder Client Software
2009-08-19 16:51:52 . 2008-05-30 13:32:29 0 d-----w- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-08-17 20:41:24 . 2008-04-16 17:44:31 0 d-----w- C:\Documents and Settings\Administrator\Application Data\FaxFinder Client Software
2009-08-17 15:14:39 . 2008-04-16 17:44:23 70264 ----a-w- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01:48 . 2004-08-04 12:00:00 204800 ----a-w- C:\WINDOWS\system32\mswebdvd.dll
2009-08-03 19:09:02 . 2007-01-19 18:39:52 0 d-----w- C:\Program Files\Phantom
2009-07-17 19:01:06 . 2004-08-04 12:00:00 58880 ----a-w- C:\WINDOWS\system32\atl.dll
2009-07-14 03:43:24 . 2004-08-04 12:00:00 286208 ----a-w- C:\WINDOWS\system32\wmpdxm.dll
2009-07-03 17:09:28 . 2004-08-04 12:00:00 915456 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-07-01 14:01:29 . 2007-07-12 14:50:51 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-06-25 08:25:26 . 2004-08-04 12:00:00 730112 ----a-w- C:\WINDOWS\system32\lsasrv.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 56832 ----a-w- C:\WINDOWS\system32\secur32.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 54272 ----a-w- C:\WINDOWS\system32\wdigest.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 301568 ----a-w- C:\WINDOWS\system32\kerberos.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 147456 ----a-w- C:\WINDOWS\system32\schannel.dll
2009-06-25 08:25:26 . 2004-08-04 12:00:00 136192 ----a-w- C:\WINDOWS\system32\msv1_0.dll
2009-06-24 11:18:41 . 2004-08-04 12:00:00 92928 ----a-w- C:\WINDOWS\system32\drivers\ksecdd.sys
2009-06-16 14:36:30 . 2004-08-04 12:00:00 81920 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-06-16 14:36:30 . 2004-08-04 12:00:00 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2009-06-12 12:31:40 . 2004-08-04 12:00:00 80896 ----a-w- C:\WINDOWS\system32\tlntsess.exe
2009-06-12 12:31:39 . 2004-08-04 12:00:00 76288 ----a-w- C:\WINDOWS\system32\telnet.exe
2009-06-10 14:13:29 . 2004-08-04 12:00:00 84992 ----a-w- C:\WINDOWS\system32\avifil32.dll
2009-06-10 13:19:38 . 2004-08-11 22:11:27 2066432 ----a-w- C:\WINDOWS\system32\mstscax.dll
2009-06-10 06:14:49 . 2004-08-04 12:00:00 132096 ----a-w- C:\WINDOWS\system32\wkssvc.dll
2009-06-03 19:09:37 . 2004-08-04 12:00:00 1291264 ----a-w- C:\WINDOWS\system32\quartz.dll
2007-07-28 15:01:48 . 2007-07-28 15:01:18 15364 ---ha-w- C:\Program Files\.DS_Store
2006-05-08 19:43:11 . 2006-05-08 19:43:11 13383 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2006-05-08 19:43:12 . 2006-05-08 19:43:12 92231 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.

.

LordHelmut
Novice

Posts : 36
Joined : 2009-06-05
OS : Vista
Points : 27420
# Likes : 0

Re: Unknown possible malware removal help

Post by LordHelmut on Wed Aug 19, 2009 9:22 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2007-04-12 05:43:52 1661304]
"GoToMeeting"="C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe" [2008-08-01 18:12:06 31552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 11:13:38 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 08:10:54 49263]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 19:59:54 385024]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 15:44:40 839680]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 13:04:14 53248]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 06:01:00 110592]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-03 23:43:06 169472]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 06:05:00 127035]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 20:24:14 278528]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-17 20:43:00 61440]
"MediafourGettingStartedWithMacDrive6"="C:\Program Files\Mediafour\MacDrive\MacDrive.exe" [2004-08-26 18:12:01 86016]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 20:54:20 106496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 23:20:12 866584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 20:35:40 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 20:32:24 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 20:36:20 114688]
"CardScanAgent"="C:\Program Files\CardScan\CardScan\CardScanAgent.exe" [2006-10-20 13:33:46 176128]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 23:26:04 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-28 00:33:44 125168]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 14:50:30 413696]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 21:10:28 35696]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 03:24:02 620152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="C:\WINDOWS\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 19:36:48 13801]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 10:00:00 44544]
"TSClientAXDisabler"="C:\WINDOWS\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 00:43:10 2247]

C:\Documents and Settings\rrobinson\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-4-14 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
"HideShutdownscripts"= 1 (0x1)
"MaxGPOscriptWait"= 120 (0x78)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 19:39:22 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08:06 110592 ----a-w- C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-261478967-725345543-1241\scripts\Logon\0\0]
"script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-261478967-725345543-1678\scripts\Logon\0\0]
"script"=login.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"ose"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\Phantom\\Pim.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\lotus\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.200811140851\\win32\\x86\\notes2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [8/17/2009 12:47:55 PM 64160]
R2 WinDefend;Windows Defender;C:\Program Files\Windows Defender\MsMpEng.exe [11/3/2006 7:19:58 PM 13592]
S0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.SYS [4/30/2006 10:57:06 AM 16640]
S1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.SYS [9/13/2006 2:53:20 PM 213888]
S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;C:\Program Files\lotus\notes\nsd.exe [12/6/2008 8:36:38 AM 3315080]
S2 SavRoam;SAVRoam;C:\Program Files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33:38 PM 116464]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [3/4/2009 12:24:30 PM 101936]
S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\drivers\gtipci21.sys [4/3/2006 7:22:27 PM 88192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57:18 . 2008-04-11 21:57:18]

2009-08-19 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20:06 . 2006-11-03 23:20:06]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)
HKCU-Run-CardScan AutoSync - (no file)
SafeBoot-Lavasoft Ad-Aware Service


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;*.local
IE: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: airborne.com
Trusted Zone: aol.com\login.oscar
Trusted Zone: asbnow.com
Trusted Zone: atitech.com
Trusted Zone: beechstreet.com
Trusted Zone: cnn.com
Trusted Zone: dell.com
Trusted Zone: dnb.com
Trusted Zone: federalexpress.com
Trusted Zone: fedex.com
Trusted Zone: google.com
Trusted Zone: hotmail.com
Trusted Zone: intranet
Trusted Zone: manulife401k.com
Trusted Zone: mapquest.com
Trusted Zone: microsoft.com
Trusted Zone: msn.com
Trusted Zone: netscape.com
Trusted Zone: nvidia.com
Trusted Zone: nytimes.com
Trusted Zone: passport.net
Trusted Zone: quicken.com
Trusted Zone: shoppinghp.com
Trusted Zone: superpages.com
Trusted Zone: techni-tool.com
Trusted Zone: ups.com
Trusted Zone: visibilesolutions.com\www
Trusted Zone: visionresearch.com
Trusted Zone: visionresearch.com\intranet
Trusted Zone: visionresearch.com\www
Trusted Zone: visionresearch.net
Trusted Zone: vriwayne01.local
Trusted Zone: wellchoicenj.com
Trusted Zone: yahoo.com
Trusted Zone: airborne.com
Trusted Zone: aol.com\login.oscar
Trusted Zone: asbnow.com
Trusted Zone: atitech.com
Trusted Zone: beechstreet.com
Trusted Zone: cnn.com
Trusted Zone: dell.com
Trusted Zone: dnb.com
Trusted Zone: federalexpress.com
Trusted Zone: fedex.com
Trusted Zone: google.com
Trusted Zone: hotmail.com
Trusted Zone: intranet
Trusted Zone: manulife401k.com
Trusted Zone: mapquest.com
Trusted Zone: microsoft.com
Trusted Zone: msn.com
Trusted Zone: netscape.com
Trusted Zone: nvidia.com
Trusted Zone: nytimes.com
Trusted Zone: passport.net
Trusted Zone: quicken.com
Trusted Zone: shoppinghp.com
Trusted Zone: superpages.com
Trusted Zone: techni-tool.com
Trusted Zone: ups.com
Trusted Zone: visibilesolutions.com\www
Trusted Zone: visionresearch.com
Trusted Zone: visionresearch.com\intranet
Trusted Zone: visionresearch.com\www
Trusted Zone: visionresearch.net
Trusted Zone: vriwayne01.local
Trusted Zone: wellchoicenj.com
Trusted Zone: yahoo.com
FF - ProfilePath - C:\Documents and Settings\rrobinson\Application Data\Mozilla\Firefox\Profiles\2udb5b7y.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.http - proxy
FF - prefs.js: network.proxy.http_port - 8090
FF - prefs.js: network.proxy.type - 2
FF - plugin: C:\Program Files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

Re: Unknown possible malware removal help

Post by LordHelmut on Wed Aug 19, 2009 9:23 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:11 PM, on 8/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\lotus\notes\nsd.exe
C:\Program Files\lotus\notes\nslsvice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CardScan\CardScan\CardScanAgent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Multi-Tech Systems\FaxFinder Client Software\FF110Client.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CardScanAgent] "C:\Program Files\CardScan\CardScan\CardScanAgent.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe

Re: Unknown possible malware removal help

Post by LordHelmut on Wed Aug 19, 2009 9:23 pm

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FaxFinder Client Software.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.airborne.com
O15 - Trusted Zone: *.asbnow.com
O15 - Trusted Zone: *.atitech.com
O15 - Trusted Zone: *.beechstreet.com
O15 - Trusted Zone: *.cnn.com
O15 - Trusted Zone: *.dell.com
O15 - Trusted Zone: *.dnb.com
O15 - Trusted Zone: *.federalexpress.com
O15 - Trusted Zone: *.fedex.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: *.manulife401k.com
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.netscape.com
O15 - Trusted Zone: *.nvidia.com
O15 - Trusted Zone: *.nytimes.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.quicken.com
O15 - Trusted Zone: *.shoppinghp.com
O15 - Trusted Zone: *.superpages.com
O15 - Trusted Zone: *.techni-tool.com
O15 - Trusted Zone: *.ups.com
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: *.visionresearch.com
O15 - Trusted Zone: *.visionresearch.net
O15 - Trusted Zone: *.vriwayne01.local
O15 - Trusted Zone: *.wellchoicenj.com
O15 - Trusted Zone: *.airborne.com (HKLM)
O15 - Trusted Zone: *.asbnow.com (HKLM)
O15 - Trusted Zone: *.atitech.com (HKLM)
O15 - Trusted Zone: *.beechstreet.com (HKLM)
O15 - Trusted Zone: *.cnn.com (HKLM)
O15 - Trusted Zone: *.dell.com (HKLM)
O15 - Trusted Zone: *.dnb.com (HKLM)
O15 - Trusted Zone: *.federalexpress.com (HKLM)
O15 - Trusted Zone: *.fedex.com (HKLM)
O15 - Trusted Zone: *.hotmail.com (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: *.manulife401k.com (HKLM)
O15 - Trusted Zone: *.mapquest.com (HKLM)
O15 - Trusted Zone: *.msn.com (HKLM)
O15 - Trusted Zone: *.netscape.com (HKLM)
O15 - Trusted Zone: *.nvidia.com (HKLM)
O15 - Trusted Zone: *.nytimes.com (HKLM)
O15 - Trusted Zone: *.passport.net (HKLM)
O15 - Trusted Zone: *.quicken.com (HKLM)
O15 - Trusted Zone: *.shoppinghp.com (HKLM)
O15 - Trusted Zone: *.superpages.com (HKLM)
O15 - Trusted Zone: *.techni-tool.com (HKLM)
O15 - Trusted Zone: *.ups.com (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: *.visionresearch.com (HKLM)
O15 - Trusted Zone: *.visionresearch.net (HKLM)
O15 - Trusted Zone: *.vriwayne01.local (HKLM)
O15 - Trusted Zone: *.wellchoicenj.com (HKLM)
O15 - Trusted IP range: 192.168.10.100
O15 - Trusted IP range: 10.1.2.2
O15 - Trusted IP range: [You must be registered and logged in to see this link.]
O15 - Trusted IP range: 192.168.10.100 (HKLM)
O15 - Trusted IP range: 10.1.2.2 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vriwayne01.local
O17 - HKLM\Software\..\Telephony: DomainName = vriwayne01.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vriwayne01.local
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Diagnostics - IBM - C:\Program Files\lotus\notes\nsd.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 18224 bytes


Re: Unknown possible malware removal help

Post by Belahzur on Thu Aug 20, 2009 12:26 am

Hello.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
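The list that HijackThis's Uninstall Manager writes to uninstall_list.txt is the set of Add/Remove Programs entries stored in the registry's Uninstall keys. As an added example (not code from the thread, from HijackThis or from the helper), this PowerShell script produces the same one-name-per-line list without HijackThis and adds a small triage view; the output path and the triage filter are choices of this example, and the registry paths are the standard Windows Uninstall keys.

```powershell
# Added example (not from the thread or from HijackThis): build the same kind of list
# HijackThis's "Uninstall Manager > Save List..." writes to uninstall_list.txt, by
# reading the Add/Remove Programs entries straight from the registry.
# Assumptions: run in PowerShell on Windows; the output path is a choice of this example.
$OutFile = Join-Path $env:USERPROFILE 'Desktop\uninstall_list.txt'

# The registry keys Add/Remove Programs reads (the WOW6432Node key exists only on 64-bit Windows).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$Entries = foreach ($Key in $UninstallKeys) {
    if (-not (Test-Path $Key)) { continue }
    Get-ChildItem $Key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Subkeys without a DisplayName are hidden by Add/Remove Programs; skip them too.
        if ($p.DisplayName) {
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Publisher       = $p.Publisher
                InstallDate     = $p.InstallDate
                UninstallString = $p.UninstallString
            }
        }
    }
}

# Plain sorted name-per-line list, like uninstall_list.txt. Duplicate names
# (the thread's list shows "Adobe Setup" four times) are kept, as HijackThis keeps them.
$Entries |
    Select-Object -ExpandProperty DisplayName |
    Sort-Object |
    Set-Content -Path $OutFile -Encoding ASCII

# Triage view for the person reviewing the list: entries with no Publisher value, or whose
# uninstall command lives outside Program Files and the Windows directory, are worth a second look.
$Entries |
    Where-Object {
        (-not $_.Publisher) -or
        ($_.UninstallString -and $_.UninstallString -notmatch 'Program Files|\\Windows\\')
    } |
    Sort-Object DisplayName |
    Format-Table DisplayName, Publisher, UninstallString -AutoSize
```

The triage table is only a prompt for review; a missing publisher is common for legitimate installers and is not evidence of malware on its own.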



Re: Unknown possible malware removal help

Post by LordHelmut on Thu Aug 20, 2009 2:01 pm

Acrobat.com
Ad-Aware
Ad-Aware
Adobe Acrobat 8 Professional
Adobe After Effects CS3
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Lightroom
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Reader 9.1
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
ALPS Touch Pad Driver
AOL Instant Messenger
Apple Software Update
Bluetooth Stack for Windows by Toshiba
Broadcom Advanced Control Suite 2
Broadcom ASF Management Applications
CardScan 8.0.2
CineForm NEO Player 3.0
Compatibility Pack for the 2007 Office system
Conexant D110 MDC V.9x Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Printer Software Uninstall
Dell Printer Software Uninstall
Digital Line Detect
Easy Resource Planner 2
eDrawings 2006
eDrawings 2007
FaxFinder Client Software
FileZilla Client 3.2.7
Google AdWords Editor
Google Desktop
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
iDisk Utility for Windows
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
Internal Network Card Power Management
IRIDAS SpeedGrade OnSet 2007 NAB Preview
iTunes
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
LiveUpdate 3.1 (Symantec Corporation)
Lotus Notes 8.5
MacDrive 6
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Malwarebytes' Anti-Malware
MB ScheduleIt V4
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Small Business Edition 2003
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (3.0.13)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mToolkit
mWlsSafe
mXML
mZConfig
NameBuilder 10
NetWaiting
Phantom 649
Phantom CineView 630
PowerDVD 5.1
QuickSet
QuickTime
Search Assist
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SmartFTP Client
SmartFTP Client 2.0 Setup Files (remove only)
SmartFTP Client 3.0 Setup Files (remove only)
Snapshot Viewer
SolidWorks eDrawings 2009
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Spybot - Search & Destroy
Symantec AntiVirus
TEMA 2.6-030
tema 3.0-018
tema 3.0-024
Texas Instruments PCIxx21/x515/xx12 drivers.
Transend Migrator
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
URL Assistant
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPN Client
WebEx
Windows Defender
Windows Desktop Search 3.01
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Messenger 5.1
Windows PowerShell(TM) 1.0
Windows PowerShell(TM) 1.0 MUI pack
Windows Presentation Foundation
Windows XP Service Pack 3
WinZip 11.2
XnView 1.90.1
YouSendIt Express


Re: Unknown possible malware removal help

Post by Belahzur on Thu Aug 20, 2009 7:25 pm

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?





Re: Unknown possible malware removal help

Post by LordHelmut on Mon Aug 24, 2009 3:28 pm

No log file was generated when I ran ComboFix /u.

The c:\combofix folder seems to have erased its contents as well.

Uninstalling the Java items took a LONG time.

The laptop seems to be a little faster, more usable, but not perfect either.

I also ordered more RAM in hopes that improves speed as well.

The spyware seems to be minimal in this; perhaps it is just a fluke?
