
Windows Protection Suite virus


23 replies to this topic

#1 Please Help (New Member, 15 posts)

Posted 23 August 2009 - 03:31 PM

Ran anti-malware; it found some infected files, which were deleted, but after rebooting they returned. Cannot use Task Manager.

Here is the log from HijackThis. Thanks:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:21 PM, on 8/23/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Array Networks\Common\8,3,1,84\arr_isrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\OfficeScan\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\OfficeScan\tmlisten.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan\OfcPfwSvc.exe
C:\WINNT\TEMP\LI813B.EXE
C:\OfficeScan\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe
C:\Documents and Settings\All Users\Application Data\fead405\WIfead.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 www.antivirprotection.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ShutterflyStudio] C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\Documents and Settings\All Users\Application Data\fead405\WIfead.exe" /s /d
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmic...DEIIIDJGBHHJDEF (file missing)
O9 - Extra 'Tools' menuitem: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmic...DEIIIDJGBHHJDEF (file missing)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1251040415281
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://connect.ny.i...lhost/arr_x.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Array SSL VPN Service 8,3,1,84 (ArraySSL_VPN_Service8.3.1.84) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exe
O23 - Service: Array Utility Service 8,3,1,84 (Array_Utility_Service8.3.1.84) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,3,1,84\arr_isrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan\OfcPfwSvc.exe
O23 - Service: Domain Migration Administrator Agent (OnePointDomainAdminService) - NetIQ Corporation - C:\Program Files\OnePointDomainAgent\DCTAgentService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 13027 bytes
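A small triage parser for the HijackThis log format, added here as an example (it is not code from this thread, from HijackThis or from Malwarebytes). It reads the "Running processes" block and the O1/O4 lines and flags the three patterns visible in the log above: hosts entries that send security-vendor or payment domains to a non-loopback IP, Run entries whose executable lives in a user-writable data directory, and processes running out of TEMP or a data directory. The keyword and directory lists are assumed heuristics; the sample log is constructed from lines quoted above.

```python
"""Triage helper for HijackThis v2 logs (added example, not HijackThis code).

Flags hosts-file redirects of security/payment domains, Run entries that
launch from user-writable data directories, and processes running out of
TEMP.  Keyword and directory lists below are assumed heuristics.
"""
import re
from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Domain fragments rogue "antivirus" families commonly hijack (assumed heuristic)
HIJACK_WORDS = ("microsoft", "antivir", "security", "secure", "payment", "pay")
# User-writable locations a legitimate HKLM/HKCU Run entry rarely points at
DATA_DIRS = ("\\application data\\", "\\programdata\\", "\\local settings\\")
TEMP_DIRS = ("\\temp\\", "\\tmp\\")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
# O4 - HKCU\..\Run: [Name] "C:\path\prog.exe" /args  (also matches HKUS\.DEFAULT\..\RunOnce)
O4_RE = re.compile(r"^O4 - (HK\S*?)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


@dataclass
class Triage:
    hosts_redirects: list = field(default_factory=list)  # (hostname, ip, vendor_like)
    suspicious_run: list = field(default_factory=list)   # (hive, entry name, exe path)
    odd_processes: list = field(default_factory=list)    # (exe path, reason)


def exe_from_command(cmd: str) -> str:
    """Executable of a Run command: the quoted path if present, else the first token.
    Only the executable counts: a legitimate entry may pass a data-directory path
    as an *argument* (an .ini file, say) without itself living there."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def classify_process(path: str):
    """Reason an executable location looks out of place, or None."""
    low = path.lower()
    if any(d in low for d in TEMP_DIRS):
        return "runs from a TEMP folder"
    if any(d in low for d in DATA_DIRS):
        return "runs from a user-writable data directory"
    return None


def triage_hjt(log_text: str) -> Triage:
    """Parse a HijackThis log and collect the indicators described above."""
    t = Triage()
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # the block ends at the first blank line
            if not line:
                in_procs = False
            elif (reason := classify_process(line)):
                t.odd_processes.append((line, reason))
            continue
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:        # "::1 localhost" style lines are normal
                vendor_like = any(w in host.lower() for w in HIJACK_WORDS)
                t.hosts_redirects.append((host, ip, vendor_like))
            continue
        m = O4_RE.match(line)
        if m and m.group(2).lower().startswith("run"):
            hive, _, name, cmd = m.groups()
            exe = exe_from_command(cmd)
            if classify_process(exe):
                t.suspicious_run.append((hive, name, exe))
    return t


# Constructed sample: lines quoted from the first HijackThis log in this thread
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\TEMP\LI813B.EXE
C:\Documents and Settings\All Users\Application Data\fead405\WIfead.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\Documents and Settings\All Users\Application Data\fead405\WIfead.exe" /s /d
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
"""

if __name__ == "__main__":
    r = triage_hjt(SAMPLE_LOG)
    for host, ip, vendor_like in r.hosts_redirects:
        print(f"hosts redirect: {host} -> {ip}" + ("  (security/payment domain)" if vendor_like else ""))
    for hive, name, exe in r.suspicious_run:
        print(f"autostart from data dir: {hive} [{name}] {exe}")
    for path, reason in r.odd_processes:
        print(f"process {path}: {reason}")
```

Run it against a full log and the Windows Protection Suite entry, the TEMP executable and the hosts redirects surface immediately, while entries such as PPort11reminder (which only passes a data-directory path as an argument) stay quiet.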

#2 screen317 (MBAM Sentinel, Moderator, 19,486 posts, New Haven, CT)

Posted 25 August 2009 - 05:00 PM

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

After that, please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317
Chris Fistonich
Research Team


#3 Please Help (New Member, 15 posts)

Posted 26 August 2009 - 08:03 PM

Hi and thanks for your help.

Update: By fixing one line from HijackThis, I was able to run and delete all the files from MBAM, and they did not return after rebooting this time.
Then I got your message about running ComboFix...

So, my last MBAM log contained no infected files:
Malwarebytes' Anti-Malware 1.40
Database version: 2702
Windows 5.0.2195 Service Pack 4

8/26/2009 8:35:06 PM
mbam-log-2009-08-26 (20-35-06).txt

Scan type: Quick Scan
Objects scanned: 95890
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix log:
ComboFix 09-08-26.05 - Administrator 08/26/2009 17:13.1.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.639.390 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Administrator\Application Data\Windows Protection Suite
c:\documents and settings\Administrator\Application Data\Windows Protection Suite\cookies.sqlite
c:\documents and settings\Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\WINSPSys
c:\documents and settings\All Users\Application Data\WINSPSys\winps.cfg
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\recycler\S-1-5-21-1004336348-1788223648-725345543-500
c:\recycler\S-1-5-21-1106591827-654009076-425818713-500
c:\recycler\S-1-5-21-1161191959-2006596497-1451377629-500
c:\recycler\S-1-5-21-1851790228-1399273013-1408832246-500
c:\recycler\S-1-5-21-244122443-1089559749-1396666437-500
c:\recycler\S-1-5-21-634664336-1480134410-1310543000-500
c:\recycler\S-1-5-21-797854463-345337248-359742564-500
c:\winnt\system32\UACpyeutowkurgwvbl.dat
c:\winnt\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-24 23:53 . 2009-03-30 14:32 97512 ----a-w- c:\winnt\system32\drivers\avipbb.sys
2009-08-24 23:53 . 2009-03-24 20:07 65240 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
2009-08-24 23:53 . 2009-02-13 16:28 18520 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys
2009-08-24 23:53 . 2009-02-13 16:16 64488 ----a-w- c:\winnt\system32\drivers\avgntdd.sys
2009-08-24 23:53 . 2009-08-24 23:53 -------- d-----w- c:\program files\Avira
2009-08-24 23:53 . 2009-08-24 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-24 23:26 . 2009-08-24 23:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-08-24 02:31 . 2009-07-24 13:55 1090816 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-08-24 02:19 . 2009-08-24 02:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-24 01:09 . 2009-08-24 01:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-08-24 00:22 . 2009-08-24 00:22 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-23 20:03 . 2008-10-16 18:06 268648 ----a-w- c:\winnt\system32\mucltui.dll
2009-08-23 02:27 . 2004-07-14 01:12 69632 ------w- c:\winnt\erase_SR.exe
2009-08-23 02:13 . 2009-08-23 02:13 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-12 21:09 . 2009-08-12 21:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC-FAX TX
2009-08-11 20:56 . 2009-04-23 09:05 407552 ----a-w- c:\winnt\system32\mstsc.exe
2009-08-11 20:56 . 2009-06-15 07:23 655872 -c----w- c:\winnt\system32\dllcache\mstscax.dll
2009-08-11 20:56 . 2009-06-15 07:23 655872 ----a-w- c:\winnt\system32\mstscax.dll
2009-08-05 05:04 . 2009-08-05 05:04 90164 -c----w- c:\winnt\system32\dllcache\atl.dll
2009-08-05 05:04 . 2009-08-05 05:04 90164 ----a-w- c:\winnt\system32\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 23:38 . 2009-05-22 21:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\avg8
2009-08-24 01:28 . 2009-05-22 21:30 -------- d-----w- c:\program files\AVG
2009-08-24 00:59 . 2004-07-29 09:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 00:54 . 2004-07-29 12:20 -------- d-----w- c:\program files\RealVNC
2009-08-23 22:15 . 2009-05-23 00:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 19:55 . 2004-07-29 08:51 70520 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 03:53 . 2006-07-29 20:45 -------- d-----w- c:\program files\Trend Micro
2009-08-23 02:16 . 2009-06-01 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 02:13 . 2007-06-20 21:48 30386478 ----a-w- c:\winnt\Internet Logs\tvDebug.zip
2009-08-03 17:36 . 2009-06-01 20:10 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-01 20:10 18456 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-27 11:27 . 1999-12-06 21:00 81168 ----a-w- c:\winnt\system32\fontsub.dll
2009-07-27 11:27 . 1999-12-06 21:00 165136 ----a-w- c:\winnt\system32\t2embed.dll
2009-07-22 00:30 . 2009-07-22 14:14 1073664 ----a-w- c:\winnt\Internet Logs\xDB4B.tmp
2009-07-13 16:54 . 2009-07-13 16:45 1878984 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-07-13 13:13 . 2004-06-17 21:02 78608 ----a-w- c:\winnt\system32\avifil32.dll
2009-07-13 06:18 . 2004-06-22 18:45 233472 ----a-w- c:\winnt\system32\wmpdxm.dll
2009-07-12 20:13 . 2009-07-12 20:15 6497280 ----a-w- c:\winnt\Internet Logs\xDB4A.tmp
2009-07-12 20:13 . 2009-07-12 20:15 2692608 ----a-w- c:\winnt\Internet Logs\xDB49.tmp
2009-07-12 04:02 . 2009-07-12 04:02 159032 ----a-w- c:\winnt\system32\atl90.dll
2009-07-11 23:41 . 2009-07-11 23:41 97280 ----a-w- c:\winnt\system32\ATL80.dll
2009-07-10 16:49 . 2004-06-07 18:19 601088 ----a-w- c:\winnt\system32\INETCOMM.DLL
2009-07-10 16:49 . 2002-10-11 19:08 47616 ----a-w- c:\winnt\system32\INETRES.DLL
2009-07-10 16:49 . 2003-03-03 20:57 229376 ----a-w- c:\winnt\system32\MSOEACCT.DLL
2009-07-10 16:49 . 2003-03-03 20:57 91136 ----a-w- c:\winnt\system32\MSOERT2.DLL
2009-07-10 16:47 . 2003-03-03 20:57 44032 ----a-w- c:\winnt\system32\MSIDENT.DLL
2009-07-01 01:16 . 2009-07-01 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA
2009-06-26 15:53 . 2009-06-26 15:53 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-06-02 23:23 . 2004-06-22 13:59 1225728 ----a-w- c:\winnt\system32\quartz.dll
2009-06-01 20:23 . 2009-06-01 20:24 5982208 ----a-w- c:\winnt\Internet Logs\xDB48.tmp
2009-06-01 20:23 . 2009-06-01 20:24 24064 ----a-w- c:\winnt\Internet Logs\xDB47.tmp
2009-06-01 20:19 . 2009-06-01 20:20 61440 ----a-w- c:\winnt\Internet Logs\xDB46.tmp
2009-06-01 20:12 . 2009-06-01 20:13 5981696 ----a-w- c:\winnt\Internet Logs\xDB45.tmp
2009-06-01 19:58 . 2009-06-01 19:59 5976064 ----a-w- c:\winnt\Internet Logs\xDB44.tmp
2009-06-01 19:34 . 2009-06-01 19:37 41984 ----a-w- c:\winnt\Internet Logs\xDB42.tmp
2009-06-01 19:34 . 2009-06-01 19:37 5952000 ----a-w- c:\winnt\Internet Logs\xDB43.tmp
2009-06-01 19:30 . 2009-06-01 19:32 5959680 ----a-w- c:\winnt\Internet Logs\xDB41.tmp
2009-06-01 19:24 . 2009-06-01 19:25 51200 ----a-w- c:\winnt\Internet Logs\xDB40.tmp
2009-06-01 19:19 . 2009-06-01 19:21 5947392 ----a-w- c:\winnt\Internet Logs\xDB3F.tmp
2009-06-01 19:03 . 2009-06-01 19:05 311808 ----a-w- c:\winnt\Internet Logs\xDB3E.tmp
2004-06-16 18:52 . 2004-06-16 18:52 21952 ---h--w- c:\program files\folder.htt
2009-05-17 20:25 . 2009-05-17 20:25 0 --sh--r- c:\winnt\FFSSET.BIN
.

------- Sigcheck -------


[-] 2005-03-21 19:13 11264 AB176F2171DB704D51B8809E8A5C38BD c:\winnt\system32\CTFMON.EXE



[-] 2002-11-26 23:03 52224 36678803A8030EE9A771935CFC1848BD c:\winnt\system32\mspmsnsv.dll


c:\winnt\system32\drivers\ip6fw.sys ... is missing !!
c:\winnt\system32\termsrv.dll ... is missing !!
c:\winnt\system32\comres.dll ... is missing !!
c:\winnt\system32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-08 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ShutterflyStudio"="c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2008-01-12 2500096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-10-06 5058560]
"OfficeScanNT Monitor"="c:\officescan\pccntmon.exe" [2006-02-07 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-13 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"CitiVAN"="c:\program files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 192512]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-11-18 241664]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/24/2009 7:53 PM 108289]
R2 Array_Utility_Service8.3.1.84;Array Utility Service 8,3,1,84;c:\program files\Array Networks\Common\8,3,1,84\arr_isrv.exe [9/29/2008 9:01 AM 344139]
R2 ArraySSL_VPN_Service8.3.1.84;Array SSL VPN Service 8,3,1,84;c:\program files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exe [9/29/2008 9:01 AM 192587]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 12:37 PM 13088]
R2 TmFilter;Trend Micro Filter;c:\officescan\TmFilter.sys [11/9/2005 8:32 PM 252128]
S3 ATP;Array Networks VPN Adapter;c:\winnt\system32\drivers\atpdrvr.sys [9/29/2008 9:01 AM 16896]
S3 OnePointDomainAdminService;Domain Migration Administrator Agent;c:\program files\OnePointDomainAgent\DCTAgentService.exe [4/24/2006 5:01 PM 122880]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
- - - - ORPHANS REMOVED - - - -

Notify-ckpNotify - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmic...DEIIIDJGBHHJDEF
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: turbotax.com
Trusted Zone: webkinz.com\www
TCP: {C19B43F9-0961-495C-8354-95504CAF6F57} = 10.0.26.210
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://connect.ny.itg.com/prx/000/http/localhost/arr_x.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x7dge8is.default\
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 17:36
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(180)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(2024)
c:\winnt\AppPatch\AcLayers.DLL
c:\docume~1\ADMINI~1\LOCALS~1\Temp\IadHide5.dll
c:\winnt\system32\SHDOCVW.DLL
.
Completion time: 2009-08-26 17:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-26 21:55

Pre-Run: 4,354,150,400 bytes free
Post-Run: 6,573,850,624 bytes free

218 --- E O F --- 2009-08-25 21:23


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:10 PM, on 8/26/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Array Networks\Common\8,3,1,84\arr_isrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\OfficeScan\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\OfficeScan\tmlisten.exe
C:\OfficeScan\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan\OfcPfwSvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\OfficeScan\pccntupd.exe
C:\WINNT\TEMP\ZR806B.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ShutterflyStudio] C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmic...DEIIIDJGBHHJDEF (file missing)
O9 - Extra 'Tools' menuitem: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmic...DEIIIDJGBHHJDEF (file missing)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1251040415281
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://connect.ny.i...lhost/arr_x.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Array SSL VPN Service 8,3,1,84 (ArraySSL_VPN_Service8.3.1.84) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,3,1,84\arr_srvs.exe
O23 - Service: Array Utility Service 8,3,1,84 (Array_Utility_Service8.3.1.84) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,3,1,84\arr_isrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan\OfcPfwSvc.exe
O23 - Service: Domain Migration Administrator Agent (OnePointDomainAdminService) - NetIQ Corporation - C:\Program Files\OnePointDomainAgent\DCTAgentService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 11573 bytes


Thanks very much again, I really appreciate your help!
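The HijackThis log above is long, and a helper reads it the same way every time: which running processes live in a temp directory, and which entries point at files that are no longer there. The following is an added example, not code from this thread and not part of HijackThis; the sample lines are copied from the log above, and the two rules it applies (temp-directory executables, "(file missing)" entries) are this example's own assumptions about what to review first, not a verdict on any entry.

```python
"""Flag review candidates in a pasted HijackThis log (added example)."""
import re

# Directories a legitimately installed program rarely runs from persistently.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\local settings\\temp\\")

# Constructed from the log in this thread: a few process lines and O-entries.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\OfficeScan\pccntupd.exe
C:\WINNT\TEMP\ZR806B.EXE
C:\WINNT\system32\ctfmon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O9 - Extra button: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmic...DEIIIDJGBHHJDEF (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


def in_temp_dir(path):
    """True if the path contains one of the temp-directory markers (case-insensitive)."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def split_sections(log_text):
    """Return (process_paths, hjt_entries).

    Process paths are the lines under 'Running processes:' up to the next blank
    line; entries are the 'R0 - ', 'F1 - ', 'O4 - ', ... lines anywhere in the log.
    """
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if re.match(r"^[RFO]\d+ - ", line):
            in_procs = False
            entries.append(line)
        elif in_procs:
            processes.append(line)
    return processes, entries


def autorun_target(entry):
    """Best-effort launch path from an O4 line: the quoted command, else the
    first token after the [name] bracket, else the path after ' = ' for .lnk entries."""
    if "Global Startup:" in entry and " = " in entry:
        return entry.split(" = ", 1)[1].strip()
    m = re.search(r'\]\s*("[^"]+"|\S+)', entry)
    return m.group(1).strip('"') if m else ""


def triage(log_text):
    """List of (reason, line) pairs worth a second look, in log order."""
    findings = []
    processes, entries = split_sections(log_text)
    for path in processes:
        if in_temp_dir(path):
            findings.append(("process running from a temp directory", path))
    for entry in entries:
        if entry.startswith("O4 - ") and in_temp_dir(autorun_target(entry)):
            findings.append(("autorun entry launches from a temp directory", entry))
        if "(file missing)" in entry:
            findings.append(("entry points at a file that no longer exists", entry))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

On the sample above this flags C:\WINNT\TEMP\ZR806B.EXE and the two "(file missing)" entries and nothing else; a "(file missing)" on a vendor toolbar button is usually leftover registration rather than infection, so the list is a reading order, not a removal list.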

#4 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 27 August 2009 - 12:21 AM

Hi,

Before we continue, please go to VirusTotal, and upload the following file for analysis:
c:\winnt\erase_SR.exe
c:\winnt\system32\CTFMON.EXE
c:\winnt\system32\mspmsnsv.dll



Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.


Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know what issues remain.

-screen317
Chris Fistonich
Research Team


Follow us: Twitter, Become a fan: Facebook

#5 Please Help

Please Help

    New Member

  • Members
  • Pip
  • 15 posts

Posted 27 August 2009 - 07:23 PM

Hi,
Here are the results for the first two VirusTotal analyses; the last one will be in another reply:

c:\winnt\erase_SR.exe

File a01bc613e7f7df8468a2f5ed8db09d9e received on 2009.07.08 16:49:29 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.08 -
AhnLab-V3 5.0.0.2 2009.07.08 -
AntiVir 7.9.0.204 2009.07.08 -
Antiy-AVL 2.0.3.1 2009.07.08 -
Authentium 5.1.2.4 2009.07.08 -
Avast 4.8.1335.0 2009.07.07 -
AVG 8.5.0.386 2009.07.08 -
BitDefender 7.2 2009.07.08 -
CAT-QuickHeal 10.00 2009.07.08 -
ClamAV 0.94.1 2009.07.08 -
Comodo 1578 2009.07.08 -
DrWeb 5.0.0.12182 2009.07.08 -
eSafe 7.0.17.0 2009.07.08 -
eTrust-Vet 31.6.6604 2009.07.08 -
F-Prot 4.4.4.56 2009.07.07 -
F-Secure 8.0.14470.0 2009.07.08 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.08 -
Ikarus T3.1.1.64.0 2009.07.08 -
Jiangmin 11.0.706 2009.07.08 -
K7AntiVirus 7.10.787 2009.07.08 -
Kaspersky 7.0.0.125 2009.07.08 -
McAfee 5670 2009.07.08 -
McAfee+Artemis 5670 2009.07.08 -
McAfee-GW-Edition 6.8.5 2009.07.08 -
Microsoft 1.4803 2009.07.08 -
NOD32 4224 2009.07.08 -
Norman 6.01.09 2009.07.08 -
nProtect 2009.1.8.0 2009.07.08 -
Panda 10.0.0.14 2009.07.08 -
PCTools 4.4.2.0 2009.07.08 -
Prevx 3.0 2009.07.08 -
Rising 21.37.24.00 2009.07.08 -
Sophos 4.43.0 2009.07.08 -
Sunbelt 3.2.1858.2 2009.07.08 -
Symantec 1.4.4.12 2009.07.08 -
TheHacker 6.3.4.3.363 2009.07.08 -
TrendMicro 8.950.0.1094 2009.07.08 -
VBA32 3.12.10.7 2009.07.08 -
ViRobot 2009.7.8.1824 2009.07.08 Backdoor.Win32.SdBot.69632.H
VirusBuster 4.6.5.0 2009.07.08 -
Additional information
File size: 69632 bytes
MD5   : a01bc613e7f7df8468a2f5ed8db09d9e
SHA1  : 14c0569f8058449791e8608bf92c868d2afa086e
SHA256: 9d5961d21da2f0b61aea8920a3bf0f07c58d92a2ee1348701e617712b8cbd1a0
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3D8F
timedatestamp.....: 0x3B02B772 (Wed May 16 19:22:58 2001)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xA03A 0xB000 6.25 1eb5060072ff3fd978cea87c10687c8b
.rdata 0xC000 0x1B0A 0x2000 3.94 7461449c8381ae3f61344f090acc513b
.data 0xE000 0x4748 0x3000 1.23 7b351c5c6350c5cb376f727b71776157

( 0 imports )

( 0 exports )

TrID  : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 768:bVmBqhguxKj0DeYy+ymquJfRa/ZA2J4aYd9QfoWfGeoYZom:IqhxKjCBKZATaMQggom
PEiD  : Armadillo v1.71
CWSandbox: http://research.sunb...a2f5ed8db09d9e
RDS   : NSRL Reference Data Set
-


c:\winnt\system32\CTFMON.EXE

File CTFMON.EXE received on 2009.04.22 05:38:28 (UTC)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.22 -
AhnLab-V3 5.0.0.2 2009.04.22 -
AntiVir 7.9.0.148 2009.04.21 -
Antiy-AVL 2.0.3.1 2009.04.21 -
Authentium 5.1.2.4 2009.04.21 -
Avast 4.8.1335.0 2009.04.21 -
AVG 8.5.0.287 2009.04.21 -
BitDefender 7.2 2009.04.22 -
CAT-QuickHeal 10.00 2009.04.22 -
ClamAV 0.94.1 2009.04.22 -
Comodo 1124 2009.04.21 -
DrWeb 4.44.0.09170 2009.04.22 -
eSafe 7.0.17.0 2009.04.21 -
eTrust-Vet 31.6.6440 2009.04.20 -
F-Prot 4.4.4.56 2009.04.21 -
F-Secure 8.0.14470.0 2009.04.22 -
Fortinet 3.117.0.0 2009.04.22 -
GData 19 2009.04.22 -
Ikarus T3.1.1.49.0 2009.04.22 -
K7AntiVirus 7.10.710 2009.04.21 -
Kaspersky 7.0.0.125 2009.04.22 -
McAfee 5591 2009.04.21 -
McAfee+Artemis 5591 2009.04.21 -
McAfee-GW-Edition 6.7.6 2009.04.22 -
Microsoft 1.4602 2009.04.21 -
NOD32 4026 2009.04.21 -
Norman 6.00.06 2009.04.21 -
nProtect 2009.1.8.0 2009.04.22 -
Panda 10.0.0.14 2009.04.21 -
PCTools 4.4.2.0 2009.04.21 -
Prevx1 V2 2009.04.22 -
Rising 21.26.20.00 2009.04.22 -
Sophos 4.40.0 2009.04.22 -
Sunbelt 3.2.1858.2 2009.04.21 -
Symantec 1.4.4.12 2009.04.22 -
TheHacker 6.3.4.0.312 2009.04.22 -
TrendMicro 8.700.0.1004 2009.04.22 -
VBA32 3.12.10.2 2009.04.21 -
ViRobot 2009.4.22.1703 2009.04.22 -
VirusBuster 4.6.5.0 2009.04.21 -
Additional information
File size: 11264 bytes
MD5   : ab176f2171db704d51b8809e8a5c38bd
SHA1  : fd3e82bb62bf86e5342ceefee104c9de741f624f
SHA256: 3768c80d11f4e6f017740dc3f47b6ebe84be3e1f9d72bba056b09c342e23dec3
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2176
timedatestamp.....: 0x423F46EB (Mon Mar 21 23:12:59 2005)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1F2A 0x2000 6.92 5ac20db19a0db6fec2a438f49f9c55b1
.data 0x3000 0x1C8 0x200 0.88 fc5d6b36ccfaa664ad676ff8ddae26cb
.rsrc 0x4000 0x5D0 0x600 3.37 22ff68b90e4c9a61303c57a7cb1198d2

( 0 imports )

( 0 exports )

TrID  : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 192:V2FGoSzlYWpiqfd/Yq4HED1XT8uGagB5ycdTUgS5yWopW:V2jgt4WXgslc9Uv8WopW
PEiD  : -
RDS   : NSRL Reference Data Set
-
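Two things are worth checking before acting on a pasted VirusTotal report like the ones above: how many engines flagged the file and what they called it (here one engine out of forty, on a sample VirusTotal had first seen on 2009.07.08, before this thread started), and whether the copy on the disk really is the file the report describes, because the report is keyed by hash and says nothing about a different file with the same name. The following is an added example, not code from this thread and not VirusTotal's own tooling. ERASE_SR_REPORT below is a shortened copy of the erase_SR.exe report above; ABC_REPORT is a constructed report for the bytes b"abc", so the hash comparison can be exercised without the original file.

```python
"""Parse a VirusTotal text report and verify a local file against it (added example)."""
import hashlib
import re

HEADER = "Antivirus Version Last Update Result"
FOOTER = "Additional information"
# Engine rows read "<engine> <version> <YYYY.MM.DD> <result>". Engine names can
# contain spaces ("Prevx1 V2" has version "V2"), so the date column anchors the split.
ROW_RE = re.compile(
    r"^(?P<engine>.+?)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)\s*$")

# Shortened from the erase_SR.exe report in this thread (rows and hashes as posted).
ERASE_SR_REPORT = """\
File a01bc613e7f7df8468a2f5ed8db09d9e received on 2009.07.08 16:49:29 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.08 -
AntiVir 7.9.0.204 2009.07.08 -
Kaspersky 7.0.0.125 2009.07.08 -
Prevx 3.0 2009.07.08 -
ViRobot 2009.7.8.1824 2009.07.08 Backdoor.Win32.SdBot.69632.H
VirusBuster 4.6.5.0 2009.07.08 -
Additional information
File size: 69632 bytes
MD5   : a01bc613e7f7df8468a2f5ed8db09d9e
SHA1  : 14c0569f8058449791e8608bf92c868d2afa086e
SHA256: 9d5961d21da2f0b61aea8920a3bf0f07c58d92a2ee1348701e617712b8cbd1a0
"""

# Constructed report for the bytes b"abc", used only to exercise the hash check.
ABC_REPORT = """\
Additional information
File size: 3 bytes
MD5   : 900150983cd24fb0d6963f7d28e17f72
SHA1  : a9993e364706816aba3e25717850c26c9cd0d89d
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""


def parse_engine_rows(report_text):
    """Return [(engine, version, updated, result)] for rows between HEADER and FOOTER."""
    rows, inside = [], False
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == HEADER:
            inside = True
            continue
        if line == FOOTER:
            break
        if not inside or not line:
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append((m["engine"], m["version"], m["updated"], m["result"]))
    return rows


def detections(rows):
    """Engines whose result is anything other than '-' (VirusTotal's clean marker)."""
    return [(engine, result) for engine, _v, _u, result in rows if result != "-"]


def parse_report_hashes(report_text):
    """Pick the MD5 / SHA1 / SHA256 lines out of the 'Additional information' block."""
    found = {}
    for raw in report_text.splitlines():
        m = HASH_RE.match(raw.strip())
        if m:
            found[m.group(1).lower()] = m.group(2).lower()
    return found


def hash_bytes(data):
    """Recompute the three digests VirusTotal prints, for the local copy of the file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data, report_text):
    """True only if the report lists at least one hash and every listed hash agrees."""
    reported = parse_report_hashes(report_text)
    local = hash_bytes(data)
    return bool(reported) and all(local[alg] == val for alg, val in reported.items())


if __name__ == "__main__":
    rows = parse_engine_rows(ERASE_SR_REPORT)
    print(f"{len(detections(rows))} of {len(rows)} engines flagged the file:")
    for engine, verdict in detections(rows):
        print(f"  {engine}: {verdict}")
    # With the real file one would pass open(path, "rb").read() here.
    print("local b'abc' matches ABC_REPORT:", matches_report(b"abc", ABC_REPORT))
```

A single generic "SdBot" hit on a 2001-timestamped, Armadillo-packed binary is the kind of result that justifies the rename-and-wait step screen317 gives below rather than immediate deletion; the hash check is what tells you the rename is being applied to the file the report was about.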

#6 Please Help

Please Help

    New Member

  • Members
  • Pip
  • 15 posts

Posted 27 August 2009 - 07:32 PM

I cannot post the results from the last VirusTotal analysis. After clicking on the <Add Reply> button, I get Method not implemented, POST to /forums/index.php not supported
Here is the link to the results for c:\winnt\system32\mspmsnsv.dll:

http://www.virustota...8bef-1250643399

#7 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 27 August 2009 - 09:04 PM

Rename c:\winnt\erase_SR.exe to erase_SR.old

If in time you find nothing amiss, delete it entirely.


Proceed with the F-Secure scan.

-screen317
Chris Fistonich
Research Team


#8 Please Help

Please Help

    New Member

  • Members
  • Pip
  • 15 posts

Posted 28 August 2009 - 07:23 PM

Hi,
I renamed the erase_SR file as instructed.
Here is my report from the F-secure scan:

7 malware found
TrackingCookie.2o7 (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Mediaplex (spyware)
System (Disinfected)
TrackingCookie.Statcounter (spyware)
System (Disinfected)
TrackingCookie.Atwola (spyware)
System (Disinfected)
TrackingCookie.Imrworldwide (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 49565
System: 3271
Not scanned: 8
Actions:
Disinfected: 7
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINNT\SYSTEM32\CONFIG\DEFAULT
C:\WINNT\SYSTEM32\CONFIG\SAM
C:\WINNT\SYSTEM32\CONFIG\SECURITY
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE
C:\WINNT\SYSTEM32\CONFIG\SYSTEM
C:\OFFICESCAN\SUSPECT\MWSOEMON.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\ETILQS_HHRNNGNS791ZXZSB8S5P

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

#9 Please Help

Please Help

    New Member

  • Members
  • Pip
  • 15 posts

Posted 28 August 2009 - 07:51 PM

Security Check report:

Results of screen317's Security Check version 0.98.9
Windows 2000 Service Pack 4
``````````````````````````````
Antivirus/Firewall Check:

Avira AntiVir Personal - Free Antivirus
Trend Micro OfficeScan Client

ZoneAlarm
ZoneAlarm Spy Blocker

Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
ZoneAlarm Spy Blocker
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Adobe Flash Player 10
Adobe Reader 7.0.9
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!


``````````````````````````````
DNS Vulnerability Check:

nslookup.exe missing!
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Remaining issue:
I cannot rename a folder in my C: drive. If I try to rename an existing folder or create a new one and name it, I get an "Error renaming File or Folder".
Error reads:
Cannot rename New Folder: There has been a sharing violation.
The source or destination file may be in use.

Any suggestions? Thanks.

#10 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 29 August 2009 - 07:42 PM

Hi,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):


Adobe Reader 7.0.9


Restart your computer.

Get the latest version of Adobe Reader.


Remaining issue:
I cannot rename a folder in my C: drive. If I try to rename an existing folder or create a new one and name it, I get an "Error renaming File or Folder".
Error reads:
Cannot rename New Folder: There has been a sharing violation.
The source or destination file may be in use.

Any suggestions? Thanks.

Give this a try:

Go to Task Manager, and kill this task:

explorer.exe

Back in Task Manager, start a New Task, and type this in:

explorer.exe

Press Enter (your Desktop should return now), and see if you still can't rename folders.

-screen317
Chris Fistonich
Research Team


#11 Please Help

Please Help

    New Member

  • Members
  • Pip
  • 15 posts

Posted 30 August 2009 - 08:15 PM

Hi,
Just a quick question before I uninstall ComboFix. Can I leave Combofix on my machine and run it periodically so it can find and get rid of other bad files?
Thanks.

#12 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 01 September 2009 - 03:36 AM

The short answer: no.

ComboFix is a very dangerous tool when used unsupervised and is not meant to be run periodically as MBAM is.

Plus, it would go out of date so quickly that your copy would quickly become obsolete.
Chris Fistonich
Research Team


#13 Please Help

Please Help

    New Member

  • Members
  • Pip
  • 15 posts

Posted 01 September 2009 - 08:09 PM

Thanks for the info about Combofix. I uninstalled Combofix and deleted SecurityCheck and got the latest version of Adobe Reader.
I deleted explorer.exe from task manager and started a new task. I still cannot rename folders in my C:, same error message.
Also, even though I uninstalled Combofix, I still see a Combofix folder in my c:, should I delete that too?
Thanks.

#14 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 01 September 2009 - 09:47 PM

Yes delete that folder.


Wait-- are you able to delete it?? Or does the same error get thrown up?
Chris Fistonich
Research Team


#15 Please Help

Please Help

    New Member

  • Members
  • Pip
  • 15 posts

Posted 02 September 2009 - 01:31 PM

Hi,
I was able to delete the Combofix folder with no error messages.
Thanks.

#16 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 03 September 2009 - 03:27 AM

Try Unlocking the folders and see if you are able to manipulate them now.
Chris Fistonich
Research Team


#17 Please Help

Please Help

    New Member

  • Members
  • Pip
  • 15 posts

Posted 03 September 2009 - 05:28 PM

It worked! I had to choose a file that was connected to my c: only and not connected to any of the subdirectories in my c:
I tested it, and now I am able to name and rename folders again!
Thanks very much!

#18 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 03 September 2009 - 10:38 PM

Great! ;)

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!


Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?




Safe surfing,

-screen317
Chris Fistonich
Research Team


#19 Please Help

Please Help

    New Member

  • Members
  • Pip
  • 15 posts

Posted 04 September 2009 - 10:29 AM

One other thing... the problem seems to have returned.
I turned on my computer today and tried again to rename the folder in c: and it did not work this time, even after using Unlocker again.
I even Unlocked all which rebooted my computer and it didn't work. Then I tried to just unlock certain paths and it did not seem to work either, because they were still listed in the Unlocker window. Any other suggestions??
Thanks.

#20 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 05 September 2009 - 01:00 AM

Did you try to do exactly as you did before?

It worked! I had to choose a file that was connected to my c: only and not connected to any of the subdirectories in my c:
I tested it, and now I am able to name and rename folders again!
Thanks very much!



Do you need to be renaming folders in the root of your C drive?
Chris Fistonich
Research Team




