

Unknown Malware Disabling A/v?


30 replies to this topic

#1 LynnBR

Posted 22 July 2008 - 07:23 PM

I've found many solutions on your site, hoping for this one too. User received "antivirus found" warning late last week. Clicking on "view scan results" doesn't bring up scan, cannot run A/V scan of hard drive. Some benign functions of A/V work but not anything productive. Have not been informed of anything else misbehaving on this system. Ran MBAM latest version quick scan, came back clean. Here's what I've got so far, following your posting instructions (with a little oops and re-do along the way).

Deckard's System Scanner v20071014.68
Run by lynn on 2008-07-22 16:51:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-07-22 23:51:20 UTC - RP326 - Deckard's System Scanner Restore Point
17: 2008-07-22 23:36:21 UTC - RP325 - Installed Java™ 6 Update 7
16: 2008-07-22 23:11:25 UTC - RP324 - Deckard's System Scanner Restore Point
15: 2008-07-22 01:45:31 UTC - RP323 - Removed Command AntiVirus for Windows Enterprise
14: 2008-07-22 01:22:59 UTC - RP322 - Restore Operation


-- First Restore Point --
1: 2008-04-25 22:37:32 UTC - RP309 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as lynn.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:24 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Authentium\AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\Program Files\Authentium\AntiVirus\schscnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\Documents and Settings\Lynn.HACI0\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\lynn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe /v
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" /agent
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Reminder.lnk = CheckIn\Chklogin.exe
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009103532
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009076414
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = haci0.local
O17 - HKLM\Software\..\Telephony: DomainName = haci0.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = haci0.local
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\schscnt.exe

--
End of file - 7054 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Sage.ServiceHost.Host.1.0 (Sage Service Host v1.0) - c:\program files\timberline office\shared\sage.servicehost.host.exe <Not Verified; Sage Software, Inc.; Data>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 592)
2006-02-03 01:23:12 135168 --a------ C:\Program Files\ScanSoft\OmniPage15.0\OpHook15.dll <Not Verified; ScanSoft, Inc.; OmniPage Pro>


-- Scheduled Tasks -------------------------------------------------------------

2008-07-21 18:48:15 344 --a------ C:\WINDOWS\Tasks\StartSetup.job
2006-05-09 09:17:28 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-22 16:49:53 0 d-------- P:\Deckard
2008-07-21 18:47:55 0 d-------- C:\Program Files\Common Files\Authentium
2008-07-21 18:47:55 0 d-------- C:\Program Files\Authentium
2008-07-21 18:36:23 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Command Software
2008-07-21 18:31:38 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Timberline
2008-07-21 18:31:17 0 d-------- C:\Program Files\Trend Micro
2008-07-21 17:19:02 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Malwarebytes
2008-07-21 17:18:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 17:18:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Favorites
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data\Microsoft
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data\Gtek
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\Templates
2008-07-08 12:54:21 786432 --ah----- C:\Documents and Settings\lr\NTUSER.DAT
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\My Documents
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\Local Settings
2008-07-08 07:42:19 1236992 --a------ C:\Documents and Settings\nikki\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-22 16:41:20 0 d-------- C:\Program Files\Java
2008-07-21 18:47:55 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 07:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 07:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 07:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 10:20 PM C:\WINDOWS\stsystra.exe]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 06:20 PM]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [09/08/2005 06:20 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 04:20 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/30/2003 12:14 AM]
"Opware15"="C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe" [02/03/2006 01:23 AM]
"OpScheduler"="C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"CSAV_CheckViruses"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe" [06/01/2008 04:56 PM]
"cuagent"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe" [06/01/2008 04:55 PM]
"avtray"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe" [06/01/2008 04:55 PM]
"dvprpt"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe" [06/01/2008 04:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"OpAgent"="C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" [02/03/2006 01:24 AM]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [11/08/2001 10:37 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe [5/9/2006 10:52:02 AM]
Reminder.lnk - G:\CheckIn\Chklogin.exe [3/12/2006 7:44:39 PM]
Start Network Scanner Tool.lnk - C:\Program Files\Sharp\Sharpdesk\sdFTP.exe [8/2/2006 3:17:53 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER




-- End of Deckard's System Scanner: finished at 2008-07-22 16:52:21 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 1014.07 MiB / 676.12 MiB
Pagefile Memory (total/avail): 2441.27 MiB / 2219.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.35 MiB

C: is Fixed (NTFS) - 70.9 GiB total, 56.59 GiB free.
D: is CDROM (CDFS)
G: is Network (NTFS)
K: is Network (NTFS)
N: is Network (NTFS)
P: is Network (NTFS)
Q: is Network (NTFS)
S: is Network (NTFS)
T: is Network (NTFS)
U: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD800JD-75MSA1 - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 70.9 GiB - C:
\PARTITION2 - Unknown - 3.57 GiB



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
UpdatesDisableNotify is set.

AV: Command AntiVirus for Windows Enterprise v73334786 (Authentium, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PVSW\\Bin\\w3dbsmgr.exe"="C:\\PVSW\\Bin\\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Sharp\\Sharpdesk\\sdFTP.exe"="C:\\Program Files\\Sharp\\Sharpdesk\\sdFTP.exe:*:Enabled:sdFTP"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PVSW\\Bin\\w3dbsmgr.exe"="C:\\PVSW\\Bin\\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lynn.HACI0\Application Data
CLASSPATH=C:\PVSW\BIN\PVJDBC2X.JAR;C:\PVSW\BIN\PVJDBC2.JAR
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SM2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=P:
HOMEPATH=\
HOMESHARE=\\hal\lynn$
LOGONSERVER=\\HAL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Timberline Office\Shared\;C:\Program Files\Timberline Office\Shared;C:\PVSW\BIN;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Common Files\Crystal Decisions\2.0\bin;C:\Program Files\Common Files\Crystal Decisions\2.5\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
Shared_Path=C:\Program Files\Timberline Office\Shared\
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LYNN~1.HAC\LOCALS~1\Temp
TMP=C:\DOCUME~1\LYNN~1.HAC\LOCALS~1\Temp
USERDNSDOMAIN=HACI0.LOCAL
USERDOMAIN=HACI0
USERNAME=lynn
USERPROFILE=C:\Documents and Settings\Lynn.HACI0
VSL=C:\PVSW\BIN
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

amy
sherri
kathy
nikki
Lynn.HACI0 (admin)
cas
judi (new local, net ready)
jayme
shannon
lorid
tanya
jessica
reception
juanita
donelle
Lynn (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Accounting Client --> MsiExec.exe /X{165A57F4-5078-4769-A645-1399FABD35BD}
Acowin 4.15 --> MsiExec.exe /I{25A57BE0-9A82-4ACE-8ABB-B766024F5EDD}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Corel Photo Album 6 --> MsiExec.exe /X{8A9B8148-DDD7-448F-BD6C-358386D32354}
Crystal Runtime --> MsiExec.exe /I{880E72CC-AD34-4CD0-947A-2CEB1DEDF322}
CrystalPatch --> MsiExec.exe /I{4DD0C9EE-0342-461A-9354-47F44860F651}
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}
DESI Labeling System --> C:\PROGRA~1\DESI\UNWISE.EXE C:\PROGRA~1\DESI\INSTALL.LOG
Digital Content Portal --> MsiExec.exe /I{B702CCCE-3176-4DBF-B932-D1B8F402F330}
FileMaker Pro 5.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FileMaker\FileMaker Pro 5\System\DeIsL1.isu"
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
MCU --> MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Accounting 2006 --> MsiExec.exe /X{F413D795-B077-4A96-AE75-810BBA673A0E}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
Pervasive System Analyzer --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Common Files\Pervasive Software Shared\PSA\psa.isu"
Pervasive.SQL Workgroup v8.10 --> C:\WINDOWS\IsUninst.exe -fC:\PVSW\DeIsL1.isu -a -c"C:\PVSW\W32PTKUN.DLL" -mpsql.mif -ppWKGRP
Qualxserve Service Agreement --> MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SBA --> MsiExec.exe /I{20F51690-133A-453C-B616-1C15AB2C0EF0}
ScanSoft OmniPage 15.0 --> MsiExec.exe /I{E9DCA3A9-7478-427C-9E98-765D980EF053}
Search Assist --> MsiExec.exe /X{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sharpdesk --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Sharp\Sharpdesk\Uninst.isu" -c"C:\Program Files\Sharp\Sharpdesk\uninst.dll"
Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
URL Assistant --> regsvr32 /u /s "c:\Program Files\BAE\BAE.dll"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"


-- Application Event Log -------------------------------------------------------

Event Record #/Type10604 / Warning
Event Submitted/Written: 07/22/2008 04:42:48 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type10603 / Warning
Event Submitted/Written: 07/22/2008 04:42:48 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type10598 / Warning
Event Submitted/Written: 07/22/2008 04:23:24 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type10597 / Warning
Event Submitted/Written: 07/22/2008 04:23:24 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type10592 / Warning
Event Submitted/Written: 07/22/2008 04:10:09 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, RegProv, has been registered in the WMI namespace, root\Authentium, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22384 / Error
Event Submitted/Written: 07/22/2008 04:12:32 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The avinitnt service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type22383 / Error
Event Submitted/Written: 07/22/2008 04:12:29 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The dvpapi service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type22337 / Error
Event Submitted/Written: 07/21/2008 06:51:52 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The avinitnt service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type22336 / Error
Event Submitted/Written: 07/21/2008 06:51:50 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The dvpapi service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type22291 / Error
Event Submitted/Written: 07/21/2008 06:43:12 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-07-22 16:52:21 ------------

Kaspersky run was done last night. The N drive findings are of particular concern; I'll have to investigate those separately.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 22, 2008 00:34:14
Records in database: 982552
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
G:\
K:\
N:\
P:\
Q:\
S:\
T:\
U:\

Scan statistics:
Files scanned: 144359
Threat name: 8
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 03:18:12


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\quarantine\file[1].jpg.Quarantined Infected: Exploit.Win32.IMG-ANI.h 1
C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\quarantine\slide712[1].htm.Quarantined Infected: Trojan-Downloader.JS.Agent.eg 1
C:\Documents and Settings\jayme\Application Data\Sun\Java\Deployment\cache\6.0\33\54407b61-639f766b Infected: Trojan.Java.ClassLoader.ao 3
C:\RECYCLER\S-1-5-21-4042160745-1055448698-3759889225-1007\Dc1112\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv712.jar-2e5cce94-2429bcd5.zip Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\RECYCLER\S-1-5-21-4042160745-1055448698-3759889225-1007\Dc1112\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv712.jar-2e5cce94-2429bcd5.zip Infected: Trojan.Java.ClassLoader.h 1
C:\RECYCLER\S-1-5-21-4042160745-1055448698-3759889225-1007\Dc1112\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv712.jar-2e5cce94-2429bcd5.zip Infected: Trojan.Java.ClassLoader.d 1
G:\DOWNLOAD\Utilities\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
N:\ACCSoft\AC.exe Infected: Email-Worm.Win32.Magistr.b.corrupted 1
N:\ACCSoft\DBEdit.exe Infected: Email-Worm.Win32.Magistr.b.corrupted 1
N:\ACCSoft\SiteSetup.exe Infected: Email-Worm.Win32.Magistr.b.corrupted 1

The selected area was scanned.
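The Service Control Manager 7034 records in the DSS event-log excerpt above are the trace an A/V being knocked over leaves behind. As an added example that is not part of this thread, of DSS or of Authentium's software, here is a small Python parser that pulls those records out and flags crashes of the machine's antivirus services; the service names come from the O23 lines in the thread, and the first record number in the sample is constructed because the quoted excerpt begins mid-record.

```python
"""Flag Service Control Manager event 7034 ("service terminated unexpectedly")
for antivirus services in a Deckard's System Scanner (DSS) event-log excerpt.

Added example for this thread; not part of the forum post, of DSS or of the
Authentium product. The record layout mirrors the DSS output quoted above.
AV_SERVICES is an assumption for this particular machine."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample built from the records quoted in the thread. The first
# record number (22338) is constructed: the quoted excerpt begins mid-record.
SAMPLE_LOG = """Event Record #/Type22338 / Error
Event Submitted/Written: 07/21/2008 06:51:52 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The avinitnt service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type22336 / Error
Event Submitted/Written: 07/21/2008 06:51:50 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The dvpapi service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type22291 / Error
Event Submitted/Written: 07/21/2008 06:43:12 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
"""

# Assumption: the Authentium/Command AntiVirus services listed in the O23 lines.
AV_SERVICES = {"avinitnt", "dvpapi", "schscnt"}

SERVICE_CRASH_ID = 7034  # SCM: "The <name> service terminated unexpectedly."

HEADER = re.compile(r"^Event Record #/Type(\d+) / (\w+)$")
SUBMITTED = re.compile(r"^Event Submitted/Written: (.+)$")
ID_SOURCE = re.compile(r"^Event ID/Source: (\d+) / (.+)$")
CRASH_RE = re.compile(
    r"^The (\S+) service terminated unexpectedly\.\s+It has done this (\d+) time")


@dataclass
class Event:
    record: int
    level: str
    when: Optional[str]
    event_id: int
    source: str
    description: str


def parse_dss_events(text: str) -> List[Event]:
    """Split a DSS event section into Event objects.

    Records are separated by blank lines; the description may span several
    lines (the DCOM record above does), so it is joined with single spaces."""
    events: List[Event] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        head = HEADER.match(lines[0])
        if not head:
            continue  # not an event record (section banner, stray text)
        when: Optional[str] = None
        event_id: Optional[int] = None
        source = ""
        desc_lines: List[str] = []
        in_desc = False
        for ln in lines[1:]:
            if in_desc:
                desc_lines.append(ln)
            elif (m := SUBMITTED.match(ln)):
                when = m.group(1)
            elif (m := ID_SOURCE.match(ln)):
                event_id, source = int(m.group(1)), m.group(2)
            elif ln == "Event Description:":
                in_desc = True
        if event_id is None:
            continue  # malformed record: no ID/Source line
        events.append(Event(int(head.group(1)), head.group(2), when,
                            event_id, source, " ".join(desc_lines)))
    return events


def av_service_crashes(events: List[Event],
                       av_services: Set[str]) -> List[Tuple[str, int, Optional[str]]]:
    """Return (service, crash_count, timestamp) for every 7034 record naming
    one of the protected services. Two A/V services dying within seconds of
    each other, as in the sample, is the pattern worth alerting on."""
    wanted = {s.lower() for s in av_services}
    hits = []
    for ev in events:
        if ev.event_id != SERVICE_CRASH_ID or ev.source != "Service Control Manager":
            continue
        m = CRASH_RE.match(ev.description)
        if m and m.group(1).lower() in wanted:
            hits.append((m.group(1), int(m.group(2)), ev.when))
    return hits


if __name__ == "__main__":
    for svc, count, when in av_service_crashes(parse_dss_events(SAMPLE_LOG), AV_SERVICES):
        print(f"{when}: {svc} terminated unexpectedly ({count} time(s))")
```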

#2 Blender

Posted 07 August 2008 - 12:44 PM

Hi and welcome,

Sorry for the delay. We have been backlogged.

If you still need help please do the following:

Enable system to show hidden files. How to:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/
don't forget to hide files/folders when we are finished cleaning.

Locate & delete: (if present)

C:\Documents and Settings\jayme\Application Data\Sun\Java\Deployment\cache\6.0\33\54407b61-639f766b

G:\DOWNLOAD\Utilities\SmitfraudFix.exe <-- this is not malware but the tool is updated too often to keep it around.

I'd like to rule out false positive on those files on N drive.
Scan these 3:

N:\ACCSoft\AC.exe
N:\ACCSoft\DBEdit.exe
N:\ACCSoft\SiteSetup.exe

At this site & post results:

http://www.virustotal.com/en/indexf.html

Next:

Please be logged into the "Lynn" account then...
Click start> run> type:

"%userprofile%\desktop\dss.exe" /config

Hit OK> hit "scan" & post results of both logs here.

----------------------------

My additional questions:

With the possible exception of "Judi" are they all local accounts or do the users have to log onto the machine from elsewhere? The "Judi" account looks like she would log into the machine from elsewhere. Correct?
Reason I ask is because those kinds of logins are dealt with a bit differently in terms of cleanup than local logins.

The N drive --
Is it Data storage only? What was on that drive before?
I just find it odd that it seems to be the only one affected with "Email-Worm.Win32.Magistr.b.corrupted" which is a damaged variant of:
http://www.trendmicro.com/vinfo/virusencyc...2EB&VSect=T


Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 LynnBR

Posted 07 August 2008 - 05:18 PM

Blender,
Thanks for getting to me. Will be about an hour before I can run DSS on system again but have started on other activities and can answer your questions now.

Deleted smitfraudfix.

Ran 3 files on N drive through VirusTotal. N is a mapped drive to accounting software on our server. I may be dense but couldn't figure out how to save the scan results other than copy/paste, so did that into a txt document which I have attached. There was an awful lot of text in the report, didn't want to fill up this space with all that, so attached instead. Hope that is not a problem. Can repost inline if you'd like.

Judi was a local account. No users should be logging into this machine from elsewhere. This is receptionist computer; when other employees need to cover phones/front desk they log in and work from here.
Thanks,
Lynn


#4 LynnBR

Posted 07 August 2008 - 06:18 PM

Deleted file from D&S\jayme.
Here's the main.txt log from DSS. Did not get a second log. Let me know if I need to re-run with different switches.

Deckard's System Scanner v20071014.68
Run by lynn on 2008-08-07 16:12:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as lynn.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:42 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Authentium\AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\Program Files\Authentium\AntiVirus\schscnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Lynn.HACI0\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\lynn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe /v
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" /agent
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Reminder.lnk = CheckIn\Chklogin.exe
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009103532
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009076414
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = haci0.local
O17 - HKLM\Software\..\Telephony: DomainName = haci0.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = haci0.local
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\schscnt.exe

--
End of file - 7142 bytes

-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-07-22 16:49:53 0 d-------- P:\Deckard
2008-07-21 18:47:55 0 d-------- C:\Program Files\Common Files\Authentium
2008-07-21 18:47:55 0 d-------- C:\Program Files\Authentium
2008-07-21 18:36:23 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Command Software
2008-07-21 18:31:38 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Timberline
2008-07-21 18:31:17 0 d-------- C:\Program Files\Trend Micro
2008-07-21 17:19:02 0 d-------- C:\Documents and Settings\Lynn.HACI0\Application Data\Malwarebytes
2008-07-21 17:18:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 17:18:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Favorites
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data\Microsoft
2008-07-08 12:54:22 0 d-------- C:\Documents and Settings\lr\Application Data\Gtek
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\Templates
2008-07-08 12:54:21 786432 --ah----- C:\Documents and Settings\lr\NTUSER.DAT
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\My Documents
2008-07-08 12:54:21 0 d-------- C:\Documents and Settings\lr\Local Settings
2008-07-08 07:42:19 1236992 --a------ C:\Documents and Settings\nikki\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-22 16:41:20 0 d-------- C:\Program Files\Java
2008-07-21 18:47:55 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 07:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 07:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 07:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 10:20 PM C:\WINDOWS\stsystra.exe]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 06:20 PM]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [09/08/2005 06:20 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 04:20 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/30/2003 12:14 AM]
"Opware15"="C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe" [02/03/2006 01:23 AM]
"OpScheduler"="C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"CSAV_CheckViruses"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe" [06/01/2008 04:56 PM]
"cuagent"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe" [06/01/2008 04:55 PM]
"avtray"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe" [06/01/2008 04:55 PM]
"dvprpt"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe" [06/01/2008 04:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"OpAgent"="C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" [02/03/2006 01:24 AM]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [11/08/2001 10:37 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe [5/9/2006 10:52:02 AM]
Reminder.lnk - G:\CheckIn\Chklogin.exe [3/12/2006 7:44:39 PM]
Start Network Scanner Tool.lnk - C:\Program Files\Sharp\Sharpdesk\sdFTP.exe [8/2/2006 3:17:53 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER




-- End of Deckard's System Scanner: finished at 2008-08-07 16:13:17 ------------


Thanks again,
Lynn

#5 Blender

Posted 08 August 2008 - 12:46 PM

Hi,

Thanks for the logs. Attaching the txt file of virustotal results is fine.

Those 3 files you can delete from the N drive.

Sorry about the dss scan -- I forgot to have you "check all" at the config window. :thumbsup:
However -- since you have several accounts on the machine I would like to have a look at those too in case something strange is being started from a different user account.

See, when you have several user accounts -- each user has their own desktop, settings and so on. So it is much like having 17 different computers to check.
We'll use a different program for checking...
If anything is found in this log we can use an admin level account to fix everyone rather than having to log into each account separately.

Since we have been working from the "Lynn" account -- I would prefer to keep working from there if possible.
This will save confusion if we have to fix anything.

download OTScanIT.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIT on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIT folder and double-click on OTScanIT.exe to start the program
  • At the top checkmark "Scan all users"
  • In the Drivers section click on Non-Microsoft.
  • In the rootkit section click on yes
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    You can close this log file.
Please zip up & attach the file "OTScanIT.txt" in your next reply as it will be way too long to copy/paste log here.
I ask for it zipped because we are limited in how much attachment space we have so zipping large logs will save space.
Don't forget to re-enable antivirus.


While waiting for me to get back -- I highly advise uninstalling older versions of Java.
Old Java versions are exploitable.
Go to add/remove programs and uninstall All versions of Java and J2RE except Java™ 6 Update 7

Reboot when done.

Keep in mind when installing new Java versions the installer does not remove the old.
Having old versions can allow malicious sites to "call up" old Java installs to carry out their exploits.

I also advise uninstalling Acrobat Reader 8 & installing the new version.
Your version is exploitable.
New version here:
http://www.adobe.com/products/acrobat/readstep2.html

UNcheck google toolbar before installing Reader if you don't want it.

As with Java -- Adobe installer does not check for & uninstall old versions either.

Thanks :)

ps.
If no reply back from me in say 24 hours --- please shoot me a PM.

#6 LynnBR

Posted 08 August 2008 - 02:16 PM

Here's the log. I'll work on the Java and Adobe items. It's also Friday afternoon, I have to leave early, and since I hope to avoid the office this weekend, I won't bug you unless it's well over 48 hours before I hear back from you.

As for the 3 files on N drive, I need to see what they are. Can't just go deleting files from the accounting software now, can we?

Thanks again!
Lynn


#7 Blender

Posted 09 August 2008 - 05:46 PM

Hi,

Thanks for the log.
I am looking at it now & will reply back shortly with recommendations.

As for those 3 files on the N drive -- if they were in fact a legit part of your accounting software -- I highly suggest replacing them with backups.
What is the date created/modified compared to other files in that directory?
I hate to see that thing get executed...
I don't think it can execute properly as the scanners from VT seem to indicate a damaged virus but --
This virus can do a lot of damage.

http://www.trendmicro.com/vinfo/virusencyc...2EB&VSect=T

You may also want to upload copies to your AV company & have them check it out. Possibly the virus portion can be removed and the file itself left intact if you don't have backups.
Your AV may have an option to upload suspicious files?

Anyhoo -- be back shortly. :thumbsup:

#8 Blender

Posted 09 August 2008 - 06:20 PM

Me again..

When you log into your account (Lynn) do things seem to load normal?
Meaning you can access your documents, favorites, desktop items, and so on? Everything seem intact there?

Reason I ask is because it seems many items on the Lynn account are hidden.
Or have you used the "make my files/folders private" feature?

If it loads normally -- we won't mess with it. Just curious at this point.

Thanks :thumbsup:

#9 LynnBR

Posted 11 August 2008 - 11:34 AM

I am checking with Acctg software vendor to see if those files are needed and what their recommendation is for replacing them. From modified date and other info I'm guessing they're for a module we don't have licenses to (which could also explain why it has not been an issue yet, we don't run those files).

"Make my files/folders private" option is not available as we use NTFS permissions through security tab. It is possible that I have my stuff private as I wear many hats around here and keep my stuff as inaccessible as possible for HIPAA and other reasons. However, everything does load and run fine for me, with the exception of MS Office which uninstalled itself for me only one time when I ran a "cleaner" utility. I found and used a fix, had it working, then did system restore while working on this issue and haven't yet reapplied the fix.

#10 Blender

Posted 12 August 2008 - 10:11 PM

Hello,

Any chance you can send Acctg company zipped up copies of those files so they can verify they belong to that app?

As for the hidden documents and so on --
If everything works OK then we won't mess with it.
Likely permissions security you have set on those directories.

Before we 'fix' anything --- can you post a new hijackthis log please?
I did ask you to update Java & Acrobat reader. I just want to confirm the google toolbar is still not present before I bother removing those remnants.
If google is there -- we'll leave the google stuff alone. :thumbsup:

Is your AV still being disabled?
Have you tried completely uninstalling it & re-installing?

Thanks :)

#11 LynnBR

Posted 13 August 2008 - 06:41 PM

Blender,
Yes, A/V is still disabled. I did a complete uninstall (including registry edit per vendor's instructions) and reinstall long before I did the original post; it didn't fix the problem. Also did System Restore to a time prior to this problem arising.

Those 3 files were part of the acctg software but were apparently from an older implementation of a module; those files are no longer in use by acctg software and have been deleted and recycle bin emptied.

There is no google toolbar in use on this system that I can tell; if there is, they can live without it. System probably came with toolbar and desktop preinstalled, which I promptly told to take a hike.

Here's the latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:25 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Authentium\AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\Program Files\Authentium\AntiVirus\schscnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe /v
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" /agent
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKUS\S-1-5-21-4024902727-2201102040-335047296-1250\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'donelle')
O4 - HKUS\S-1-5-21-4024902727-2201102040-335047296-1250\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'donelle')
O4 - HKUS\S-1-5-21-4024902727-2201102040-335047296-1250\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'donelle')
O4 - HKUS\S-1-5-21-4024902727-2201102040-335047296-1250\..\Run: [DellSupport-] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'donelle')
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Reminder.lnk = CheckIn\Chklogin.exe
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009103532
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207009076414
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = haci0.local
O17 - HKLM\Software\..\Telephony: DomainName = haci0.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = haci0.local
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\schscnt.exe

--
End of file - 7624 bytes

Thanks again!

#12 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 14 August 2008 - 03:33 PM

Hi,

Thanks for the info.

Let's go ahead & remove the google leftovers and I'll ask for another log to look at.
Double click OTScanIt.exe to run it.

Copy the following text inside the code box and paste it into the green "paste fix here" box:

[Registry - Non-Microsoft Only]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\] > -> HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\] > -> HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &Google Search -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> &Translate English Word -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Backward Links -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Cached Snapshot of Page -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Similar Pages -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Translate Page into English -> %ProgramFiles%\Google\GoogleToolbar1.dll
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\] > -> HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &Google Search -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> &Translate English Word -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Backward Links -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Cached Snapshot of Page -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Similar Pages -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Translate Page into English -> %ProgramFiles%\Google\GoogleToolbar1.dll
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\] > -> HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &Google Search -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> &Translate English Word -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Backward Links -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Cached Snapshot of Page -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Similar Pages -> %ProgramFiles%\Google\GoogleToolbar1.dll
YN -> Translate Page into English -> %ProgramFiles%\Google\GoogleToolbar1.dll

Then close other running applications and click the green "Run Fix" button.
The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If you need to reboot, the log file will be placed in the MovedFiles folder in the folder that OTScanIT is running from. It will have a .log extension and a name in the format of mmddyyyy_hhmmss.log. Once you reboot, locate that file, open it with Notepad (not Write or any other text program) and post the contents back here.

Next:

Download Gmer from here:

http://www.gmer.net/gmer.zip

Unzip it to its own folder.
Disconnect from internet (if possible) & shut down Antivirus to prevent conflicts.
Shut down also any other unneeded apps including any open browser windows.
The less we have running, the less chance of false positives in the log.
Double click gmer.exe to run it.
Allow driver to install if asked (gmer.sys)
You may get a warning at program start that there is possible rootkit activity and do you want to run scan.

Say OK to run scan.
If no warning, just click "scan".
Let the scan finish.
Once done press "save"
In the new window that pops up, give the log a name and save it someplace handy.
Press save.

Re-enable your antivirus, re-connect to internet & post that log here

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#13 LynnBR

LynnBR
  • Topic Starter
  • Members
  • 104 posts
  • Gender:Female

Posted 14 August 2008 - 07:46 PM

Alrighty, here are your logs:

[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Google Search\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Translate English Word\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Backward Links\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Similar Pages\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Translate Page into English\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\Software\Microsoft\Internet Explorer\MenuExt\&Google Search\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\Software\Microsoft\Internet Explorer\MenuExt\&Translate English Word\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\Software\Microsoft\Internet Explorer\MenuExt\Backward Links\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\Software\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\Software\Microsoft\Internet Explorer\MenuExt\Similar Pages\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1137\Software\Microsoft\Internet Explorer\MenuExt\Translate Page into English\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\Software\Microsoft\Internet Explorer\MenuExt\&Google Search\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\Software\Microsoft\Internet Explorer\MenuExt\&Translate English Word\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\Software\Microsoft\Internet Explorer\MenuExt\Backward Links\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\Software\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\Software\Microsoft\Internet Explorer\MenuExt\Similar Pages\ not found.
Registry key HKEY_USERS\S-1-5-21-4024902727-2201102040-335047296-1250\Software\Microsoft\Internet Explorer\MenuExt\Translate Page into English\ not found.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08142008_171154

and

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-14 17:41:26
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code 85EFB8F0 ZwDuplicateObject
Code 862C8C88 ZwSetInformationFile
Code 862F06C0 ZwSetSystemInformation
Code 862C8DB8 ZwWriteFile
Code 85EFB8EF NtDuplicateObject
Code 862C8C87 NtSetInformationFile
Code 862C8DB7 NtWriteFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!IoGetBootDiskInformation + 66F 80575817 7 Bytes JMP 862F0594
PAGE ntkrnlpa.exe!NtSetInformationFile 80579EAC 7 Bytes JMP 862C8C8C
PAGE ntkrnlpa.exe!NtWriteFile 8057BD6A 7 Bytes JMP 862C8DBC
PAGE ntkrnlpa.exe!ObCloseHandle + 17 805BB0A5 7 Bytes JMP 862C8EEC
PAGE ntkrnlpa.exe!NtDuplicateObject 805BCA86 7 Bytes JMP 85EFB8F4
PAGE ntkrnlpa.exe!ZwSetSystemInformation 8060DDA8 5 Bytes JMP 862F06C4
PAGE Fastfat.SYS A9F18948 7 Bytes JMP 85EFBA24

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Fastfat \FatCdrom Code 85EFBA20
Device \FileSystem\Fastfat \Fat Code 85EFBA20
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.14 ----

Thanks again...and again...and again!
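The GMER log above lists kernel routines whose first bytes have been overwritten with a JMP into non-image memory. As an added example (my own Python, not code from GMER or from anyone in this thread), the parser below reads the 'Code' and 'Kernel code sections' lines, groups the hooked routines by the 4 KiB page their detour lands in, and cross-references each JMP target with the nearest 'Code' entry, so a reviewer can vet each hooking driver once instead of line by line. The sample log is re-typed from the post above; the page-grouping heuristic is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: 'Code' and hook lines re-typed from the GMER log above.
SAMPLE_LOG = """\
---- System - GMER 1.0.14 ----
Code 85EFB8F0 ZwDuplicateObject
Code 862C8C88 ZwSetInformationFile
Code 862C8DB8 ZwWriteFile
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntkrnlpa.exe!NtSetInformationFile 80579EAC 7 Bytes JMP 862C8C8C
PAGE ntkrnlpa.exe!NtWriteFile 8057BD6A 7 Bytes JMP 862C8DBC
PAGE ntkrnlpa.exe!NtDuplicateObject 805BCA86 7 Bytes JMP 85EFB8F4
PAGE Fastfat.SYS A9F18948 7 Bytes JMP 85EFBA24
"""

CODE_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-F]{8})\s+(?P<name>\S+)$")
HOOK_RE = re.compile(r"^(?P<section>\S+)\s+(?P<symbol>.+?)\s+(?P<addr>[0-9A-F]{8})"
                     r"\s+(?P<size>\d+) Bytes JMP (?P<target>[0-9A-F]{8})$")


def parse_gmer(text):
    """Return ({code address: name}, [hook dicts]) from a GMER log."""
    code_entries, hooks = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := CODE_RE.match(line):
            code_entries[int(m["addr"], 16)] = m["name"]
        elif m := HOOK_RE.match(line):
            hooks.append({"symbol": m["symbol"], "addr": int(m["addr"], 16),
                          "size": int(m["size"]), "target": int(m["target"], 16)})
    return code_entries, hooks


def group_hooks_by_page(hooks, page_shift=12):
    """Group hooked symbols by the 4 KiB page their JMP lands in (assumption:
    hooks sharing a detour page normally belong to one driver, so vet them together)."""
    pages = defaultdict(list)
    for h in hooks:
        pages[h["target"] >> page_shift].append(h["symbol"])
    return dict(pages)


def nearest_code_entry(code_entries, target):
    """Name of the nearest 'Code' entry at or below a JMP target, or None."""
    below = [a for a in code_entries if a <= target]
    return code_entries[max(below)] if below else None
```

The output of group_hooks_by_page is what you compare against the drivers you expect to hook the kernel (here the installed antivirus and the DLA filter), which is also why Blender's next instruction limits the scan to non-Microsoft files.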

#14 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 16 August 2008 - 10:15 PM

Hi,

Thanks for the logs.

Click start> run> type gmer and hit enter.
Gmer starts...
It goes thru a "pre scan"...
Once that is done..
Right click in the open Gmer window> Options.
Checkmark "Only non ms files"
Leave "File version info" checked and the other 3 above unchecked.
Hit "scan"
Save log when done & post it here.
Attach if too long to post please.

Thanks :thumbsup:

#15 LynnBR

LynnBR
  • Topic Starter
  • Members
  • 104 posts
  • Gender:Female

Posted 18 August 2008 - 06:34 PM

The log looked on the long side so I have attached.
Lynn

Attached Files