HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS


Post by westbelfastlad » May 22nd, 2008, 10:48 am

Hi everyone.. I think I may have a virus/trojan on my PC, which I cannot get rid of. System Restore is permanently turned off and I cannot change user on the PC. There are 2 users for my PC, the Administrator & another called Reception1. The PC is currently logged on as Reception1 (which has administrator rights) but I cannot change over to the other user. However, when in Safe Mode, I am able to change users easily. Antivirus finds a Trojan in 2 files called d3drmh.dll & d3dima.dll, both located in the system32 folder. The antivirus software cannot clean, remove or quarantine these files. I've tried to delete/rename them via the CMD prompt but I get "access denied"... Please help!

HijackThis log below -
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:47:22, on 22/05/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Windows\System32\NMSSvc.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15C280AC-5C7A-41CC-841A-A21EDB6E6DA9} - c:\windows\system32\d3drmh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8C70764E-0C5F-4527-81A0-A47CAC0213A1} - C:\WINDOWS\system32\d3dima.dll
O2 - BHO: (no name) - {9B0D498D-35A6-4D49-8B35-B58C8D538201} - c:\windows\system32\d3drmh.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 4882937265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4882912750
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://www.belfastcity.gov.uk/webcam/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D10D723F-9C66-529F-BDED-1866A82E0B52} - http://download.pcsupercharger.com/CabP ... harger.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/syst ... eatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7D4216C-DE13-4491-A56D-C731FCFEC708} (MomentumHelper.Helper) - https://launchpad.landg.com/Fusion/pack ... Helper.CAB
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O20 - Winlogon Notify: gkpzhybm - C:\WINDOWS\SYSTEM32\d3drmh.dll
O20 - Winlogon Notify: ndfioezd - C:\WINDOWS\SYSTEM32\d3drmh.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7096 bytes
westbelfastlad
Regular Member
 
Posts: 18
Joined: May 22nd, 2008, 10:32 am
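The log above contains the three patterns a helper looks at first when a poster reports files that "cannot be deleted" and a broken user switch: BHO entries with no name loading from system32, the same DLL (d3drmh.dll) registered as a BHO under two different CLSIDs, and Winlogon Notify entries with random-looking key names pointing at that same DLL (a Winlogon Notify package is loaded into winlogon.exe, so the file stays in use for the whole session, which fits the "access denied" the poster sees). The script below is an added example, not code from this thread, from HijackThis or from MalwareRemoval.com: it parses O2, O20 and O23 lines and flags those patterns, plus services whose binary is marked "(file missing)". The sample lines are copied from the first log in the thread; the flagging rules are my own triage heuristics and mark candidates for a human to review, not verdicts.

```python
"""Triage of HijackThis O2 / O20 / O23 lines (added example; heuristics are assumptions)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of the O2/O20/O23 lines from the first log in
# this thread (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15C280AC-5C7A-41CC-841A-A21EDB6E6DA9} - c:\windows\system32\d3drmh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8C70764E-0C5F-4527-81A0-A47CAC0213A1} - C:\WINDOWS\system32\d3dima.dll
O2 - BHO: (no name) - {9B0D498D-35A6-4D49-8B35-B58C8D538201} - c:\windows\system32\d3drmh.dll
O20 - Winlogon Notify: gkpzhybm - C:\WINDOWS\SYSTEM32\d3drmh.dll
O20 - Winlogon Notify: ndfioezd - C:\WINDOWS\SYSTEM32\d3drmh.dll
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str                              # "O2", "O20" or "O23"
    path: str                              # path exactly as written in the log line
    reasons: list = field(default_factory=list)


def _norm(path: str) -> str:
    """Case-fold a Windows path so the same file in different case compares equal."""
    return path.strip().lower()


def _stem(path: str) -> str:
    """File name without directory or extension (d3drmh.dll -> d3drmh)."""
    return _norm(path).rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text: str) -> list:
    """Parse the O2/O20/O23 lines and return the entries worth a second look."""
    bhos, notifies, services = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append(m.groupdict())
        elif m := O20_RE.match(line):
            notifies.append(m.groupdict())
        elif m := O23_RE.match(line):
            services.append(m.groupdict())

    findings = []

    # Distinct CLSIDs per BHO DLL: a legitimate helper is registered once, so the
    # same DLL under several CLSIDs is a strong signal (heuristic).
    clsids_per_dll = defaultdict(set)
    for e in bhos:
        clsids_per_dll[_norm(e["path"])].add(e["clsid"].upper())

    flagged_dlls = set()
    for e in bhos:
        reasons = []
        if e["name"].strip().lower() == "(no name)" and "\\system32\\" in _norm(e["path"]):
            reasons.append("unnamed BHO loaded from system32")
        n = len(clsids_per_dll[_norm(e["path"])])
        if n > 1:
            reasons.append(f"same DLL registered under {n} CLSIDs")
        if reasons:
            flagged_dlls.add(_norm(e["path"]))
            findings.append(Finding("O2", e["path"], reasons))

    # Winlogon Notify packages load into winlogon.exe; a DLL that is both a BHO
    # and a notify package runs in two unrelated contexts, which is unusual.
    for e in notifies:
        reasons = []
        if _norm(e["path"]) in flagged_dlls:
            reasons.append("Winlogon Notify DLL is also a flagged BHO")
        key, stem = e["key"].lower(), _stem(e["path"])
        if key not in stem and stem not in key:
            reasons.append("notify key name unrelated to DLL name")  # heuristic, expect some noise
        if reasons:
            findings.append(Finding("O20", e["path"], reasons))

    # A service whose binary is gone is a leftover from an uninstall; harmless,
    # but it clutters later logs and is worth cleaning up.
    for e in services:
        if e["path"].rstrip().endswith("(file missing)"):
            findings.append(Finding("O23", e["path"], ["service binary missing (stale entry)"]))

    return findings


def summarize(findings: list) -> dict:
    """Count findings per line type, e.g. {'O2': 3, 'O20': 2, 'O23': 1}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.path}")
        for r in f.reasons:
            print(f"      - {r}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports six entries: the three unnamed system32 BHO lines (the two d3drmh.dll lines also carry the "2 CLSIDs" reason), both Winlogon Notify lines, and the stale TmPfw service. AcroIEHelper.dll and Spybot's SDHelper.dll (unnamed, but outside system32 and registered once) are left alone, which is the point of combining the rules rather than flagging every "(no name)" entry.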

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Post by MikeSwim07 » May 28th, 2008, 7:16 pm

Hello, and welcome to the Malware Removal forums.
My name is Michael. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please note: All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

Thanks, Michael
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Post by westbelfastlad » May 29th, 2008, 4:30 am

Hi Michael - I'm Kevin and a big Northern Irish thank you for helping me out! Below is the uninstall list you require.

uninstall_list.txt


Abbey Introducer Offline
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 6.0.1
Alliance and Leicester Online Forms
AutoCAD 2006 - English
Autodesk DWF Viewer
Broadband Speed Test - v2.81
CCleaner (remove only)
Coloreal
CutePDF Writer 2.6
DivX Player
Easy Access Button Support
Factfind
Folio Client Database
goal viewer (offline) Trigold Edition
GPL_GhostScript
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
hp LaserJet 1005
ImageMixer VCD/DVD2 for OLYMPUS
INERTIA 2.15
INERTIA 2.18
Intel(R) 845G Chipset Graphics Driver Software
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
Intermediary Mortgages Application
Intranets Desktop Assistant
Java 2 Runtime Environment, SE v1.4.2
Kaspersky Online Scanner
Legal & General Launchpad
LGPSL Launchpad
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server Desktop Engine (LG_LP2)
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Mortgage Trading Exchange
mortgageLink Enterprise Edition
Mozilla Firefox (2.0.0.14)
MSDE
MSVC80_x86
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
NatWest One account illustration
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
Northern Rock Online
Norton AntiVirus Corporate Edition
OLYMPUS Master
Paymentshield INERTIA
PC Connectivity Solution
Prospector AAA
Questionmark Secure Version 4.2.0.0
QuickTime
RealPlayer
SafeGuard Illustration Software
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Select and Protect Quotation
Software Setup
SoundMAX
Spybot - Search & Destroy 1.3
StartMan
The One account calculator
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Windows Defender
Windows Defender Signatures
Windows Driver Package - Nokia Modem (03/05/2008 3.7)
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
ZoneAlarm Security Suite
westbelfastlad
Regular Member
 
Posts: 18
Joined: May 22nd, 2008, 10:32 am

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Post by MikeSwim07 » May 30th, 2008, 6:49 am

Sorry for the delay

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Post by westbelfastlad » May 30th, 2008, 8:02 am

Hi Michael - Thanks for reply.

ComboFix log attached (I had problems installing the Recovery Console, however it is now installed).

ComboFix file attached. Below is the new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:15, on 30/05/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15C280AC-5C7A-41CC-841A-A21EDB6E6DA9} - c:\windows\system32\d3drmh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8C70764E-0C5F-4527-81A0-A47CAC0213A1} - C:\WINDOWS\system32\d3dima.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 4882937265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4882912750
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://www.belfastcity.gov.uk/webcam/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D10D723F-9C66-529F-BDED-1866A82E0B52} - http://download.pcsupercharger.com/CabP ... harger.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/syst ... eatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7D4216C-DE13-4491-A56D-C731FCFEC708} (MomentumHelper.Helper) - https://launchpad.landg.com/Fusion/pack ... Helper.CAB
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O20 - Winlogon Notify: ndfioezd - C:\WINDOWS\SYSTEM32\d3drmh.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6791 bytes

Kevin
westbelfastlad
Regular Member
 
Posts: 18
Joined: May 22nd, 2008, 10:32 am

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Post by MikeSwim07 » May 31st, 2008, 7:36 am

For the future, please post logs directly to the thread, not as an attachment.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


You are using XP Professional Service Pack 2 (SP2), please choose this package to download.

Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.


  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Post by westbelfastlad » June 2nd, 2008, 4:41 am

Michael - new ComboFix & HijackThis logs

ComboFix 08-05-29.1 - Reception1 Admin 2008-06-02 9:13:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.829 [GMT 1:00]
Running from: C:\Documents and Settings\Reception1 Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\d3drmh.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-05-30 10:25 . 2008-05-30 10:25 <DIR> d-------- C:\Program Files\Opera
2008-05-20 10:16 . 2008-05-20 10:16 <DIR> d-------- C:\Documents and Settings\Reception1 Admin\Application Data\Nokia Multimedia Player
2008-05-20 10:12 . 2008-05-23 14:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-20 10:12 . 2008-05-20 10:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-19 12:37 . 2008-05-19 12:37 <DIR> d-------- C:\focus
2008-05-14 11:11 . 2008-05-20 10:28 244 --ah----- C:\sqmnoopt19.sqm
2008-05-14 11:11 . 2008-05-20 10:28 232 --ah----- C:\sqmdata19.sqm
2008-05-13 11:55 . 2008-05-20 10:28 244 --ah----- C:\sqmnoopt18.sqm
2008-05-13 11:55 . 2008-05-20 10:28 232 --ah----- C:\sqmdata18.sqm
2008-05-13 11:53 . 2008-05-20 10:26 244 --ah----- C:\sqmnoopt17.sqm
2008-05-13 11:53 . 2008-05-20 10:26 232 --ah----- C:\sqmdata17.sqm
2008-05-12 09:40 . 2008-05-20 10:25 244 --ah----- C:\sqmnoopt16.sqm
2008-05-12 09:40 . 2008-05-20 10:25 232 --ah----- C:\sqmdata16.sqm
2008-05-08 16:28 . 2008-05-19 17:05 244 --ah----- C:\sqmnoopt15.sqm
2008-05-08 16:28 . 2008-05-19 17:05 232 --ah----- C:\sqmdata15.sqm
2008-05-06 11:13 . 2008-05-19 17:01 244 --ah----- C:\sqmnoopt14.sqm
2008-05-06 11:13 . 2008-05-19 17:01 232 --ah----- C:\sqmdata14.sqm
2008-05-06 11:12 . 2008-05-19 17:00 244 --ah----- C:\sqmnoopt13.sqm
2008-05-06 11:12 . 2008-05-19 17:00 232 --ah----- C:\sqmdata13.sqm
2008-05-02 15:19 . 2008-05-19 14:20 244 --ah----- C:\sqmnoopt12.sqm
2008-05-02 15:19 . 2008-05-19 14:20 232 --ah----- C:\sqmdata12.sqm
2008-05-02 09:15 . 2008-05-19 09:23 244 --ah----- C:\sqmnoopt11.sqm
2008-05-02 09:15 . 2008-05-19 09:23 232 --ah----- C:\sqmdata11.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 08:19 9,085,472 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-02 08:17 122,708 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-30 15:44 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\AdobeUM
2008-05-30 14:41 --------- d-----w C:\Program Files\Folio
2008-05-12 10:37 --------- d-----w C:\Program Files\Northern Rock Online
2008-04-22 08:04 20,608 ----a-w C:\WINDOWS\system32\drivers\ngeeomiz.dat
2008-04-17 14:40 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\MailFrontier
2008-04-17 14:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-17 12:04 59,040 ----a-w C:\Documents and Settings\Reception1 Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-04-17 10:58 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\Nokia
2008-04-17 10:47 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\PC Suite
2008-04-17 10:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-17 10:46 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-17 10:46 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-17 10:36 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-17 10:36 --------- d-----w C:\Program Files\Nokia
2008-04-17 10:36 --------- d-----w C:\Program Files\DIFX
2008-04-17 10:36 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-17 10:36 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-17 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-04-15 15:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 15:14 --------- d-----w C:\Program Files\Trend Micro
2008-04-14 14:22 --------- d-----w C:\Program Files\Intermediary Mortgages
2008-04-14 14:17 --------- d-----w C:\Program Files\Alliance and Leicester Online Forms
2008-04-09 10:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-08 14:27 --------- d-----w C:\Program Files\CCleaner
2008-04-08 11:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\zTrend Micro
2008-04-08 11:19 --------- d-----w C:\Program Files\Google
2008-04-08 11:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 10:42 --------- d-----w C:\Program Files\Sophos
2008-04-04 15:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-04 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-04 15:15 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\Symantec
2008-04-04 11:16 --------- d-----w C:\Program Files\SonicWallES
2008-04-03 15:41 --------- d-----w C:\Program Files\Zone Labs
2008-04-03 15:24 --------- d-----w C:\Program Files\NavNT
2008-04-03 15:23 --------- d-----w C:\Program Files\Symantec
2008-04-03 15:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-04-02 13:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 13:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-18 15:29 60,968 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2008-03-13 22:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-02-07 15:00 59,040 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-10-31 09:22 557,056 ----a-w C:\Documents and Settings\Administrator\chatlnk.exe
2005-11-28 12:39 124 ---ha-w C:\Program Files\AppUpdate.log
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_12.21.16.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 11:12:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 08:18:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-09-19 13:32:26 720,896 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\a3d.dll
+ 2002-08-22 16:57:02 98,752 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\AEAUDIO.sys
+ 2001-09-19 13:47:12 720,896 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\Audio3d.dll
+ 2001-10-03 13:14:04 381,200 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\migrate.dll
+ 2002-08-23 10:13:08 3,744 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\smsens.sys
+ 2002-08-23 13:46:22 549,672 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\smwdm.sys
+ 2001-07-14 16:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2008-05-28 10:59:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-02 08:19:34 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-28 10:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-02 08:19:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-28 10:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-02 08:19:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-30 11:13:12 624,244 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-02 08:22:54 626,904 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-05-30 09:59:04 9,268,695 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-06-02 08:03:45 9,284,942 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-06-02 08:19:40 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_690.dat
+ 2008-06-02 08:19:42 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15C280AC-5C7A-41CC-841A-A21EDB6E6DA9}]
2008-05-30 12:10 86528 --a------ c:\windows\system32\d3drmh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C70764E-0C5F-4527-81A0-A47CAC0213A1}]
2008-03-05 11:44 98048 --a------ C:\WINDOWS\system32\d3dima.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ndfioezd]
d3drmh.dll 2008-05-30 12:10 86528 C:\WINDOWS\system32\d3drmh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDA]
--a------ 2005-04-07 13:32 552960 c:\program files\intranets.com\intranets desktop assistant\INDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
--a------ 2002-02-21 01:40 143360 C:\Program Files\COMPAQ\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-04-03 18:12 777424 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\kav\\kis7.0\\english\\setup.exe"=

R0 miniwenw;miniwenw;C:\WINDOWS\system32\drivers\miniwenw.sys [2004-08-04 13:00]
R2 MSSQL$ABBEYIIOFFLINE;MSSQL$ABBEYIIOFFLINE;C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlservr.exe [2002-12-17 17:26]
R2 MSSQL$LG_LP2;MSSQL$LG_LP2;C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlservr.exe [2002-12-17 18:26]
S2 eqmbflmh;Audio Stub Helper;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
S2 NMSSvc;Intel(R) NMS;C:\Windows\System32\NMSSvc.exe [2002-03-04 23:35]
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 ProcObsrv;Process creation detector.;C:\Program Files\Questionmark\QS\ProcObsrv.sys [2003-08-29 04:00]
S3 SQLAgent$ABBEYIIOFFLINE;SQLAgent$ABBEYIIOFFLINE;C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 SQLAgent$LG_LP2;SQLAgent$LG_LP2;C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 upperdev;upperdev;C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]
S3 UsbserFilt;UsbserFilt;C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eqmbflmh

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 02:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-06-02 08:10:00 C:\WINDOWS\Tasks\Download.job"
- C:\Trigold\Download.exe
"2008-05-30 00:31:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 09:21:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\eqmbflmh]
"ServiceDll"="C:\WINDOWS\system32\d3drmh.old"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Windows\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-02 9:28:38 - machine was rebooted [Reception1 Admin]
ComboFix-quarantined-files.txt 2008-06-02 08:28:29
ComboFix2.txt 2008-05-30 11:22:53

Pre-Run: 23,789,588,480 bytes free
Post-Run: 23,798,755,328 bytes free

209 --- E O F --- 2008-05-14 15:46:27



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:40:04, on 02/06/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15C280AC-5C7A-41CC-841A-A21EDB6E6DA9} - c:\windows\system32\d3drmh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8C70764E-0C5F-4527-81A0-A47CAC0213A1} - C:\WINDOWS\system32\d3dima.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 4882937265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4882912750
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://www.belfastcity.gov.uk/webcam/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D10D723F-9C66-529F-BDED-1866A82E0B52} - http://download.pcsupercharger.com/CabP ... harger.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/syst ... eatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7D4216C-DE13-4491-A56D-C731FCFEC708} (MomentumHelper.Helper) - https://launchpad.landg.com/Fusion/pack ... Helper.CAB
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O20 - Winlogon Notify: ndfioezd - C:\WINDOWS\SYSTEM32\d3drmh.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6694 bytes
westbelfastlad
Regular Member
 
Posts: 18
Joined: May 22nd, 2008, 10:32 am

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Unread postby MikeSwim07 » June 4th, 2008, 7:00 am

Run CFScript

Open Notepad and copy/paste the text in the box into the window:

KILLALL::

File::

C:\WINDOWS\system32\drivers\ngeeomiz.dat
c:\windows\system32\d3drmh.dll
C:\WINDOWS\system32\d3dima.dll
C:\WINDOWS\system32\d3drmh.old

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15C280AC-5C7A-41CC-841A-A21EDB6E6DA9}]


[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C70764E-0C5F-4527-81A0-A47CAC0213A1}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ndfioezd]

[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\eqmbflmh]

Driver::
ngeeomiz
eqmbflmh

NetSvc:
eqmbflmh

DirLook::
C:\focus
C:\Documents and Settings\All Users\Application Data\zTrend Micro




Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

On your next reply, please post this log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Unread postby westbelfastlad » June 4th, 2008, 10:33 am

Michael - log below

ComboFix 08-05-29.1 - Reception1 Admin 2008-06-04 15:06:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.873 [GMT 1:00]
Running from: C:\Documents and Settings\Reception1 Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Reception1 Admin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\d3dima.dll
c:\windows\system32\d3drmh.dll
C:\WINDOWS\system32\d3drmh.old
C:\WINDOWS\system32\drivers\ngeeomiz.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\ngeeomiz.dat
C:\WINDOWS\system32\d3dima.dll . . . . failed to delete
c:\windows\system32\d3drmh.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EQMBFLMH
-------\Service_eqmbflmh


((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-05-30 10:25 . 2008-05-30 10:25 <DIR> d-------- C:\Program Files\Opera
2008-05-20 10:16 . 2008-05-20 10:16 <DIR> d-------- C:\Documents and Settings\Reception1 Admin\Application Data\Nokia Multimedia Player
2008-05-20 10:12 . 2008-06-02 13:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-20 10:12 . 2008-05-20 10:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-19 12:37 . 2008-05-19 12:37 <DIR> d-------- C:\focus
2008-05-14 11:11 . 2008-05-20 10:28 244 --ah----- C:\sqmnoopt19.sqm
2008-05-14 11:11 . 2008-05-20 10:28 232 --ah----- C:\sqmdata19.sqm
2008-05-13 11:55 . 2008-05-20 10:28 244 --ah----- C:\sqmnoopt18.sqm
2008-05-13 11:55 . 2008-05-20 10:28 232 --ah----- C:\sqmdata18.sqm
2008-05-13 11:53 . 2008-05-20 10:26 244 --ah----- C:\sqmnoopt17.sqm
2008-05-13 11:53 . 2008-05-20 10:26 232 --ah----- C:\sqmdata17.sqm
2008-05-12 09:40 . 2008-05-20 10:25 244 --ah----- C:\sqmnoopt16.sqm
2008-05-12 09:40 . 2008-05-20 10:25 232 --ah----- C:\sqmdata16.sqm
2008-05-08 16:28 . 2008-05-19 17:05 244 --ah----- C:\sqmnoopt15.sqm
2008-05-08 16:28 . 2008-05-19 17:05 232 --ah----- C:\sqmdata15.sqm
2008-05-06 11:13 . 2008-05-19 17:01 244 --ah----- C:\sqmnoopt14.sqm
2008-05-06 11:13 . 2008-05-19 17:01 232 --ah----- C:\sqmdata14.sqm
2008-05-06 11:12 . 2008-05-19 17:00 244 --ah----- C:\sqmnoopt13.sqm
2008-05-06 11:12 . 2008-05-19 17:00 232 --ah----- C:\sqmdata13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 14:18 9,578,272 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-04 14:12 129,284 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-04 13:34 --------- d-----w C:\Program Files\Folio
2008-06-04 10:57 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\AdobeUM
2008-05-12 10:37 --------- d-----w C:\Program Files\Northern Rock Online
2008-04-17 14:40 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\MailFrontier
2008-04-17 14:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-17 12:04 59,040 ----a-w C:\Documents and Settings\Reception1 Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-04-17 10:58 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\Nokia
2008-04-17 10:47 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\PC Suite
2008-04-17 10:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-17 10:46 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-17 10:46 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-17 10:36 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-17 10:36 --------- d-----w C:\Program Files\Nokia
2008-04-17 10:36 --------- d-----w C:\Program Files\DIFX
2008-04-17 10:36 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-17 10:36 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-17 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-04-15 15:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 15:14 --------- d-----w C:\Program Files\Trend Micro
2008-04-14 14:22 --------- d-----w C:\Program Files\Intermediary Mortgages
2008-04-14 14:17 --------- d-----w C:\Program Files\Alliance and Leicester Online Forms
2008-04-09 10:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-08 14:27 --------- d-----w C:\Program Files\CCleaner
2008-04-08 11:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\zTrend Micro
2008-04-08 11:19 --------- d-----w C:\Program Files\Google
2008-04-08 11:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 10:42 --------- d-----w C:\Program Files\Sophos
2008-04-04 15:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-04 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-04 15:15 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\Symantec
2008-04-04 11:16 --------- d-----w C:\Program Files\SonicWallES
2008-03-18 15:29 60,968 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2008-03-13 22:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-02-07 15:00 59,040 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-10-31 09:22 557,056 ----a-w C:\Documents and Settings\Administrator\chatlnk.exe
2005-11-28 12:39 124 ---ha-w C:\Program Files\AppUpdate.log
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\zTrend Micro ----

2008-03-31 11:49 0 d-------- C:\Documents and Settings\All Users\Application Data\zTrend Micro\OL\engine\01\

---- Directory of C:\focus ----

2004-05-28 02:02 78 -ra------ C:\focus\Pacs\ReadmePacs.txt


((((((((((((((((((((((((((((( snapshot@2008-05-30_12.21.16.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 11:12:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 14:12:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-09-19 13:32:26 720,896 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\a3d.dll
+ 2002-08-22 16:57:02 98,752 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\AEAUDIO.sys
+ 2001-09-19 13:47:12 720,896 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\Audio3d.dll
+ 2001-10-03 13:14:04 381,200 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\migrate.dll
+ 2002-08-23 10:13:08 3,744 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\smsens.sys
+ 2002-08-23 13:46:22 549,672 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\smwdm.sys
+ 2001-07-14 16:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2008-05-28 10:59:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-04 07:50:16 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-28 10:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-04 07:50:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-28 10:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-04 07:50:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-30 11:13:12 624,244 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-04 14:13:29 630,992 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-05-30 09:59:04 9,268,695 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-06-04 12:58:59 9,337,253 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-06-04 14:13:39 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_628.dat
+ 2008-06-04 14:13:40 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_798.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15C280AC-5C7A-41CC-841A-A21EDB6E6DA9}]
2008-05-30 12:10 86528 --a------ c:\windows\system32\d3drmh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C70764E-0C5F-4527-81A0-A47CAC0213A1}]
2008-03-05 11:44 98048 --a------ C:\WINDOWS\system32\d3dima.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ndfioezd]
d3drmh.dll 2008-05-30 12:10 86528 C:\WINDOWS\system32\d3drmh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDA]
--a------ 2005-04-07 13:32 552960 c:\program files\intranets.com\intranets desktop assistant\INDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
--a------ 2002-02-21 01:40 143360 C:\Program Files\COMPAQ\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-04-03 18:12 777424 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\kav\\kis7.0\\english\\setup.exe"=

R0 miniwenw;miniwenw;C:\WINDOWS\system32\drivers\miniwenw.sys [2004-08-04 13:00]
R2 MSSQL$ABBEYIIOFFLINE;MSSQL$ABBEYIIOFFLINE;C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlservr.exe [2002-12-17 17:26]
R2 MSSQL$LG_LP2;MSSQL$LG_LP2;C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlservr.exe [2002-12-17 18:26]
S2 NMSSvc;Intel(R) NMS;C:\Windows\System32\NMSSvc.exe [2002-03-04 23:35]
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 ProcObsrv;Process creation detector.;C:\Program Files\Questionmark\QS\ProcObsrv.sys [2003-08-29 04:00]
S3 SQLAgent$ABBEYIIOFFLINE;SQLAgent$ABBEYIIOFFLINE;C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 SQLAgent$LG_LP2;SQLAgent$LG_LP2;C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 upperdev;upperdev;C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]
S3 UsbserFilt;UsbserFilt;C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eqmbflmh

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 02:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-06-04 08:10:00 C:\WINDOWS\Tasks\Download.job"
- C:\Trigold\Download.exe
"2008-05-30 00:31:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 15:16:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Windows\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2008-06-04 15:24:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 14:22:52
ComboFix2.txt 2008-06-02 08:28:43
ComboFix3.txt 2008-05-30 11:22:53

Pre-Run: 23,474,085,888 bytes free
Post-Run: 23,617,585,152 bytes free

217 --- E O F --- 2008-05-14 15:46:27
westbelfastlad
Regular Member
 
Posts: 18
Joined: May 22nd, 2008, 10:32 am

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Unread postby MikeSwim07 » June 4th, 2008, 4:19 pm

Please disable the anti-virus component of your ZoneAlarm Security Suite. If you cannot figure out how to do this, please do NOT continue with the rest of the fix.

Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code:
KILLALL::

File::
C:\WINDOWS\system32\d3dima.dll
C:\WINDOWS\system32\d3drmh.dll

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15C280AC-5C7A-41CC-841A-A21EDB6E6DA9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C70764E-0C5F-4527-81A0-A47CAC0213A1}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ndfioezd]

Driver::
eqmbflmh

NetSvc::
eqmbflmh


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

On your next reply, please post this log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Unread postby westbelfastlad » June 5th, 2008, 4:53 am

ComboFix 08-05-29.1 - Reception1 Admin 2008-06-05 9:24:09.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.851 [GMT 1:00]
Running from: C:\Documents and Settings\Reception1 Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Reception1 Admin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\d3dima.dll
C:\WINDOWS\system32\d3drmh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\d3dima.dll . . . . failed to delete
C:\WINDOWS\system32\d3drmh.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-05-30 10:25 . 2008-05-30 10:25 <DIR> d-------- C:\Program Files\Opera
2008-05-20 10:16 . 2008-05-20 10:16 <DIR> d-------- C:\Documents and Settings\Reception1 Admin\Application Data\Nokia Multimedia Player
2008-05-20 10:12 . 2008-06-02 13:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-20 10:12 . 2008-05-20 10:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-19 12:37 . 2008-05-19 12:37 <DIR> d-------- C:\focus
2008-05-14 11:11 . 2008-05-20 10:28 244 --ah----- C:\sqmnoopt19.sqm
2008-05-14 11:11 . 2008-05-20 10:28 232 --ah----- C:\sqmdata19.sqm
2008-05-13 11:55 . 2008-05-20 10:28 244 --ah----- C:\sqmnoopt18.sqm
2008-05-13 11:55 . 2008-05-20 10:28 232 --ah----- C:\sqmdata18.sqm
2008-05-13 11:53 . 2008-05-20 10:26 244 --ah----- C:\sqmnoopt17.sqm
2008-05-13 11:53 . 2008-05-20 10:26 232 --ah----- C:\sqmdata17.sqm
2008-05-12 09:40 . 2008-05-20 10:25 244 --ah----- C:\sqmnoopt16.sqm
2008-05-12 09:40 . 2008-05-20 10:25 232 --ah----- C:\sqmdata16.sqm
2008-05-08 16:28 . 2008-05-19 17:05 244 --ah----- C:\sqmnoopt15.sqm
2008-05-08 16:28 . 2008-05-19 17:05 232 --ah----- C:\sqmdata15.sqm
2008-05-06 11:13 . 2008-05-19 17:01 244 --ah----- C:\sqmnoopt14.sqm
2008-05-06 11:13 . 2008-05-19 17:01 232 --ah----- C:\sqmdata14.sqm
2008-05-06 11:12 . 2008-05-19 17:00 244 --ah----- C:\sqmnoopt13.sqm
2008-05-06 11:12 . 2008-05-19 17:00 232 --ah----- C:\sqmdata13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 08:39 9,669,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-05 08:33 130,508 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-05 07:57 2,010,350 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-04 13:34 --------- d-----w C:\Program Files\Folio
2008-06-04 10:57 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\AdobeUM
2008-05-23 15:49 2,656,256 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-16 06:26 2,166,272 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-12 10:37 --------- d-----w C:\Program Files\Northern Rock Online
2008-04-25 10:57 2,107,392 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-18 08:58 2,042,368 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-17 14:40 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\MailFrontier
2008-04-17 14:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-17 12:04 59,040 ----a-w C:\Documents and Settings\Reception1 Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-04-17 10:58 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\Nokia
2008-04-17 10:47 --------- d-----w C:\Documents and Settings\Reception1 Admin\Application Data\PC Suite
2008-04-17 10:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-17 10:46 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-17 10:46 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-17 10:36 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-17 10:36 --------- d-----w C:\Program Files\Nokia
2008-04-17 10:36 --------- d-----w C:\Program Files\DIFX
2008-04-17 10:36 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-17 10:36 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-17 10:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-04-15 15:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 15:14 --------- d-----w C:\Program Files\Trend Micro
2008-04-14 14:22 --------- d-----w C:\Program Files\Intermediary Mortgages
2008-04-14 14:17 --------- d-----w C:\Program Files\Alliance and Leicester Online Forms
2008-04-09 10:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-08 14:27 --------- d-----w C:\Program Files\CCleaner
2008-04-08 11:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\zTrend Micro
2008-04-08 11:19 --------- d-----w C:\Program Files\Google
2008-04-08 11:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 10:42 --------- d-----w C:\Program Files\Sophos
2008-03-18 15:29 60,968 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2008-03-13 22:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-02-07 15:00 59,040 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-10-31 09:22 557,056 ----a-w C:\Documents and Settings\Administrator\chatlnk.exe
2005-11-28 12:39 124 ---ha-w C:\Program Files\AppUpdate.log
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_12.21.16.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 11:12:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 08:33:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-09-19 13:32:26 720,896 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\a3d.dll
+ 2002-08-22 16:57:02 98,752 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\AEAUDIO.sys
+ 2001-09-19 13:47:12 720,896 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\Audio3d.dll
+ 2001-10-03 13:14:04 381,200 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\migrate.dll
+ 2002-08-23 10:13:08 3,744 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\smsens.sys
+ 2002-08-23 13:46:22 549,672 ----a-w C:\WINDOWS\setupupd\dudrvs\4115762\smwdm.sys
+ 2001-07-14 16:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2008-05-28 10:59:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-05 08:34:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-28 10:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-05 08:34:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-28 10:59:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 08:34:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-13 10:25:07 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-06-05 07:58:52 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2008-05-30 11:13:12 624,244 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-05 08:32:50 631,720 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-05-30 09:59:04 9,268,695 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-06-04 12:58:59 9,337,253 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-06-05 08:34:22 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5d0.dat
+ 2008-06-05 08:34:24 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_634.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15C280AC-5C7A-41CC-841A-A21EDB6E6DA9}]
2008-05-30 12:10 86528 --a------ c:\windows\system32\d3drmh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C70764E-0C5F-4527-81A0-A47CAC0213A1}]
2008-03-05 11:44 98048 --a------ C:\WINDOWS\system32\d3dima.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ndfioezd]
d3drmh.dll 2008-05-30 12:10 86528 C:\WINDOWS\system32\d3drmh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDA]
--a------ 2005-04-07 13:32 552960 c:\program files\intranets.com\intranets desktop assistant\INDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
--a------ 2002-02-21 01:40 143360 C:\Program Files\COMPAQ\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-04-03 18:12 777424 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\kav\\kis7.0\\english\\setup.exe"=

R0 miniwenw;miniwenw;C:\WINDOWS\system32\drivers\miniwenw.sys [2004-08-04 13:00]
R2 MSSQL$ABBEYIIOFFLINE;MSSQL$ABBEYIIOFFLINE;C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlservr.exe [2002-12-17 17:26]
R2 MSSQL$LG_LP2;MSSQL$LG_LP2;C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlservr.exe [2002-12-17 18:26]
R2 NMSSvc;Intel(R) NMS;C:\Windows\System32\NMSSvc.exe [2002-03-04 23:35]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-03-04 23:35]
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 ProcObsrv;Process creation detector.;C:\Program Files\Questionmark\QS\ProcObsrv.sys [2003-08-29 04:00]
S3 SQLAgent$ABBEYIIOFFLINE;SQLAgent$ABBEYIIOFFLINE;C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 SQLAgent$LG_LP2;SQLAgent$LG_LP2;C:\Program Files\Microsoft SQL Server\MSSQL$LG_LP2\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 upperdev;upperdev;C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]
S3 UsbserFilt;UsbserFilt;C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eqmbflmh

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 02:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-06-05 08:10:00 C:\WINDOWS\Tasks\Download.job"
- C:\Trigold\Download.exe
"2008-05-30 00:31:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 09:37:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Windows\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2008-06-05 9:42:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 08:42:11
ComboFix2.txt 2008-06-04 14:24:14
ComboFix3.txt 2008-06-02 08:28:43
ComboFix4.txt 2008-05-30 11:22:53

Pre-Run: 23,572,819,968 bytes free
Post-Run: 23,555,514,368 bytes free

208 --- E O F --- 2008-05-14 15:46:27
westbelfastlad
Regular Member
 
Posts: 18
Joined: May 22nd, 2008, 10:32 am

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Unread postby MikeSwim07 » June 6th, 2008, 6:53 am

Upload a File to Virustotal
Please visit Virustotal
  • Click the Browse... button
  • Navigate to the file C:\WINDOWS\system32\drivers\miniwenw.sys
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Unread postby westbelfastlad » June 6th, 2008, 7:54 am

Antivirus Version Last Update Result
AhnLab-V3 2008.5.30.1 2008.06.05 -
AntiVir 7.8.0.26 2008.06.06 -
Authentium 5.1.0.4 2008.06.06 -
Avast 4.8.1195.0 2008.06.06 -
AVG 7.5.0.516 2008.06.06 -
BitDefender 7.2 2008.06.06 -
CAT-QuickHeal 9.50 2008.06.05 -
ClamAV 0.92.1 2008.06.06 -
DrWeb 4.44.0.09170 2008.06.06 -
eSafe 7.0.15.0 2008.06.05 -
eTrust-Vet 31.6.5853 2008.06.06 -
Ewido 4.0 2008.06.06 -
F-Prot 4.4.4.56 2008.06.05 -
F-Secure 6.70.13260.0 2008.06.06 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.06.06 -
GData 2.0.7306.1023 2008.06.06 -
Ikarus T3.1.1.26.0 2008.06.06 -
Kaspersky 7.0.0.125 2008.06.06 -
McAfee 5311 2008.06.05 -
Microsoft 1.3604 2008.06.06 -
NOD32v2 3163 2008.06.06 -
Norman 5.80.02 2008.06.06 -
Panda 9.0.0.4 2008.06.05 -
Prevx1 V2 2008.06.06 -
Rising 20.47.40.00 2008.06.06 -
Sophos 4.30.0 2008.06.06 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.06 -
TheHacker 6.2.92.337 2008.06.06 -
VBA32 3.12.6.7 2008.06.05 -
VirusBuster 4.3.26:9 2008.06.05 -
Webwasher-Gateway 6.6.2 2008.06.06 -
Additional information
File size: 22016 bytes
MD5...: a8f8452dbf0ca9ac51ec490fd253e5d3
SHA1..: 2ce8c793d179327e115e2a7bf5173f4f39744a27
SHA256: ff2888d9c4ea6e52c240f44c8cbe9a6a4cc4524dba074862df7190a9c7a3501d
SHA512: fc0332d9ae307629f4cfc0a44e36ef09dcc9c89aae617827b583d329541414ff
b3ad52237682eefacc4199d7e554b7f0cd383500fc03854b9f9e228b8017ffdd
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10270
timedatestamp.....: 0x4027d59f (Mon Feb 09 18:46:55 2004)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x270 0x1b10 0x1b10 6.98 4b95f635c755b05674c9ea1148eb6f45
.rdata 0x1d80 0x238 0x240 2.60 095f664a240556581f4df65304e0bcf2
.data 0x1fc0 0x460 0x460 3.51 78e6143e568b6e8a3e492aaac58880f4
.idata 0x2420 0x2ec 0x2f0 4.81 6a0a8f2ab1921754355a34788c04b334
.zgyc 0x2710 0x26f1 0x26f1 7.61 3724c3e42f297f50ba61ef6d1de8c702
.rsrc 0x4e01 0x654 0x660 3.47 6f1d0c5427d64c76aa677c3f80e9a5a1
.reloc 0x5461 0xe90172 0x180 5.94 70bfba50d7322e8d93b11cf14e574dfe

( 3 imports )
> STREAM.SYS: StreamClassDeviceNotification, StreamClassStreamNotification, StreamClassRegisterAdapter
> NTOSKRNL.EXE: ExAllocatePoolWithTag, IoCreateSymbolicLink, IofCompleteRequest, PoStartNextPowerIrp, InterlockedExchange, RtlInitUnicodeString, ZwSetValueKey, ZwClose, ZwOpenKey, IoOpenDeviceRegistryKey, strchr, RtlUnicodeStringToAnsiString, RtlInitAnsiString, wcsncmp, ZwCreateKey, ExFreePool, ZwQueryValueKey
> HAL.DLL: KeQueryPerformanceCounter

( 0 exports )

packers (Kaspersky): PE_Patch


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
westbelfastlad
Regular Member
 
Posts: 18
Joined: May 22nd, 2008, 10:32 am
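Added example (not part of this thread, and not ComboFix's or VirusTotal's code): the section table VirusTotal printed above is the part of that report worth reading closely for any driver pulled off a suspect machine. The Python below parses PE section headers the same way, computes each section's Shannon entropy, and flags a section when its name is not one a normal linker emits, its entropy is above 7.0 (the .zgyc section above scored 7.61), its VirtualSize dwarfs its raw size on disk (compare .reloc above: 0xe90172 virtual against 0x180 raw), or it is mapped read-write-execute. It runs offline on a minimal PE32 image it constructs itself; the entropy threshold, the 16x size ratio and the list of "standard" section names are assumptions to tune, not values taken from the page.

```python
# Triage the section table of a PE file (driver, DLL, EXE) for signs of packing or
# patching. Added example for this thread; the sample PE below is constructed, not real.
import hashlib
import math
import struct

# Assumption: names a normal MSVC/DDK link would emit. Anything else gets a closer look.
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                          ".reloc", ".bss", ".pdata", ".tls", "INIT", "PAGE"}
RWX = 0xE0000000  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe):
    """Return [(name, virtual_size, virtual_addr, raw_size, raw_ptr, characteristics)]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER follows "PE\0\0"
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size               # section table follows the optional header
    out = []
    for i in range(nsections):
        off = table + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, rptr, chars))
    return out

def triage_sections(pe, entropy_threshold=7.0):
    """Return [(section_name, [reason, ...])] for sections that deserve a second look."""
    findings = []
    for name, vsize, vaddr, rsize, rptr, chars in parse_sections(pe):
        reasons = []
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        if name not in STANDARD_SECTION_NAMES:
            reasons.append("non-standard section name")
        if ent > entropy_threshold:
            reasons.append("entropy %.2f suggests packed or encrypted content" % ent)
        if rsize and vsize > 16 * rsize:       # .bss-style sections (raw size 0) are skipped
            reasons.append("VirtualSize 0x%x far exceeds raw size 0x%x" % (vsize, rsize))
        if chars & RWX == RWX:
            reasons.append("section is mapped read-write-execute")
        if reasons:
            findings.append((name, reasons))
    return findings

def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

def build_sample_pe(sections):
    """Build a minimal PE32 image from [(name, raw_bytes, virtual_size, characteristics)]."""
    e_lfanew, opt_size, align = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_ptr = (headers_len + align - 1) // align * align
    table, blobs, vaddr = b"", b"", 0x1000
    for name, raw, vsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(raw),
                             raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += raw + b"\0" * (-len(raw) % align)
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    header = dos + b"PE\0\0" + coff + opt + table
    return header + b"\0" * (raw_ptr - len(header)) + blobs

# Constructed sample shaped like the VirusTotal listing above: a normal .text, a
# high-entropy RWX section with a made-up name, and a .reloc whose VirtualSize is
# absurd compared with what is on disk.
SAMPLE_PE = build_sample_pe([
    (".text", bytes(range(16)) * 64, 1024, 0x60000020),
    (".zgyc", pseudo_random(4096), 4096, 0xE0000020),
    (".reloc", b"\x01\x02" * 0xC0, 0xE90172, 0x42000040),
])

if __name__ == "__main__":
    for name, reasons in triage_sections(SAMPLE_PE):
        print(name, "->", "; ".join(reasons))
```

Point it at a real file with `triage_sections(open(path, "rb").read())`. A hit on any one heuristic is not proof of malice (legitimate protectors also produce high-entropy, oddly named sections), but a kernel driver with a random-looking section name, near-8.0 entropy and a packer verdict, as in the VirusTotal output above, is exactly the combination that justifies pulling the file for closer analysis.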

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Unread postby MikeSwim07 » June 6th, 2008, 5:03 pm

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
regedit.exe /e C:\reglook.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
notepad C:\reglook.txt


Click on File > Save As....

In the File Name box, copy and paste in reglook.bat

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on reglook.bat to run it. Command Prompt will open, followed by Notepad shortly afterwards. Please post the contents of this Notepad file in your next reply.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: HELP NEEDED - SYSTEM RESTORE & CHANGE USER PROBLEMS

Unread postby westbelfastlad » June 9th, 2008, 3:59 am

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
"NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
00,00
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,65,00,71,00,6d,00,62,00,66,00,\
6c,00,6d,00,68,00,00,00,43,00,72,00,79,00,70,00,74,00,53,00,76,00,63,00,00,\
00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,00,44,00,48,00,43,00,\
50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,76,00,65,00,6e,00,74,\
00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,00,73,00,74,00,55,00,\
73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,69,00,6e,00,67,00,43,\
00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,00,69,00,74,00,79,00,\
00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,49,00,61,00,73,00,00,\
00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,00,6f,00,6e,00,00,00,\
4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,6b,00,73,00,74,00,\
61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,73,00,65,00,6e,00,67,\
00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,4e,00,6c,00,\
61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,00,00,4e,00,57,00,43,\
00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,\
4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,52,00,61,\
00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,00,6d,00,61,00,6e,00,\
00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,63,00,65,00,73,00,73,\
00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,00,00,00,53,00,65,00,\
63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,4e,00,53,00,00,00,53,\
00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,00,73,00,73,00,00,00,\
53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,54,00,61,00,70,\
00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,00,65,00,73,00,00,00,\
54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,32,00,54,00,69,00,6d,\
00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,00,57,00,6d,00,69,00,\
00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,00,00,77,00,69,00,6e,\
00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,00,76,00,63,00,00,00,\
78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,42,00,49,00,54,00,53,00,00,\
00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,00,53,00,68,00,65,00,\
6c,00,6c,00,48,00,57,00,44,00,65,00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,\
00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
"termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
65,00,00,00,00,00
"HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
00,00,00,00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
00,00,00,00
"WudfServiceGroup"=hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,\
00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00002000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00003020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]
"CoInitializeSecurityParam"=dword:00000002
"AuthenticationCapabilities"=dword:00000040

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008
westbelfastlad
Regular Member
 
Posts: 18
Joined: May 22nd, 2008, 10:32 am
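Added example (not part of this thread, and not the helper's or ComboFix's code): reading the hex(7) blob in the export above by eye is slow, so the Python below does what the reglook.bat procedure leaves to the reader. It parses a "regedit /e" export, joins the backslash-continued lines, decodes the REG_MULTI_SZ netsvcs value into its UTF-16LE names, and prints any name missing from a baseline of the stock XP SP2 netsvcs group. Decoded, the export above is that stock list plus eqmbflmh, the same name ComboFix listed under NetSvcs. The sample export is a trimmed, constructed one in the same format; the baseline set is an assumption and should be regenerated from a known-clean machine of the same build.

```python
# Decode the netsvcs REG_MULTI_SZ out of a "regedit /e" export and list the names
# that do not belong to the stock XP SP2 svchost group. Added example for this thread.
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"

# Assumption: the netsvcs group of a clean XP SP2 install. Rebuild this from a
# known-good machine of the same build rather than trusting it blindly.
XP_SP2_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP", "ERSvc",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias", "Iprip", "Irmon",
    "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
    "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess", "Schedule",
    "Seclogon", "SENS", "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks",
    "W32Time", "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
    "wuauserv", "ShellHWDetection", "helpsvc",
}

# Constructed sample: a trimmed export in the same shape as the one posted above
# (hex(7) data continued over several lines with a trailing backslash).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
  6d,00,74,00,00,00,65,00,71,00,6d,00,62,00,66,00,6c,00,6d,00,68,00,00,00,42,\
  00,49,00,54,00,53,00,00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data_string}} for a .reg export.
    Lines ending in a backslash are continuations and are joined first."""
    values, current_key, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                       # inside a continued value
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                values[current_key][name] = data
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            values[current_key] = {}
        elif line.startswith('"') and "=" in line and current_key is not None:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if line.endswith("\\"):
                pending = (name, data.rstrip("\\"))
            else:
                values[current_key][name] = data
    return values

def decode_multi_sz(data):
    """Turn 'hex(7):41,00,...' into the list of UTF-16LE strings it encodes."""
    if not data.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value: %r" % data[:16])
    raw = bytes(int(b, 16) for b in data[len("hex(7):"):].split(",") if b)
    # REG_MULTI_SZ is a run of NUL-terminated strings ended by an empty string.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def unknown_netsvcs(reg_text, baseline=XP_SP2_NETSVCS):
    """Names in the exported netsvcs list that are not in the baseline."""
    names = decode_multi_sz(parse_reg_export(reg_text)[SVCHOST_KEY]["netsvcs"])
    return [n for n in names if n not in baseline]

if __name__ == "__main__":
    print("netsvcs entries not in baseline:", unknown_netsvcs(SAMPLE_REG))
```

Run it against the real export with `unknown_netsvcs(open(r"C:\reglook.txt", encoding="utf-16").read())` (regedit writes its exports as UTF-16). For each name it reports, the next thing to read on the live machine is the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, which names the DLL svchost.exe loads for that entry.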