Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Program Files is not accessible. Access is denied. [RESOLVED]


  • This topic is locked This topic is locked

#1
spherimorph

spherimorph

    Member

  • Member
  • PipPip
  • 12 posts
I have administrative rights on my computer, yet I'm somehow unable to access my Program Files. Only my account appears to have this problem as my other admin accounts can view the folder without any problems. I've scanned my computer for viruses and spyware with Zone Alarm and AVG, but the problem persists.

My HJT log is as follows. Any help would be greatly appreciated :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:07 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Documents and Settings\Kevin\Desktop\HiJackThis!\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-842925246-2049760794-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Gordon')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1168892544827
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168989954171
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c004C2D.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6534 bytes
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O20 - AppInit_DLLs: C:\WINDOWS\system32\__c004C2D.dat

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\__c004C2D.dat

Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

  • 0

#3
spherimorph

spherimorph

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Malwarebytes' Anti-Malware 1.11
Database version: 690

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 205101
Time elapsed: 4 hour(s), 52 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f06e2abe-3a50-4079-be25-fc100d9eaa25} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FMTR (Rogue.Multiple) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Gordon Zhang\Application Data\antispywaresuite (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Application Data\antispywaresuite\Logs (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Start Menu\Programs\VirusProtectPro 3.7 (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Gordon Zhang\Application Data\antispywaresuite\avtasks.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Application Data\antispywaresuite\Logs\av.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Application Data\antispywaresuite\Logs\ga6Support.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Application Data\antispywaresuite\Logs\update.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Start Menu\Programs\VirusProtectPro 3.7\Uninstall VirusProtectPro 3.7.lnk (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Start Menu\Programs\VirusProtectPro 3.7\VirusProtectPro 3.7 Website.lnk (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Start Menu\Programs\VirusProtectPro 3.7\VirusProtectPro 3.7.lnk (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusProtectPro 3.7.lnk (Rogue.VirusProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Start Menu\VirusProtectPro 3.7.lnk (Rogue.VirusProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Zhang\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.




-----------------------------------------------------------------------




ComboFix 08-04-27.3 - Kevin 2008-04-28 15:09:31.1 - NTFSx86
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\WWXP6ISG\cnsminex_empty[1].htm
C:\Documents and Settings\Kevin\ResErrors.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FMTR


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 13:59 . 2008-04-27 13:59 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
2008-04-27 13:58 . 2008-04-27 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-16 17:09 . 2008-04-28 14:35 1,430 --a--c--- C:\rollback.ini
2008-04-13 03:38 . 2008-04-13 03:38 268 --ah-c--- C:\sqmdata19.sqm
2008-04-13 03:38 . 2008-04-13 03:38 244 --ah-c--- C:\sqmnoopt19.sqm
2008-04-13 01:59 . 2008-04-13 01:59 268 --ah-c--- C:\sqmdata18.sqm
2008-04-13 01:59 . 2008-04-13 01:59 244 --ah-c--- C:\sqmnoopt18.sqm
2008-04-12 19:16 . 2008-04-12 19:16 268 --ah-c--- C:\sqmdata17.sqm
2008-04-12 19:16 . 2008-04-12 19:16 244 --ah-c--- C:\sqmnoopt17.sqm
2008-04-12 18:45 . 2008-04-12 18:45 <DIR> d-------- C:\Documents and Settings\Gordon\Application Data\TaxCut
2008-04-12 18:38 . 2008-04-12 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-04-09 03:59 . 2008-04-09 03:59 268 --ah-c--- C:\sqmdata16.sqm
2008-04-09 03:59 . 2008-04-09 03:59 244 --ah-c--- C:\sqmnoopt16.sqm
2008-04-06 02:10 . 2008-04-06 02:10 244 --ah-c--- C:\sqmnoopt15.sqm
2008-04-06 02:10 . 2008-04-06 02:10 232 --ah-c--- C:\sqmdata15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 22:56 13,814,560 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-28 22:50 186,020 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-28 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-26 23:20 2,442,240 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-04-26 05:03 --------- d-----w C:\Documents and Settings\Kevin\Application Data\AVG7
2008-04-24 21:33 --------- d-----w C:\Documents and Settings\Kevin\Application Data\uTorrent
2008-04-24 10:22 3,493,376 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-04-14 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-23 03:16 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Viewpoint
2008-03-23 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-14 21:18 13,136,625 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-03-14 06:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-05 11:52 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Free Download Manager
2008-03-03 22:50 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-08 11:26 2,808,320 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-02-08 11:26 2,615,296 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-02-07 11:47 2,812,928 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-02-07 11:47 2,612,736 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
1601-01-01 00:00 0 ------w C:\Program Files\
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 06:54 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-07-20 22:07 7110656]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-12 16:35 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 15:59 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-04-25 09:38 579584 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-24 18:20 1266936 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-12 16:35 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-10-03 17:31 3256320 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\spherimorph\\condition zero\\hl.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Steam\\steamapps\\spherimorph\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\darkfl4m3\\counter-strike\\hl.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Eclipse\\eclipse.exe"=
"C:\\Program Files\\Eclipse\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Sierra\\Empire Earth II\\EE2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 15:36]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 06:28]
S3 geebers12;geebers12;C:\Documents and Settings\Lisa\Desktop\Daniel\Buffy Engine\nvid888.sys []
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\KEVINZ~1\LOCALS~1\Temp\iMSPCLOj.sys []
S3 Kaspersky1;Kaspersky1;C:\Documents and Settings\Kevin\Desktop\Hacks\MapleStory\Kapersky\Kaspersky.sys []
S4 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-10-12 09:34]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-27 23:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 15:54:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
.
**************************************************************************
.
Completion time: 2008-04-28 16:04:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 23:04:31

Pre-Run: 2,028,834,816 bytes free
Post-Run: 3,598,225,408 bytes free

165 --- E O F --- 2008-04-09 10:10:52

Edited by spherimorph, 28 April 2008 - 05:18 PM.

  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Uninstall Viewpoint via the Add/Remove Programs panel.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
iMSPCLOj
geebers12
Kaspersky1
File::
C:\WINDOWS\Internet Logs\xDB1C.tmp
C:\WINDOWS\Internet Logs\xDB1B.tmp
C:\WINDOWS\Internet Logs\tvDebug.zip
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB1A.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
Folder::
C:\Documents and Settings\Kevin\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0

#5
spherimorph

spherimorph

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ComboFix 08-04-27.3 - Kevin 2008-05-01 0:16:45.2 - NTFSx86
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Internet Logs\tvDebug.zip
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB1A.tmp
C:\WINDOWS\Internet Logs\xDB1B.tmp
C:\WINDOWS\Internet Logs\xDB1C.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\WINDOWS\Internet Logs\tvDebug.zip
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB1A.tmp
C:\WINDOWS\Internet Logs\xDB1B.tmp
C:\WINDOWS\Internet Logs\xDB1C.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GEEBERS12
-------\Legacy_IMSPCLOJ
-------\Legacy_KASPERSKY1
-------\Service_geebers12
-------\Service_iMSPCLOj
-------\Service_Kaspersky1


((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-29 16:34 . 2008-04-29 16:34 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\AVS4YOU
2008-04-29 16:33 . 2008-04-29 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-29 16:28 . 2008-04-29 17:26 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-27 13:59 . 2008-04-27 13:59 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
2008-04-27 13:58 . 2008-04-27 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-16 17:09 . 2008-04-30 23:05 959 --a--c--- C:\rollback.ini
2008-04-13 03:38 . 2008-04-13 03:38 268 --ah-c--- C:\sqmdata19.sqm
2008-04-13 03:38 . 2008-04-13 03:38 244 --ah-c--- C:\sqmnoopt19.sqm
2008-04-13 01:59 . 2008-04-13 01:59 268 --ah-c--- C:\sqmdata18.sqm
2008-04-13 01:59 . 2008-04-13 01:59 244 --ah-c--- C:\sqmnoopt18.sqm
2008-04-12 19:16 . 2008-04-12 19:16 268 --ah-c--- C:\sqmdata17.sqm
2008-04-12 19:16 . 2008-04-12 19:16 244 --ah-c--- C:\sqmnoopt17.sqm
2008-04-12 18:45 . 2008-04-12 18:45 <DIR> d-------- C:\Documents and Settings\Gordon\Application Data\TaxCut
2008-04-12 18:38 . 2008-04-12 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-04-09 03:59 . 2008-04-09 03:59 268 --ah-c--- C:\sqmdata16.sqm
2008-04-09 03:59 . 2008-04-09 03:59 244 --ah-c--- C:\sqmnoopt16.sqm
2008-04-06 02:10 . 2008-04-06 02:10 244 --ah-c--- C:\sqmnoopt15.sqm
2008-04-06 02:10 . 2008-04-06 02:10 232 --ah-c--- C:\sqmdata15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 07:38 14,081,568 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-01 07:30 189,620 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-30 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-29 23:08 2,793,472 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-04-29 23:08 1,796,608 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-04-29 22:53 2,792,960 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-04-26 05:03 --------- d-----w C:\Documents and Settings\Kevin\Application Data\AVG7
2008-04-24 21:33 --------- d-----w C:\Documents and Settings\Kevin\Application Data\uTorrent
2008-04-14 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-13 02:13 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-04-13 02:13 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-03-23 03:16 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Viewpoint
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 06:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-14 06:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-05 11:52 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Free Download Manager
2008-03-03 22:50 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
1601-01-01 00:00 0 ------w C:\Program Files\
.

((((((((((((((((((((((((((((( [email protected]_16.03.41.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 22:52:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 07:33:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-02-28 02:36:08 638,976 ----a-w C:\WINDOWS\system32\divx.dll
- 2008-04-13 02:18:55 240,736 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-30 14:17:40 241,536 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-02-28 02:36:14 1,700,352 ----a-w C:\WINDOWS\system32\GdiPlus.dll
+ 2007-02-28 02:36:08 261,632 ----a-w C:\WINDOWS\system32\mcdvd_32.dll
+ 2007-02-28 02:36:14 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
+ 2007-02-28 02:36:08 413,760 ----a-w C:\WINDOWS\system32\mpg4c32.dll
+ 2007-02-28 02:36:14 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
+ 2007-02-28 02:36:14 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
- 2001-03-09 02:30:00 24,064 ----a-w C:\WINDOWS\system32\msxml3a.dll
+ 2007-02-28 02:36:12 24,576 ----a-w C:\WINDOWS\system32\msxml3a.dll
- 2006-11-01 22:52:38 765,952 ----a-w C:\WINDOWS\system32\xvidcore.dll
+ 2007-02-28 02:36:08 524,288 ----a-w C:\WINDOWS\system32\xvidcore.dll
- 2006-11-01 22:54:30 180,224 ----a-w C:\WINDOWS\system32\xvidvfw.dll
+ 2007-02-28 02:36:08 139,264 ----a-w C:\WINDOWS\system32\xvidvfw.dll
- 2008-04-28 21:24:13 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-04-28 23:14:52 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2008-04-28 21:36:04 566,060 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-05-01 06:05:44 575,076 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-04-25 15:07:26 8,849,255 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-04-30 23:24:52 8,900,532 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2008-04-28 22:09:45 4,096 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-05-01 07:17:28 5,632 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2006-12-02 07:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 07:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 07:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 07:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 07:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 07:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 07:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 07:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 07:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 07:46:44 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 06:54 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-07-20 22:07 7110656]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-12 16:35 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 15:59 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-04-25 09:38 579584 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-24 18:20 1266936 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-12 16:35 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-10-03 17:31 3256320 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\spherimorph\\condition zero\\hl.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Steam\\steamapps\\spherimorph\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\darkfl4m3\\counter-strike\\hl.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Eclipse\\eclipse.exe"=
"C:\\Program Files\\Eclipse\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Sierra\\Empire Earth II\\EE2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 15:36]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 06:28]
S4 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-10-12 09:34]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-27 23:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 00:35:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-01 0:44:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 07:44:21
ComboFix2.txt 2008-04-28 23:04:59

Pre-Run: 6,074,224,640 bytes free
Post-Run: 6,137,421,824 bytes free

230 --- E O F --- 2008-04-09 10:10:52






I'm still unable to access my Program Files folder :)
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
See the below two links to see if they help:

Castlecops - Take Ownership
TechSupportForum
  • 0

#7
spherimorph

spherimorph

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Turns out I didn't have full control enabled on this particular account. The second link helped; the problem's fixed now.

Thanks a lot for your time. I really appreciate it.

Edited by spherimorph, 01 May 2008 - 09:21 PM.

  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. Glad it's resolved now.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP