extmgr32.dll problem

I inadvertently installed a virus because Windows Media Player asked me to download an mp3 codec and I accepted, expecting that if it was a virus Norton would catch it. It mainly seems to affect Internet Explorer. When I open it, it will open two windows with various ads ranging from adware removers to a porn site once; it seems to like search engines mainly. I have three users though, and it seems that the first user to log in gets the previously mentioned symptoms. Any other user that logs on has Internet Explorer lock up on them on start up.

I have gone through the "Read me first" thread, so I will post what all I have done:

ran ATF-Cleaner
went through Add and Remove Programs
ran Windows Malicious Software Removal Tool
downloaded and ran Malwarebytes' Anti-Malware
ran the ESET Online Scanner

MBA-M found quite a few things but didn't find the root of the problem; everything keeps coming back. Windows Malicious Software Removal Tool didn't find anything. The ESET scanner would be what I say is the best, it finds everything, but when I look at the log it doesn't delete or clean everything successfully. One file bugs me, extmgr32.dll, and I don't know how to delete it because it says access denied. I went to c:\windows\system32\ and changed the name to extm.dll and something created another extmgr32.dll. I can delete the new extmgr32.dll but every time I do a new one appears. The extm.dll I can't delete.

I attached all the logs that I have, that I know where they are. I have an ESET log, a HijackThis log and three MBA-M logs, two showing dirty and one showing clean. If anyone wants my Norton log and knows where it's at I'll get that for them. Also I have run Windows Defender with nothing found. I searched extmgr32.dll on ask.com and found an antivirus site called Prevx CSI; I downloaded their free trial and it found extmgr32.dll as a problem but you have to buy a license to clean it. I figure there's a good chance it will only clean it as good as ESET, which after multiple boots and multiple scans has yet to successfully delete the main problem. Please and thanks for any help you can give me.
Re: extmgr32.dll problem

Hi, welcome to DaniWeb. I am presently going through your logs and will post back ASAP. A request, however: next time don't attach logs but copy and paste them into the post.

Judy
Re: extmgr32.dll problem

Ok, several things I see here in the logs.

#1 the ESET scanner clearly says this in the log created at 6:01
Quote:

The first MBA-M scan was done at 7:09 and found and removed all those Adware.MyWebSearch; this was a Quick Scan, not a full scan. The second MBA-M run was at 7:31 and nothing was found. The third MBA-M scan was done at 8:25, was a full scan and DID again find Adware.MyWebSearch, BUT what this tells me is that this scan was done AFTER a reboot, because all of these were found in your System Restore, so they were of no harm unless you had used that restore point to do a system restore, and I know you didn't. MBA-M then removed those items from System Restore, so they should be gone now. The restore point was made when MBA-M first removed the Adware.MyWebSearch but didn't show up until you did a reboot. It is quite common for this to happen; it is a change to specific files, so Windows automatically backs those up in case they are needed.

You need to go in and UNINSTALL that Prevx CSI. It may have found something but its website clearly says
Quote:

I would like you to try the following AFTER uninstalling the Prevx CSI program.

Make sure that Windows Defender is TURNED OFF. Leave it off; the same goes for Diskeeper. There is no reason this program needs to be running at start up or running all the time. It can be run manually.

Update MBA-M; there have been two database updates since you last updated. It is now database version 1401, your database version shows as 1399.

Reboot the computer in Safe Mode.

Run MBA-M again, Full System Scan. Let's see if it will pick up more items. Let it fix everything it finds. Reboot if it is necessary for cleaning.

After rebooting run a new HJT scan and place a check mark next to the following entries if they still exist.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Morpheus Premium\Plugins\RazaWebHook.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\extmgr32.dll
O20 - Winlogon Notify: 10f6fd16502 - C:\WINDOWS\System32\extmgr32.dll

Once you have placed the check marks then click the Fix Checked button. Exit HJT. Reboot.

Run a new scan with HJT and post back with THAT log and also the MBA-M log, and please only run MBA-M once as instructed.
Re: extmgr32.dll problem

Yes, I did reboot after that scan. I have scanned with updated MBA-M and it found nothing. Logs posted below. Thanks.

Malwarebytes' Anti-Malware 1.30
Database version: 1401
Windows 5.1.2600 Service Pack 3

11/16/2008 3:13:49 AM
mbam-log-2008-11-16 (03-13-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 151992
Time elapsed: 52 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:16 AM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\All Users\Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSC...ws-i586-jc.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\extmgr32.dll
O20 - Winlogon Notify: 10f6fd16502 - C:\WINDOWS\System32\extmgr32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7197 bytes
Re: extmgr32.dll problem

Well, I see that the two extmgr32.dll entries are still in the log. So do the following. Please read these instructions carefully and follow them exactly.

Download ComboFix. Click on the Save button and then, when it asks you where to save it, make sure you save it directly to your Windows Desktop.

Do NOT open any unnecessary programs at this time. If you have IM programs which open automatically when booting, please close them completely. Make sure all browsers are closed completely.

Double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When you double-click this ComboFix icon you may receive a warning note asking if you are sure you want to run the program. This is because ComboFix doesn't have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

ComboFix will then show a screen stating it is preparing to run, ending with a disclaimer screen. You must accept this disclaimer by pressing "1". Then ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then back up your Windows Registry.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report. This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically. Save this log to the desktop so that you can find it easily.

Post back here with a copy/paste of that log.
Re: extmgr32.dll problem

Ran ComboFix as you said; it wanted me to download some system restore manager or something like that, so I let it do that. Also when it was done there was a new Internet Explorer icon on my desktop. Should I use the new one or the old one? Here is the ComboFix log.

ComboFix 08-11-14.01 - Richard Fedie 2008-11-16 13:12:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2843 [GMT -6:00]
Running from: c:\documents and settings\Richard Fedie\My Documents\antivirus\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Diana\Application Data\FunWebProducts
c:\windows\system32\1.tmp
c:\windows\system32\2.tmp
c:\windows\system32\3.tmp
c:\windows\system32\6.tmp
.
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.
2008-11-16 02:18 . 2008-11-16 02:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-16 02:17 . 2008-11-16 02:17 <DIR> d-------- c:\documents and settings\Administrator
2008-11-15 19:00 . 2008-11-16 01:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-15 16:17 . 2008-11-15 16:40 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-14 21:16 . 2008-11-14 21:16 <DIR> d-------- c:\documents and settings\Diana\Application Data\Malwarebytes
2008-11-14 20:38 . 2008-11-14 20:38 <DIR> d-------- c:\documents and settings\Scott\Application Data\Malwarebytes
2008-11-14 19:02 . 2008-11-14 19:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-14 19:02 . 2008-11-14 19:02 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Malwarebytes
2008-11-14 19:02 . 2008-11-14 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-14 19:02 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-14 19:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 23:29 . 2008-11-13 23:29 <DIR> d-------- c:\program files\Windows Defender
2008-11-13 21:59 . 2008-11-13 22:07 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-13 21:59 . 2008-11-13 22:07 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-13 21:50 . 2008-04-14 06:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-13 19:50 . 2008-11-13 19:50 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\ErrorSmart
2008-11-13 18:46 . 2008-11-15 20:52 8,269 --a------ c:\windows\GnuHashes.ini
2008-11-13 18:36 . 2008-11-15 20:44 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest
2008-11-13 18:36 . 2008-11-15 20:28 135,168 --a------ c:\windows\system32\extmgr32.dll
2008-11-13 18:36 . 2008-11-15 20:44 1,848 --ahs---- c:\windows\system32\GroupPolicy000.dat
2008-11-11 18:12 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-08 11:36 . 2008-11-08 11:36 <DIR> d-------- c:\program files\Common Files\SWF Studio
2008-11-04 18:27 . 2008-11-04 18:27 0 --a------ c:\windows\PowerReg.dat
2008-11-04 18:21 . 2008-11-04 18:21 <DIR> d-------- c:\program files\Infogrames Interactive
2008-11-02 16:58 . 2008-11-02 16:58 <DIR> d-------- c:\documents and settings\Diana\Application Data\HP
2008-11-02 02:11 . 2008-11-05 21:41 <DIR> d-------- C:\CreatePhotoCalendars
2008-11-01 22:51 . 2008-11-01 22:51 <DIR> d-------- c:\program files\Nova Development
2008-11-01 22:51 . 2008-11-01 22:51 <DIR> d-------- c:\program files\Common Files\Nova Development
2008-10-30 11:42 . 2008-10-30 11:42 <DIR> d-------- c:\windows\Sun
2008-10-30 11:41 . 2008-10-30 11:41 <DIR> d-------- c:\program files\Java
2008-10-30 11:41 . 2008-11-03 23:23 <DIR> d-------- c:\program files\Google
2008-10-30 11:41 . 2008-10-30 11:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-30 11:41 . 2008-10-30 11:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-28 17:09 . 2008-10-28 17:09 0 --a------ c:\windows\system32\sam.ini
2008-10-28 14:25 . 2008-10-28 19:12 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-10-28 12:19 . 2008-10-28 12:19 <DIR> d-------- c:\documents and settings\Scott\Application Data\Atari
2008-10-28 12:08 . 2008-10-28 12:08 <DIR> d-------- c:\documents and settings\Scott\Application Data\DivX
2008-10-26 20:48 . 2008-10-26 20:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SimCity Societies
2008-10-26 19:30 . 2008-10-26 19:30 <DIR> d-------- c:\documents and settings\Scott\Application Data\Yahoo!
2008-10-26 18:59 . 2008-10-26 18:59 <DIR> d-------- c:\documents and settings\Diana\Application Data\Yahoo!
2008-10-26 18:19 . 2008-10-26 18:19 <DIR> d-------- c:\program files\Electronic Arts
2008-10-26 18:08 . 2008-10-26 18:08 <DIR> d-------- c:\program files\Rockstar Games
2008-10-26 18:05 . 2008-10-26 18:05 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Yahoo!
2008-10-26 17:59 . 2008-11-04 07:44 <DIR> d-------- c:\program files\Yahoo!
2008-10-26 17:59 . 2008-10-27 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-26 17:56 . 2008-10-26 17:56 <DIR> d-------- c:\program files\Yahoo! Games
2008-10-26 17:42 . 2008-10-26 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2008-10-26 17:32 . 2008-10-26 17:32 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\HP
2008-10-26 17:31 . 2008-10-26 17:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-26 17:31 . 2007-11-08 08:59 271,704 -ra------ c:\windows\system32\hpzids01.dll
2008-10-26 17:31 . 2007-10-20 17:25 117,760 --a------ c:\windows\system32\hpzll5mu.dll
2008-10-26 17:29 . 2008-10-26 17:29 <DIR> d-------- c:\program files\Common Files\HP
2008-10-26 17:29 . 2008-11-03 23:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-26 17:28 . 2008-11-03 23:18 <DIR> d-------- c:\program files\HP
2008-10-26 17:28 . 2008-04-13 23:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-26 17:28 . 2008-04-13 23:15 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-10-26 17:28 . 2008-04-13 23:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-10-26 17:27 . 2008-04-13 23:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-10-26 17:27 . 2008-04-13 23:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-10-26 17:25 . 2008-10-26 17:32 157,388 --a------ c:\windows\hphins26.dat
2008-10-26 17:25 . 2007-12-12 18:01 787 --------- c:\windows\hphmdl26.dat
2008-10-25 22:43 . 2008-10-25 22:43 <DIR> d-------- c:\documents and settings\Scott\Application Data\mioObjects
2008-10-25 16:49 . 2008-10-25 16:49 <DIR> d-------- c:\program files\3D Sports Car Screensaver
2008-10-25 16:49 . 2008-02-14 16:56 10,006,528 --a------ c:\windows\system32\3D Sports Car Screensaver.scr
2008-10-25 16:49 . 2008-02-14 13:16 3,141 --a------ c:\windows\system32\3D Sports Car Screensaver.html
2008-10-25 16:44 . 2008-10-25 16:44 <DIR> d-------- c:\program files\3D Asteroids
2008-10-25 16:41 . 2008-10-28 17:20 882 --a------ c:\windows\eReg.dat
2008-10-25 16:39 . 2008-10-27 18:52 <DIR> d-------- c:\program files\Maxis
2008-10-25 16:37 . 1999-11-24 20:29 196,608 --a------ c:\windows\system32\anfysave.scr
2008-10-25 16:31 . 2008-10-25 16:31 <DIR> d-------- c:\program files\Running Clock 3D Screensaver
2008-10-25 16:31 . 2008-10-25 16:31 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\TERMINAL Studio
2008-10-25 16:31 . 2008-02-14 19:36 3,661,824 --a------ c:\windows\system32\Running Clock 3D Screensaver.scr
2008-10-25 16:31 . 2005-09-21 15:08 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-10-25 16:31 . 2005-09-21 15:08 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-10-25 16:31 . 2006-02-15 17:26 92,216 --a------ c:\windows\system32\bass.dll
2008-10-25 16:31 . 2008-02-14 19:55 3,177 --a------ c:\windows\system32\Running Clock 3D Screensaver.html
2008-10-25 16:29 . 2008-10-25 16:36 <DIR> d-------- c:\program files\Cities of Earth
2008-10-25 16:29 . 2007-09-24 00:08 2,789,376 --a------ c:\windows\system32\Cities.scr
2008-10-25 16:26 . 2008-10-25 16:26 <DIR> d-------- c:\program files\Free Matrix Reality Screensaver
2008-10-25 16:26 . 2008-07-28 12:20 3,403,776 --a------ c:\windows\system32\Free Matrix Reality Screensaver.scr
2008-10-25 16:26 . 2005-09-05 07:01 1,056,768 --a------ c:\windows\system32\FreeImage.dll
2008-10-25 16:26 . 2005-12-21 18:05 245,760 --a------ c:\windows\system32\ImxEx.dll
2008-10-25 16:22 . 2008-10-25 16:22 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\mioObjects
2008-10-25 16:22 . 2008-10-25 16:22 359,431 --a------ c:\windows\system32\mioengine.exe
2008-10-25 16:20 . 2008-10-25 16:20 <DIR> d-------- c:\program files\Proactive Information Corporation
2008-10-25 16:20 . 2004-06-21 16:47 474,431 --a------ c:\windows\system32\Realtime Weather Screen Saver 4.02.scr
2008-10-25 16:20 . 2004-08-28 02:06 61,440 --a------ c:\windows\UnDeploy.exe
2008-10-25 15:32 . 2008-10-25 15:32 <DIR> d-------- c:\documents and settings\Scott\Application Data\Symantec
2008-10-25 15:32 . 2008-10-25 15:32 <DIR> d-------- c:\documents and settings\Scott\Application Data\Shareaza
2008-10-25 15:32 . 2008-11-15 20:33 <DIR> d-------- c:\documents and settings\Scott
2008-10-25 15:25 . 2008-10-25 15:25 <DIR> d-------- c:\documents and settings\Diana\Application Data\Symantec
2008-10-25 15:25 . 2008-10-25 15:25 <DIR> d-------- c:\documents and settings\Diana\Application Data\Shareaza
2008-10-25 15:24 . 2008-11-15 23:04 <DIR> d-------- c:\documents and settings\Diana
2008-10-25 15:18 . 2008-10-25 15:18 <DIR> d-------- c:\program files\Abassis Finance Manager
2008-10-25 15:14 . 2008-10-25 15:14 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Atari
2008-10-25 15:11 . 2008-10-25 15:11 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Leadertech
2008-10-25 15:08 . 2008-10-25 15:08 <DIR> d-------- c:\program files\Atari
2008-10-25 15:01 . 2008-10-25 15:01 74,582 --a------ c:\windows\Uninstal.exe
2008-10-25 14:59 . 2008-10-25 14:59 <DIR> d-------- c:\program files\Free 3D Valley Screensaver
2008-10-25 14:59 . 2008-10-25 14:59 <DIR> d-------- c:\program files\Active Volcano 3D Screensaver
2008-10-25 14:59 . 2008-07-28 10:10 8,073,216 --a------ c:\windows\system32\Free 3D Valley Screensaver.scr
2008-10-25 14:59 . 2008-02-14 17:02 6,008,832 --a------ c:\windows\system32\Active Volcano 3D Screensaver.scr
2008-10-25 14:59 . 2008-02-14 13:38 3,186 --a------ c:\windows\system32\Active Volcano 3D Screensaver.html
2008-10-25 14:58 . 2008-10-25 15:04 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\MechCAD
2008-10-25 14:58 . 2007-02-13 14:53 13,619,200 --a------ c:\windows\system32\Solar System 3D Screensaver.scr
2008-10-25 14:58 . 2007-02-09 13:05 3,226 --a------ c:\windows\system32\SolarSystem3DScreensaver.html
2008-10-25 14:56 . 2008-10-25 14:58 <DIR> d-------- c:\program files\Astro Gemini Software
2008-10-25 14:56 . 2008-10-25 14:56 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Astro Gemini Software
2008-10-25 14:56 . 2008-08-28 10:25 7,938,048 --a------ c:\windows\system32\Planet Earth 3D Screensaver.scr
2008-10-25 14:56 . 2007-11-06 16:46 106,496 --a------ c:\windows\system32\Astro Gemini Screensaver Manager.scr
2008-10-25 14:54 . 2004-10-06 18:38 3,446,272 --a------ c:\windows\Light Driver 2.stg
2008-10-25 14:54 . 2004-10-06 18:22 794,624 --a------ c:\windows\Light Driver 2.scr
2008-10-25 14:54 . 1999-06-25 10:55 149,504 --a------ c:\windows\UNWISE.EXE
2008-10-25 14:52 . 2007-11-23 13:18 9,005,490 --a------ c:\windows\kaleidoscopia.exe
2008-10-25 14:52 . 2008-10-25 14:52 639,995 --a------ c:\windows\unins000.exe
2008-10-25 14:52 . 2007-12-03 09:32 280,064 --a------ c:\windows\kaleidoscopia.scr
2008-10-25 14:52 . 2008-10-25 14:52 894 --a------ c:\windows\unins000.dat
2008-10-24 18:59 . 2008-11-08 11:40 <DIR> d-------- c:\program files\AdvancedDVDPlayer
2008-10-24 17:53 . 2008-10-24 18:01 <DIR> d-------- c:\program files\Shareaza
2008-10-24 17:53 . 2008-10-24 17:53 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Shareaza
2008-10-24 17:44 . 2008-04-14 01:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-10-24 17:44 . 2008-04-14 01:09 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-10-24 17:44 . 2001-08-17 14:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-10-24 17:44 . 2001-08-17 14:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-10-24 17:43 . 2008-10-24 17:43 <DIR> d-------- c:\program files\PHILIPS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 20:18 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 19:37 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 09:00 315,392 ----a-w c:\windows\HideWin.exe
2008-10-23 08:59 --------- d-----w c:\program files\Intel
2008-10-23 08:55 --------- d-----w c:\documents and settings\Richard Fedie\Application Data\InterTrust
2008-10-23 08:54 --------- d-----w c:\program files\MSXML 4.0
2008-10-23 08:44 --------- d-----w c:\program files\microsoft frontpage
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2007-10-15 16:30 148,242 ----a-w c:\program files\Common Files\ReportPreview.app
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 196709]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-24 13524992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-24 86016]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-30 136600]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2006-11-02 156160]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-02 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-03-24 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\10f6fd16502]
2008-11-15 20:28 135168 c:\windows\system32\extmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\extmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [2008-10-24 7548]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-16 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2008-11-16 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []

2008-11-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Richard Fedie.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19]
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 13:12:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
 -> c:\windows\System32\extmgr32.dll
PROCESS: c:\windows\system32\lsass.exe
 -> c:\windows\System32\extmgr32.dll
.
Completion time: 2008-11-16 13:13:19
ComboFix-quarantined-files.txt 2008-11-16 19:13:17

Pre-Run: 474,280,161,280 bytes free
Post-Run: 474,458,370,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

262 --- E O F --- 2008-11-15 21:09:14
Re: extmgr32.dll problem

Just out of sheer desperation I ran ESET again and it found like 26 things. Log posted below.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3615 (20081115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=7a07914fc4e7e54e917e47c9f1ba585b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-11-16 08:01:44
# local_time=2008-11-16 02:01:44 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=224580
# found=26
# scan_time=1372
C:\WINDOWS\system32\extmgr32.dll Win32/Agent.OAF trojan (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\1.crack.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\1.crack.zip »ZIP »crack.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\10.serial.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\10.serial.zip »ZIP »serial.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\11.setup.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\11.setup.zip »ZIP »setup.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\12.unpack.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\12.unpack.zip »ZIP »unpack.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\13.music.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) AB4352EC7CBEA96323E6530025CEB4DA
C:\WINDOWS\system32\GroupPolicyManifest\2.free_access_to_150_adult_sites.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\2.free_access_to_150_adult_sites.zip »ZIP »free access to 150 adult sites.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\3.free_adult_videos.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\3.free_adult_videos.zip »ZIP »free adult videos.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\4.free_porn_passwords.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\4.free_porn_passwords.zip »ZIP »free porn passwords.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\5.installer.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\5.installer.zip »ZIP »installer.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\6.keygen.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\6.keygen.zip »ZIP »keygen.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\7.nocd.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\7.nocd.zip »ZIP »nocd.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\8.nodvd.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\8.nodvd.zip »ZIP »nodvd.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\9.patch.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\9.patch.zip »ZIP »patch.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
Re: extmgr32.dll problem

I hope you followed the instructions with the ESET scanner and rebooted your computer, because final cleaning would not take place until a reboot. I say this because you didn't follow the directions for combofix. The instructions clearly state this;

Quote:

Quote:

You will need to go into c:\documents and settings\Richard Fedie\My Documents\antivirus\ and delete that combofix. ESET scanner may have removed some of the items we needed to remove, so maybe combofix will not be needed; we will see.

Run me a new HJT scan please.

Judy
Re: extmgr32.dll problem

Here is the new HJT log. Sorry that I didn't put it on my desktop. I read something on here in the forums about putting stuff on the desktop, and it said it was for ease of accessing the files. I downloaded another copy of combofix to my desktop and deleted the other; would you want me to run it again? After I ran the ESET scan I did reboot. Thanks for all the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:55 PM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Richard Fedie\My Documents\antivirus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSC...ws-i586-jc.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\extmgr32.dll
O20 - Winlogon Notify: 10f6fd16502 - C:\WINDOWS\System32\extmgr32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

-- End of file - 6587 bytes
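The two O20 lines in the HijackThis log above (AppInit_DLLs and a Winlogon Notify subkey both pointing at extmgr32.dll) are what the ComboFix "DLLs Loaded Under Running Processes" section confirmed: the same file is mapped into winlogon.exe and lsass.exe. That is the technical reason the poster saw "access denied" on delete and a fresh copy after each rename. The script below is an added example for this thread, not ComboFix, HijackThis or ESET code, and not something any participant posted. It parses HijackThis-style O20 lines, cross-references the two load points, and explains what each one means. The sample log is constructed from lines in the posted log; the allowlist of stock Winlogon Notify subkey names is an assumption (the packages a default Windows XP SP3 install registers), not a claim the thread makes.

```python
"""Triage HijackThis O20 entries for persistence that survives file deletion.

Added example for this thread; it is not ComboFix, HijackThis or ESET code.
SAMPLE_HJT_LOG is constructed from lines in the HijackThis log posted above.
STOCK_NOTIFY_SUBKEYS is an assumed allowlist (packages a default Windows XP
SP3 install registers under Winlogon\\Notify), not a claim the thread makes.
"""
import re

# Constructed sample: a handful of lines copied from the posted HijackThis log.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O20 - AppInit_DLLs: C:\\WINDOWS\\System32\\extmgr32.dll
O20 - Winlogon Notify: 10f6fd16502 - C:\\WINDOWS\\System32\\extmgr32.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_4.EXE
"""

# Assumed allowlist: Winlogon Notify packages on a stock XP SP3 install.
STOCK_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "ScCertProp",
    "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.+?)\s*$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s*(\S+)\s*-\s*(.+?)\s*$")


def triage_hjt(log_text):
    """Collect both O20 load points from a HijackThis log and cross-reference them.

    Returns a dict with:
      appinit      - DLL paths listed in the AppInit_DLLs value
      notify       - {subkey: dll} for each Winlogon Notify package
      odd_subkeys  - Notify subkeys not in the assumed stock allowlist
      locked       - DLLs (lower-cased) registered at both load points
    """
    appinit = []
    notify = {}
    for line in log_text.splitlines():
        m = APPINIT_RE.match(line)
        if m:
            # On XP the value is space- or comma-separated; a path with spaces
            # must use its 8.3 name there, so splitting on both is safe.
            appinit.extend(p for p in re.split(r"[,\s]+", m.group(1)) if p)
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify[m.group(1)] = m.group(2)

    odd_subkeys = sorted(k for k in notify if k not in STOCK_NOTIFY_SUBKEYS)
    locked = sorted({p.lower() for p in appinit}
                    & {p.lower() for p in notify.values()})
    return {"appinit": appinit, "notify": notify,
            "odd_subkeys": odd_subkeys, "locked": locked}


def explain(findings):
    """Turn the findings into the lines a helper would post back to the user."""
    lines = []
    for dll in findings["appinit"]:
        lines.append(f"{dll}: AppInit_DLLs -> mapped into every process that loads "
                     "user32.dll, Internet Explorer included")
    for subkey, dll in findings["notify"].items():
        tag = "stock" if subkey in STOCK_NOTIFY_SUBKEYS else "not a stock package name"
        lines.append(f"{dll}: Winlogon Notify subkey '{subkey}' ({tag}) -> loaded "
                     "into winlogon.exe as SYSTEM before any user logs on")
    for dll in findings["locked"]:
        lines.append(f"{dll}: registered at both load points; winlogon.exe holds the "
                     "file open, so delete/rename from a normal session fails with "
                     "'access denied' and code already running can drop a fresh copy. "
                     "Remove both registry values first, then delete the file before "
                     "the next logon (recovery console, offline boot, or a tool that "
                     "schedules the deletion at reboot).")
    return lines


if __name__ == "__main__":
    for line in explain(triage_hjt(SAMPLE_HJT_LOG)):
        print(line)
```

Run it against a saved HijackThis log by reading the file into `triage_hjt`. The point of the `locked` cross-reference is that either load point alone is enough to keep the DLL resident; fixing the HijackThis entries removes the registry values but leaves the mapped file in place until the next boot, which is why ESET reported "deleted (after the next restart)" rather than a clean removal.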
Re: extmgr32.dll problem

One thing I will say without question: each and every one of the infected .zip files, infected with the Win32/TrojanDropper.Delf.NFH trojan listed in the ESET log, is the result of P2P file sharing. I checked every one of them, so that is how the computer has become infected: P2P file sharing. This is why I asked you in post #3 to fix that one Shareaza entry. Looking at your combofix log I see that program was installed on 10-24-2008. After that date I see multiple games and other paid programs installed; how many of these were acquired using P2P file sharing? Frankly I would find any program downloaded via P2P suspect, especially any installed after that date. The ones we know for sure are infected files were installed on 11-15-2008; that honestly at this point doesn't mean there aren't others that haven't been found yet.

Yes, I want you to run combofix again. Follow THESE instructions EXACTLY:

At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen; you should press the number 1 key and then press the enter key to continue.

ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.

Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report. This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished.

Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt. When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically.

You should now post this log here when all is complete.
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC