Tech Support Forum banner
Not open for further replies.
1 - 3 of 3 Posts

· Registered
1 Posts
Discussion Starter · #1 · (Edited)
Hi! I recently had a virus on my PC - I beleive it's called "Defragmenter". It caused error messages to pop us from my status bar, and fake MS warnings would open frequently prompting me to purchase something. I attempted to remove the virus myself using Malwarebytes (found the solution on As my expertise is limited I also had a friend complete another scan & removal using spybot SD. At present, the pop ups are gone and my PC seems to be back to normal, with one HUGE exception. My browser crashes and closes automatically everytime I use it. Sometimes it takes a minute or two, other times I'm able to browse for five minutes, but it will inevitably crash everytime. I have IE, firefox, and google chrome - the same problem occurs regardless of the browser I use. I'm assuming this is a remnant of the virus as this has never happened to me before. Any help or suggestions would be greatly welcomed and appreciated. Many thanks!

System: MS Windows XP Professional
Version 2002
Service Pack 3

DDS pasted below, Attach.txt and Ark.txt attached.....

PS I wasn't able to compress my logs in anything other than Winwar so I have posted them as regular files - I hope that's ok, sorry if it's a problem.

DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 18:55:04.71 on 10/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.511.28 [GMT -4:00]
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {D351B063-D519-4278-9704-D38FF72EA486}
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro Personal Firewall *Disabled*
============== Running Processes ===============
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\OfficeScan NT\CNTAoSMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://
uSearch Page = hxxp://
uSearch Bar = hxxp://
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://
uSearchURL,(Default) = hxxp://
mSearchAssistant = hxxp://
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [EPSON NX420 Series] "c:\windows\system32\spool\drivers\w32x86\3\e_fatigca.exe" /fu "c:\windows\temp\E_SF6.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [OfficeScanNT Monitor] "c:\officescan nt\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe" /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\epsona~1.lnk - r:\common\epsonreg\EpsonReg.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://
DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://
DPF: {909A35CA-61DC-4437-887E-30ED6D89F6C8} - hxxp://
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
DPF: {D4C9E474-9A6C-4FBF-B13A-4BE2BDD34FD5} - hxxp://
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
Hosts: nt_server mailserver
Hosts: nova
Hosts: main
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\agfwp8bm.default\
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKslc532741c;MpKslc532741c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7ed2547e-149b-413b-9ca9-c852ba81ee1d}\MpKslc532741c.sys [2011-4-10 28752]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-12-28 47640]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [2011-4-3 45072]
R2 TmFilter;Trend Micro Filter;c:\officescan nt\tmxpflt.sys [2004-3-30 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\officescan nt\tmpreflt.sys [2004-3-30 36368]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\uagqecsvc.exe [2010-12-20 150928]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2011-4-3 3899008]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2011-4-3 3251928]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2004-6-15 315408]
S1 MpKsl7b1f1118;MpKsl7b1f1118;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cb323c2-efbd-4ad0-bfe5-b42a9867cdcf}\mpksl7b1f1118.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cb323c2-efbd-4ad0-bfe5-b42a9867cdcf}\MpKsl7b1f1118.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 AC2003;AC2003;c:\windows\system32\drivers\AC2003.sys [2005-6-27 4224]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\downlo~1\DMService.exe [2010-12-20 468368]
S3 TmPfw;OfficeScanNT Personal Firewall;c:\officescan nt\TmPfw.exe [2008-3-25 939344]
S3 TmProxy;OfficeScan NT Proxy Service;c:\officescan nt\TmProxy.exe [2008-3-25 558416]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-6 135664]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
=============== Created Last 30 ================
2011-04-10 18:26:09 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{7ed2547e-149b-413b-9ca9-c852ba81ee1d}\MpKslc532741c.sys
2011-04-10 18:22:47 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{7ed2547e-149b-413b-9ca9-c852ba81ee1d}\mpengine.dll
2011-04-05 22:04:58 -------- d-----w- c:\program files\common files\Symantec Shared
2011-04-05 22:04:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-04-05 22:03:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2011-04-05 01:59:13 -------- d-----w- c:\windows\system32\Adobe
2011-04-03 20:07:31 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-04-03 20:07:31 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-04-03 20:07:31 182056 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-04-03 20:02:49 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{3140EA8C-7399-4EC4-819C-16996F38FCFC}
2011-04-03 20:01:59 -------- d-----w- c:\program files\Webroot
2011-04-03 20:01:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2011-04-03 20:01:05 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\PackageAware
2011-03-30 02:11:01 -------- d-----w- c:\program files\Microsoft CAPICOM
2011-03-28 22:02:18 215920 ----a-w- c:\windows\system32\muweb.dll
2011-03-28 22:02:18 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-03-28 22:02:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-03-27 14:38:54 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-27 14:36:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-27 14:30:05 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-26 22:54:44 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-03-26 22:54:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 22:54:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-26 22:54:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
==================== Find3M ====================
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
============= FINISH: 19:17:34.68 ===============


· Registered
2,656 Posts
Hello, Welcome to TSF.
I'm nasdaq and will be helping you.

Click start> run> type services.msc hit the enter key. Kill this service/process in bold.


Restart the computer in safe mode.

  • Restart your computer in Safe Mode, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu.
  • When the Windows Advanced Options menu appears, select an option, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

Delete all the files in this \Temp folder, not the folder.

Restart the computer normally.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do not mouse click ComboFix's window while it's running. That may cause it to stall

For AVG antivirus and anti-spyware security software users only.
Due to recent changes in AVG and how it interacts with CF, AVG must be uninstalled to run ComboFix. You will get a message from CF stating such.

If AVG will not uninstall, it is first recommended to uninstall it with this AppRemover by Opswat. The AVG uninstaller can be downloaded from here > AppRemover.exe Go to their homepage and you will see they have support for removal of other AV's as well AVG appremover tool.
Please post the log and let me know what problem persists.
1 - 3 of 3 Posts
Not open for further replies.