
Infected With Antivirus Xp 2008


9 replies to this topic

#1 MAGRITTE
  • Members
  • 8 posts

Posted 15 September 2008 - 05:20 PM

I have run Ad-Aware and Spybot until all infected files seem gone. My display tabs have returned and the fake virus message is now gone. However, when I run my Trend software it still shows 8 files repeatedly, no matter how many times I run it and delete the infected files. I have been sure to keep System Restore turned off until after the delete command is given.

I am not able to use Internet Explorer at all, and sometimes if I try it freezes the computer. Previously I could, but was denied certain sites. I can use Firefox but am denied access to helpful sites such as Microsoft, Trend, Bleeping Computer, although I can sometimes go through secondary sites. And I am now being stopped from emailing my HijackThis logs from my laptop to my PC so I can send them to you. I have to print it and scan it. It seems as if this thing gets smarter and smarter!
Sorry, I posted incorrectly the first time (169139: infected with Antivirus XP 2008). Please help.

Here are my logs:

TREND VIRUS
"Virus Scan Logs" "Sep 15, 2008" ""
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"13:35" "Manual Scan" "File" "RTKT_STITCH.E" "C:\WINDOWS\SYSTEM32\tdssadw.dll" "Quarantined Success" ""
"13:35" "Manual Scan" "File" "TROJ_FAKEAVAL.AE" "C:\WINDOWS\SYSTEM32\tdsslog.dll" "Quarantined Success" ""
"13:35" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\SYSTEM32\tdssmain.dll" "Quarantined Success" ""
"13:35" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\SYSTEM32\tdssserf.dll" "Quarantined Success" ""

TREND TROJAN
"Trojan Horse Program Cleanup" "Sep 15, 2008" ""
"Time" "Threat Name:" "Result:"
"13:36" "TSC_GENCLEAN" "Clean" ""
"13:36" "TSC_GENCLEAN" "Clean" ""
"13:36" "TSC_GENCLEAN" "Clean" ""
"13:36" "TSC_GENCLEAN" "Clean" ""

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:06 AM, on 9/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1105327769\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105327769\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\RunOnce: [TSC] "C:\Program Files\Trend Micro\Internet Security\tsc.exe" /HD
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE /FU "C:\WINDOWS\TEMP\E_SA6.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [c:_program files_wordperfe3a] C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe /Watch /r="SOFTWARE\Corel\WordPerfect Suite\12"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.6.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} (AOL Newport Editor Ctrl) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.6.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://pictures.aol.com/ap/Resources/2.0.6...ns.10.6.0.4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11492 bytes

#2 steamwiz
  • Members
  • 1,039 posts

Posted 17 September 2008 - 04:01 PM

Hi

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#3 MAGRITTE
  • Topic Starter
  • Members
  • 8 posts

Posted 17 September 2008 - 07:03 PM

Hi,
I cannot access either besttechie or majorgeeks as instructed. The infected laptop either states "connection interrupted" or redirects/jumps to weird websites having nothing to do with the links. I am using Firefox. Internet Explorer won't even start.

Is it possible to restore the laptop to the day prior to the virus and then attempt a fix?


Also, I have one message that appears at every start. Not sure if it has anything to do with the problems:
CorUpd.exe - Application Error
The application failed to initialize properly (0xc0000022). Click on OK to terminate the application.


Thanks

#4 steamwiz
  • Members
  • 1,039 posts

Posted 18 September 2008 - 03:22 PM

Hi

Is it possible to restore the laptop to the day prior to the virus and then attempt a fix?


It may come to that, but if we can get those 2 programs to run, it will make it a lot easier to remove leftovers and get things back to normal...

Can you download Malwarebytes_Anti-Malware from here :- http://www.download.com/Malwarebytes-Anti-...4-10804572.html

If you can't then go ahead and download & run Combofix (if you can)

Also, I have one message that appears at every start. Not sure if it has anything to do with the problems:
CorUpd.exe - Application Error
The application failed to initialize properly (0xc0000022). Click on OK to terminate the application.


Probably a side effect of your main problem...

corupd.exe is a Corel Product Update Utility from Corel Corporation belonging to CorelDRAW.

For some reason it's not able to check for updates... no biggie, don't worry about that one for now. Once the main problem is resolved, you can always reinstall CorelDRAW if you have to.

steam

#5 MAGRITTE
  • Topic Starter
  • Members
  • 8 posts

Posted 18 September 2008 - 09:25 PM

Hi Steam,

I was able to run Malwarebytes and have attached the log below. However, I have a question about running ComboFix. Should I run it with my System Restore on or off? I have been running all the previous virus programs with it off because I have Windows XP, which from what I had researched said to turn it off. Please advise.
Thank you again.

Malwarebytes' Anti-Malware 1.28
Database version: 1171
Windows 5.1.2600 Service Pack 3

9/18/2008 9:32:57 PM
mbam-log-2008-09-18 (21-32-57).txt

Scan type: Quick Scan
Objects scanned: 47086
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mare salerno\Application Data\rhc1bmj0e9a3\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
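The Trend Micro, MBAM and ComboFix logs in this thread all point at the same small artifact set: tdss*.dll/.dat files in SYSTEM32, the tdssserv.sys driver and its TDSSserv service, the HKLM\SOFTWARE\tdss and tdssdata keys, an rhc... folder under Application Data flagged as Rogue.Multiple, and a hijacked scrnsave.exe value. The script below is an added example, not something posted in the thread and not code from any of those tools: it triages a pasted log for exactly those indicators and collapses repeated entries so the same artifact reported by two scanners is counted once. The category names, the SAMPLE_LOG lines (constructed from the formats shown in the posted logs) and the rootkit/rogue-av verdict rule are this example's own assumptions.

```python
"""Triage a pasted Windows cleanup log for the TDSS / rogue-AV indicators seen in this thread.

Added example, not part of the thread: it reads lines in the HijackThis, Trend Micro,
MBAM and ComboFix formats posted above and flags the artifacts those tools reported.
Indicator patterns come from the posted logs; the category names, SAMPLE_LOG and the
verdict rule are this example's own choices (assumptions, not tool output).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Each (category, pattern) pair captures the indicator in group 1. A line is assigned to
# the first category that matches, so the driver tdssserv.sys counts as a file, not a service.
INDICATORS: list[tuple[str, re.Pattern[str]]] = [
    # tdss*.dll / tdss*.dat in SYSTEM32, tdssserv.sys in SYSTEM32\DRIVERS (Trend and MBAM logs)
    ("tdss_file", re.compile(r"\\SYSTEM32\\(?:DRIVERS\\)?(tdss[a-z0-9]*\.(?:dll|sys|dat))\b", re.I)),
    # Legacy_TDSSSERV / Service_TDSSserv entries as removed by ComboFix
    ("tdss_service", re.compile(r"((?:Legacy_|Service_)?TDSSserv)\b", re.I)),
    # HKLM\SOFTWARE\tdss and HKLM\...\Windows NT\CurrentVersion\tdssdata keys as removed by MBAM
    ("tdss_regkey", re.compile(r"(HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:tdss|Microsoft\\Windows NT\\CurrentVersion\\tdssdata))\b", re.I)),
    # Rogue.Multiple per-user folder: Application Data\rhc<random>
    ("rogue_appdata", re.compile(r"\\Application Data\\(rhc[a-z0-9]+)\b", re.I)),
    # Hijack.Wallpaper: the rogue repoints the screensaver value
    ("wallpaper_hijack", re.compile(r"(HKEY_CURRENT_USER\\Control Panel\\Desktop\\scrnsave\.exe)\b", re.I)),
]


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based line in the pasted log
    category: str
    indicator: str    # lower-cased so the same artifact is counted once across tools


def triage_log(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per log line that carries a known indicator (first matching category wins)."""
    hits: list[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        for category, pattern in INDICATORS:
            m = pattern.search(line)
            if m:
                hits.append(Hit(line_no, category, m.group(1).lower()))
                break
    return hits


def summarize(hits: Iterable[Hit]) -> dict[str, list[str]]:
    """Group unique indicators by category, sorted, so repeated folder entries collapse to one."""
    grouped: dict[str, set[str]] = {}
    for hit in hits:
        grouped.setdefault(hit.category, set()).add(hit.indicator)
    return {cat: sorted(found) for cat, found in sorted(grouped.items())}


def verdict(summary: dict[str, list[str]]) -> str:
    """A kernel driver / service / key from the tdss family outranks a rogue-AV-only finding."""
    if any(cat.startswith("tdss_") for cat in summary):
        return "rootkit"
    if summary:
        return "rogue-av"
    return "clean"


# Constructed sample: lines in the Trend Micro, MBAM and ComboFix formats posted above,
# plus two benign HijackThis lines that must not be flagged.
SAMPLE_LOG = r"""C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"13:35" "Manual Scan" "File" "RTKT_STITCH.E" "C:\WINDOWS\SYSTEM32\tdssadw.dll" "Quarantined Success" ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\rhc1bmj0e9a3 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\rhc1bmj0e9a3\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
-------\Legacy_TDSSSERV
-------\Service_TDSSserv
"""

if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"line {hit.line_no:2d}  {hit.category:17s} {hit.indicator}")
    report = summarize(found)
    print(report)
    print("verdict:", verdict(report))
```

Paste a real log in place of SAMPLE_LOG (or read it from a file and pass `f.readlines()` to `triage_log`) and the summary gives you the de-duplicated list of what still needs to be gone after the reboot; an empty `tdss_file` and `tdss_service` set after a post-reboot rescan is the check that the "Delete on reboot" entries above actually happened.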

#6 steamwiz
  • Members
  • 1,039 posts

Posted 19 September 2008 - 05:42 PM

Hi

You should NEVER turn System Restore OFF... this is a misconception held by a lot of people on the net. If you have a problem with malware, and removing that malware goes drastically wrong (malware integrates itself deeper and deeper into the operating system nowadays), then being able to perform a System Restore and start the removal again is your SAFETY NET. An INFECTED restore point is better than NO restore point. Once you turn System Restore OFF you LOSE ALL restore points. Just because you may have an infected restore point, it's not going to infect your computer unless you perform a System Restore... WE will purge your System Restore points once we know you have a clean computer.

Turn System Restore ON again now and leave it ON...

Did you allow MBAM to reboot your computer so that it could remove the rootkit files (tdss...)?

Please go ahead and run ComboFix now.

steam

#7 MAGRITTE
  • Topic Starter
  • Members
  • 8 posts

Posted 19 September 2008 - 10:10 PM

Thanks for the System Restore advice! This is what Trend has instructed Windows XP users to do, and that is why I do it.

Additional Windows ME and XP Cleaning Instructions

Windows Millennium Edition (ME) and Windows XP have a feature known as System Restore, which creates backups of certain files in the _Restore folder. The System Restore feature usually backs up files with EXE or COM extensions, which may include infected files and malware programs. Files in the _Restore folder are protected and can only be accessed using System Restore. This feature must be disabled first before Trend Micro antivirus can access and clean these files.

When this is resolved, perhaps you will give me some recommendations for security software.




Yes, I did allow the MBAM reboot, and I must say everything seems to be running great.

I will do the ComboFix as instructed but have another question regarding the Microsoft instructions. I'm a little confused by these Microsoft instructions for people who don't have the discs. Is it OK for me to copy to my computer for installation at a later time?
I do not have the Windows XP setup discs, but Dell is sending them to me. Should I wait until I get them, or is it OK to save to my computer?



1. Click the Download button on this page to start the download, or choose a different language from the drop-down list and click Go.
2. Do one of the following:
* To start the installation immediately, click Open or Run this program from its current location.
o NOTE: The installation program will prompt you to provide formatted, 1.44MB floppy disks onto which the installation program will copy its files.
* To copy the download to your computer for installation at a later time, click Save and choose a location on your hard disk for saving the file.


ComboFix seems a bit scary for a novice, so I just want to be sure I am not screwing up.
Thank you for your patience.

#8 steamwiz
  • Members
  • 1,039 posts

Posted 20 September 2008 - 03:32 PM

HI

That statement by Trend is similar to a lot you will see posted about the net. It's true insofar as System Restore will back up infected files... but the rest of it is total bullbleep.

Files in the _Restore folder are protected and can only be accessed using System Restore. This feature must be disabled first before Trend Micro antivirus can access and clean these files.


Once you turn off system restore, all restore points are deleted, so there are NO files for Trend Micro antivirus to access and clean.

My view of NOT turning OFF System Restore is one shared by the majority of security experts... but it's up to you to decide which advice to follow.

RE: Combofix & the Recovery Console ...

Referring to this link :- http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Basically ...

1. Download the Combofix.exe file to your DESKTOP

2. You have Windows XP SP3, but you Don't have an XP disk ... so in the link above, scroll down till you see this bold line :- If you use Windows XP and do not have the Windows CD

3. It tells you to go here :- http://support.microsoft.com/kb/310994 < so click this link

scroll down to this section...

Windows XP Service Pack 2 (SP2)
For information about the Setup boot disk versions that are available for download, visit the following Microsoft Web sites:

Windows XP Home Edition SP2
http://www.microsoft.com/downloads/details...;displaylang=en

Windows XP Professional SP2
http://www.microsoft.com/downloads/details...;displaylang=en

For SP3, use SP2... download the file for your version of Windows (Professional or Home Edition).

Once you click your version link above, you will see the download for either...

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe < Professional Edition

or

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe < Home Edition

So if you have XP Home Edition, download the WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

Download this file to your desktop as well

Then with your mouse, pick up the WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe file and drag and drop it onto the Combofix.exe file...

Combofix will then install the Recovery Console for you :)

Just follow the on-screen instructions & continue to run Combofix

Hope this makes it clearer for you :)

Cheers

steam

#9 MAGRITTE
  • Topic Starter
  • Members
  • 8 posts

Posted 28 September 2008 - 06:32 PM

Hi Steam,
Thanks for making the ComboFix instructions clearer and less intimidating!
Here is the log. One thing I'm having a problem with is connecting to the internet via wireless with the laptop that had the problem.

ComboFix 08-09-26.01 - mare salerno 2008-09-26 22:31:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.148 [GMT -4:00]
Running from: C:\Documents and Settings\mare salerno\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mare salerno\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\mare salerno\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-18 21:23 . 2008-09-18 21:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 21:23 . 2008-09-18 21:23 <DIR> d-------- C:\Documents and Settings\mare salerno\Application Data\Malwarebytes
2008-09-18 21:23 . 2008-09-18 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-18 21:23 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-18 21:23 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-14 12:44 . 2008-09-14 12:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-14 12:44 . 2008-09-14 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-14 12:43 . 2008-09-14 12:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-06 16:52 . 2004-07-14 11:15 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-09-06 16:52 . 2004-07-14 11:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-09-06 16:52 . 2004-07-14 11:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-09-06 16:52 . 2008-09-06 16:52 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-06 13:57 . 2008-09-06 16:02 10,752 --a------ C:\WINDOWS\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-19 16:37 77,824 ----a-w C:\WINDOWS\SYSTEM32\kdfapi.dll
2008-09-19 16:37 726,568 ----a-w C:\WINDOWS\SYSTEM32\kdfmgr.exe
2008-09-19 16:37 53,248 ----a-w C:\WINDOWS\SYSTEM32\Kdfhok.dll
2008-09-19 16:37 192,512 ----a-w C:\WINDOWS\SYSTEM32\kdfvmgr.exe
2008-09-18 00:56 --------- d-----w C:\Program Files\Common Files\aolback
2008-09-18 00:46 --------- d-----w C:\Program Files\America Online 9.0a
2008-09-18 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-15 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-14 23:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-29 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 01:50 --------- d-----w C:\Program Files\My Photo Calendars and Cards
2008-08-01 16:54 --------- d-----w C:\Program Files\Java
2008-07-28 21:00 --------- d-----w C:\Program Files\Google
2008-07-22 03:52 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-07-22 03:49 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2006-07-21 23:45 848 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"EPSON Stylus Photo R380 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" [2006-05-29 139264]
"c:_program files_wordperfe3a"="C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe" [2004-01-07 139264]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 488712]
"TrendSecure Remote File Lock"="C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2008-02-15 423248]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"HostManager"="C:\Program Files\Common Files\AOL\1105327769\ee\AOLSoftware.exe" [2006-09-25 50736]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-05-12 249856]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 155648]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"TSC"="C:\Program Files\Trend Micro\Internet Security\tsc.exe" [2008-07-02 353544]

C:\Documents and Settings\mare salerno\Start Menu\Programs\Startup\
Nikon Monitor.lnk.disabled [2008-03-25 1815]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-05 124912]
HP Digital Imaging Monitor.lnk.disabled [2008-01-12 1808]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-07-14 335872]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2008-06-17 36864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1105327769\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\1105327769\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 455680]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 17142]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-24 173056]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lphc5bmj0e9a3 - C:\WINDOWS\system32\lphc5bmj0e9a3.exe
MSConfigStartUp-SMrhc1bmj0e9a3 - C:\Program Files\rhc1bmj0e9a3\rhc1bmj0e9a3.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\mare salerno\Application Data\Mozilla\Firefox\Profiles\1sebrdzu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en&source=iglk
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.940.34809\npCIDetect11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npcpbrk7.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 22:44:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2008-09-26 23:03:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-27 03:03:14

Pre-Run: 17,479,016,448 bytes free
Post-Run: 17,381,326,848 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

201 --- E O F --- 2008-09-13 23:33:31

Thank you
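The ComboFix report above lists the Run keys, a SafeBoot\Minimal entry for TDSSserv.sys, Security Center DisableMonitoring values for the Trend products, and two orphaned MSConfig startup entries with random-looking names (lphc5bmj0e9a3, rhc1bmj0e9a3). As an added example that is not part of the original post and not ComboFix's own code, here is a small Python triage script that parses ComboFix-style autostart lines and flags the three things a helper would look at first: executables whose names look like random tokens, .sys drivers registered under SafeBoot so they load even in Safe Mode, and Security Center monitoring switched off. The sample lines are constructed to match the report's format, and the name heuristic and its thresholds are this example's own assumptions, not a published detection rule.

```python
"""Triage a ComboFix-style autostart listing (added example, not ComboFix code).
The random-name heuristic and thresholds below are this example's own assumptions."""
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the "Reg Loading Points" and "ORPHANS REMOVED"
# sections of a ComboFix report; formats copied, entries chosen for the example.
SAMPLE_REPORT = "\n".join([
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]',
    r'"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]',
    r'"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]",
    '@=""',
    "",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]",
    r'"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    "",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]",
    r'"DisableMonitoring"=dword:00000001',
    "",
    "- - - - ORPHANS REMOVED - - - -",
    "",
    r"MSConfigStartUp-lphc5bmj0e9a3 - C:\WINDOWS\system32\lphc5bmj0e9a3.exe",
    r"MSConfigStartUp-SMrhc1bmj0e9a3 - C:\Program Files\rhc1bmj0e9a3\rhc1bmj0e9a3.exe",
])

KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+?)(?:\s+\[[^\]]*\])?$')
ORPHAN_LINE = re.compile(r"^MSConfigStartUp-(?P<name>\S+)\s+-\s+(?P<path>.+)$")
SAFEBOOT_DRIVER = re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\[^\\]+\.sys$", re.IGNORECASE)
AUTORUN_KEYS = ("\\run", "\\runonce", "\\run-")


def letter_digit_transitions(stem: str) -> int:
    """Count letter<->digit boundaries; generated names like lphc5bmj0e9a3 alternate a lot."""
    classes = ["d" if c.isdigit() else "a" if c.isalpha() else "x" for c in stem]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b and "x" not in (a, b))


def looks_random(stem: str, min_len: int = 8, min_transitions: int = 3) -> bool:
    """Heuristic (assumption of this example): long stem with several letter/digit flips."""
    return len(stem) >= min_len and letter_digit_transitions(stem) >= min_transitions


def executable_stem(value: str) -> str:
    """Pull the executable out of a Run value, honouring a quoted path with arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        value = value[1:end] if end > 0 else value[1:]
    return PureWindowsPath(value).stem


def finding(kind: str, name: str, path: str, reason: str) -> dict:
    return {"kind": kind, "name": name, "path": path, "reason": reason}


def triage(report: str) -> list:
    """Walk the report line by line, tracking the current registry key, and return findings."""
    findings, key = [], ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            if SAFEBOOT_DRIVER.search(key):
                # Entries under SafeBoot\Minimal are started in Safe Mode as well, which is
                # exactly why a rootkit dropper registers its driver there.
                findings.append(finding("safeboot-driver", key.rsplit("\\", 1)[1], key,
                                        "driver registered to load even in Safe Mode"))
            continue
        m = ORPHAN_LINE.match(line)
        if m:
            if looks_random(PureWindowsPath(m.group("path")).stem):
                findings.append(finding("orphan", m.group("name"), m.group("path"),
                                        "random-token executable name"))
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if ("security center\\monitoring" in key.lower() and name == "DisableMonitoring"
                and value.lower() == "dword:00000001"):
            # Caveat: third-party AV/firewall products often set this themselves, so treat it
            # as something to verify against the installed product, not as proof of tampering.
            findings.append(finding("security-center-monitoring-off", key.rsplit("\\", 1)[1], key,
                                    "Security Center no longer tracks this product's state"))
        elif key.lower().endswith(AUTORUN_KEYS) and looks_random(executable_stem(value)):
            findings.append(finding("autorun", name, value, "random-token executable name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['kind']:<30} {f['name']:<18} {f['reason']}  <- {f['path']}")
```

Run it against a saved ComboFix.txt by passing the file's contents to `triage()`; on the constructed sample it flags the two orphaned MSConfig entries, the SafeBoot driver and the DisableMonitoring value, and leaves ctfmon.exe, Aim6, TeaTimer and QuickTime Task alone. The letter/digit transition count is deliberately crude: it is tuned to the rhc*/lphc* naming the thread shows and will miss random names made of letters only, so treat it as a first pass for a human, not a verdict.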

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 29 September 2008 - 03:16 PM

Hi

Is the computer running OK now apart from the wireless connection?

There are so many things that could cause a problem with a wireless connection ... Have a look at these links and see if any help you?

http://www.google.com/search?sourceid=navc...ireless+network

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware



