very problematic computer


13 replies to this topic

#1 monsterbob

monsterbob

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Location:Albay, Philippines
  • Local time:12:07 AM

Posted 08 January 2009 - 09:11 PM

It's so slow. I tried installing Avira antivirus, but after clicking Run it just disappears from the screen. I also tried installing Malwarebytes; the same thing happened. I then tried to run DDS, but "cmd is not valid win32 application" appears. A "task manager is disabled" message also appears.


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:07 PM

Posted 09 January 2009 - 09:16 PM

Please try renaming the Malwarebytes (MBAM) file to red.com. Try rerunning it.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 monsterbob

Posted 12 January 2009 - 11:01 AM

Thanks, sir. I will try it first thing in the morning.

#4 monsterbob

Posted 13 January 2009 - 02:26 AM

Hello! Good day!

I already renamed Malwarebytes to red.com and reran it. The same thing happens. I only got as far as clicking on "I agree", then it disappears towards the START button. I even tried running it in safe mode; the same thing happened.

#5 rigel

Posted 13 January 2009 - 08:09 AM

What version of Windows are you running?


#6 monsterbob

Posted 14 January 2009 - 11:01 PM

We're using Windows XP ver 2002 with Service Pack 2 on an IBM Intel Pentium 4 2.80 GHz with 248 MB of RAM.

I already enabled REGEDIT by using the Doug Knox Registry Tools VBScript. Here's the link:

Doug Knox Registry Tools VBScript

I then tried installing Malwarebytes' again, and here's the latest message that appeared:

"C:\Program Files\Malwarebytes' Anti-malware\ssubtmr6.dll"
"Unable to register the DLL/OCX: RegSur32 failed with exit code OX3"
"Click Retry to try again, Ignore to proceed anyway(not recommended) or Abort to cancel installation"

I aborted the installation. I will try to enable the Task Manager later. Other than that, what should I do next?
Thanks!

#7 rigel

Posted 15 January 2009 - 11:42 AM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


#8 monsterbob

Posted 17 January 2009 - 08:15 AM

To Moderators and rigel:

Please don't close this thread yet. I already downloaded SDFix and its instructions, but I can't run it yet. The problematic computer is in the office adjacent to ours. It is Saturday here in our place, so it is closed. Maybe I can post the Report.txt 3 days from now. Thanks for your help! :thumbsup: :flowers:

#9 rigel

Posted 17 January 2009 - 10:30 AM

No problem - take your time :thumbsup:


#10 monsterbob

Posted 21 January 2009 - 03:18 AM

Just finished running SDFix, and here's the report.txt


SDFix: Version 1.240
Run by Administrator on Wed 01/21/2009 at 03:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
tdssserv
tdssserv

Path :
\systemroot\system32\drivers\tdssserv.sys

tdssserv - Deleted
tdssserv - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\tdssl.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 15:59:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060aa95d2]
"001698a02a40"=hex:59,0d,55,98,18,da,39,d2,12,ef,cc,8b,75,5d,2c,4e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001060aa95d2]
"001698a02a40"=hex:59,0d,55,98,18,da,39,d2,12,ef,cc,8b,75,5d,2c,4e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%ProgramFiles%\\IBM\\Updater\\ucsmb.exe"="%ProgramFiles%\\IBM\\Updater\\ucsmb.exe:*:enabled:IBM Update Connector"
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"="%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe:*:enabled:IBM Update Connector"
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"="%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe:*:enabled:IBM Update Connector"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\PopCap Games\\BookWorm Deluxe\\BookWorm.exe"="C:\\Program Files\\PopCap Games\\BookWorm Deluxe\\BookWorm.exe:*:Enabled:BookWorm"
"C:\\Documents and Settings\\ThinkCentre1\\My Documents\\BookWorm Deluxe\\BookWorm.exe"="C:\\Documents and Settings\\ThinkCentre1\\My Documents\\BookWorm Deluxe\\BookWorm.exe:*:Enabled:BookWorm"
"C:\\Program Files\\GameHouse\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\Program Files\\GameHouse\\Wheel of Fortune\\Wheel of Fortune.exe:*:Enabled:Wheel of Fortune"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%ProgramFiles%\\IBM\\Updater\\ucsmb.exe"="%ProgramFiles%\\IBM\\Updater\\ucsmb.exe:*:enabled:IBM Update Connector"
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"="%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe:*:enabled:IBM Update Connector"
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"="%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe:*:enabled:IBM Update Connector"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 17 May 2007 250,975 A.SHR --- "C:\SCVHOST.exe"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\j6299822.exe"
Mon 19 Mar 2007 564,938 ..SHR --- "C:\WINDOWS\krag.exe"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\o4299827.exe"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\_default29982.pif"
Tue 5 Apr 2005 25,088 A..H. --- "C:\backup\FORTUNE MEDICARE\My Documents\~WRL0824.tmp"
Tue 5 Apr 2005 19,456 A..H. --- "C:\backup\FORTUNE MEDICARE\My Documents\~WRL0869.tmp"
Tue 5 Apr 2005 27,136 A..H. --- "C:\backup\FORTUNE MEDICARE\My Documents\~WRL1402.tmp"
Tue 5 Apr 2005 22,528 A..H. --- "C:\backup\FORTUNE MEDICARE\My Documents\~WRL2985.tmp"
Thu 17 May 2007 250,975 A.SHR --- "C:\Documents and Settings\All Users\Documents\SCVHOST.exe"
Tue 24 Jul 2007 43,072 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRM.exe"
Sat 11 Dec 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 11 Dec 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Mon 21 Mar 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Tue 27 May 2008 31,744 ...H. --- "C:\Documents and Settings\ThinkCentre1\My Documents\~WRL0663.tmp"
Fri 9 Jan 2009 20,992 ...H. --- "C:\Documents and Settings\ThinkCentre1\My Documents\~WRL1359.tmp"
Tue 27 May 2008 25,088 ...H. --- "C:\Documents and Settings\ThinkCentre1\My Documents\~WRL2863.tmp"
Tue 27 May 2008 25,088 ...H. --- "C:\Documents and Settings\ThinkCentre1\My Documents\~WRL3059.tmp"
Tue 27 May 2008 24,576 ...H. --- "C:\Documents and Settings\ThinkCentre1\My Documents\~WRL3193.tmp"
Tue 27 May 2008 31,232 ...H. --- "C:\Documents and Settings\ThinkCentre1\My Documents\~WRL3351.tmp"
Sat 11 Dec 2004 4,348 ...H. --- "C:\RECYCLER\S-1-5-21-3715496334-2881904242-2359023029-1005\Dc970\drmv1key.bak"
Mon 10 Nov 2008 782 A..H. --- "C:\RECYCLER\S-1-5-21-3715496334-2881904242-2359023029-1005\Dc970\drmv1lic.bak"
Sat 11 Dec 2004 312 A.SH. --- "C:\RECYCLER\S-1-5-21-3715496334-2881904242-2359023029-1005\Dc970\drmv2key.bak"
Tue 11 Sep 2007 43,072 A..H. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP740\A2000347.exe"
Tue 21 Aug 2007 43,072 A..H. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP740\A2000442.exe"
Thu 22 May 2008 43,072 A..H. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP740\A2000508.exe"
Mon 15 Jan 2001 43,072 A..H. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP740\A2000571.exe"
Wed 18 Jul 2007 43,072 A..H. --- "C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP740\A2000966.exe"
Sat 2 Dec 2006 106,496 A.SHR --- "C:\WINDOWS\system\_sv_CMD_\_U_.exe"
Fri 24 Aug 2007 43,072 ..SHR --- "C:\WINDOWS\system32\n2847\smss.exe"
Fri 24 Aug 2007 43,072 ..SHR --- "C:\WINDOWS\system32\n2847\sv71333030r.exe"
Wed 24 Dec 2008 43,072 ..SHR --- "C:\WINDOWS\system32\n7467\smss.exe"
Wed 24 Dec 2008 43,072 ..SHR --- "C:\WINDOWS\system32\n7467\sv711719030r.exe"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\system32\n8061\smss.exe"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\system32\n8061\sv711897230r.exe"
Tue 20 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\system32\n8127\smss.exe"
Tue 20 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\system32\n8127\sv711917030r.exe"
Thu 15 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\system32\s10899\smss.exe"
Thu 15 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\system32\s10899\zh592748684y.exe"
Thu 4 Jan 2001 43,072 ..SHR --- "C:\WINDOWS\system32\s6081\smss.exe"
Thu 4 Jan 2001 43,072 ..SHR --- "C:\WINDOWS\system32\s6081\zh591303284y.exe"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\system32\s8787\smss.exe"
Sat 23 Jun 2007 89,600 A.SHR --- "C:\WINDOWS\Temp\_ISTMPI.DIR\mmc32.exe"
Sun 20 Jun 2004 22,528 A..H. --- "C:\backup\FORTUNE MEDICARE\My Documents\labayen\~WRL0704.tmp"
Fri 18 Jun 2004 22,528 A..H. --- "C:\backup\FORTUNE MEDICARE\My Documents\labayen\~WRL2225.tmp"
Tue 20 Jan 2004 20,992 A..H. --- "C:\backup\FORTUNE MEDICARE\My Documents\labayen\~WRL2970.tmp"
Wed 24 Dec 2008 43,072 ..SHR --- "C:\Documents and Settings\Guest\Local Settings\Application Data\smss.exe"
Wed 24 Dec 2008 43,072 ..SHR --- "C:\Documents and Settings\Guest\Local Settings\Application Data\zh591006284y.exe"
Wed 18 Aug 2004 24,064 ...H. --- "C:\Documents and Settings\ThinkCentre1\My Documents\M E M O\~WRL0001.tmp"
Sat 5 May 2007 43,072 A.SHR --- "C:\backup\FORTUNE MEDICARE\Local Settings\Application Data\dv6419400x\yesbron.com"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\Documents and Settings\Administrator\Local Settings\Application Data\dv6211500x\yesbron.com"
Wed 21 Jan 2009 43,072 ...H. --- "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Startup.exe"
Wed 24 Dec 2008 43,072 ..SHR --- "C:\Documents and Settings\Guest\Local Settings\Application Data\dv6100620x\yesbron.com"
Tue 11 Sep 2007 43,072 ...H. --- "C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Startup.exe"
Thu 15 Jan 2009 43,072 ..SHR --- "C:\Documents and Settings\Marketing&Sales\Local Settings\Application Data\dv6274860x\yesbron.com"
Tue 21 Aug 2007 43,072 ...H. --- "C:\Documents and Settings\Marketing&Sales\Start Menu\Programs\Startup\Startup.exe"
Thu 4 Jan 2001 43,072 ..SHR --- "C:\Documents and Settings\mavis\Local Settings\Application Data\dv6130320x\yesbron.com"
Thu 22 May 2008 43,072 ...H. --- "C:\Documents and Settings\mavis\Start Menu\Programs\Startup\Startup.exe"
Wed 24 Dec 2008 43,072 ..SHR --- "C:\Documents and Settings\OCSAdmin\Local Settings\Application Data\dv6171900x\yesbron.com"
Mon 15 Jan 2001 43,072 ...H. --- "C:\Documents and Settings\OCSAdmin\Start Menu\Programs\Startup\Startup.exe"
Sat 7 May 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0003.tmp"
Tue 1 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0004.tmp"
Thu 14 Apr 2005 65,536 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0005.tmp"
Sat 16 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0006.tmp"
Thu 21 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0007.tmp"
Tue 10 May 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0008.tmp"
Sun 29 May 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0009.tmp"
Fri 1 Jul 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0010.tmp"
Mon 1 Aug 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0011.tmp"
Tue 30 Aug 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0012.tmp"
Sun 18 Sep 2005 23,552 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0013.tmp"
Fri 29 Jul 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0038.tmp"
Wed 20 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0333.tmp"
Sat 7 May 2005 20,480 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0339.tmp"
Fri 1 Jul 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0427.tmp"
Sun 18 Sep 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0462.tmp"
Tue 2 Aug 2005 20,992 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0526.tmp"
Wed 8 Jun 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0704.tmp"
Wed 8 Jun 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL0829.tmp"
Fri 1 Jul 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL1784.tmp"
Tue 1 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL1955.tmp"
Sat 7 May 2005 20,992 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL2194.tmp"
Wed 13 Jul 2005 20,992 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL2377.tmp"
Tue 6 Sep 2005 23,552 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL2494.tmp"
Tue 28 Jun 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL2742.tmp"
Wed 20 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL3055.tmp"
Fri 22 Apr 2005 22,528 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL3077.tmp"
Mon 27 Jun 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL3254.tmp"
Mon 27 Jun 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL3307.tmp"
Fri 18 Feb 2005 20,992 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL3741.tmp"
Sat 6 Aug 2005 25,600 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL3810.tmp"
Tue 1 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Word\~WRL4047.tmp"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\Documents and Settings\ThinkCentre1\Local Settings\Application Data\dv6189720x\yesbron.com"
Wed 18 Jul 2007 43,072 ...H. --- "C:\Documents and Settings\ThinkCentre1\Start Menu\Programs\Startup\Startup.exe"
Sun 20 Mar 2005 4,438 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Acc171.tmp"
Wed 12 Jan 2005 8,246 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des1Ah.tmp"
Wed 12 Jan 2005 8,246 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des1As.tmp"
Sat 15 Jan 2005 8,246 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des2h.tmp"
Sat 15 Jan 2005 8,246 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des2s.tmp"
Thu 10 Feb 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des3h.tmp"
Thu 10 Feb 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des3s.tmp"
Fri 25 Feb 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des4h.tmp"
Fri 25 Feb 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des4s.tmp"
Mon 28 Mar 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des5h.tmp"
Mon 28 Mar 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des5s.tmp"
Wed 11 May 2005 10,678 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des6.tmp"
Tue 5 Apr 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des6h.tmp"
Tue 5 Apr 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des6s.tmp"
Thu 27 Jan 2005 8,246 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des9h.tmp"
Thu 27 Jan 2005 8,246 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Des9s.tmp"
Sun 20 Mar 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\DesB9h.tmp"
Sun 20 Mar 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\DesB9s.tmp"
Wed 12 Jan 2005 8,246 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Fav16Fh.tmp"
Wed 12 Jan 2005 8,246 ...H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Fav16Fs.tmp"
Fri 18 Mar 2005 2,038 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Fav18.tmp"
Sun 8 May 2005 7,318 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Fri 18 Mar 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Fri 18 Mar 2005 8,246 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"
Fri 18 Mar 2005 13,558 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Pro170.tmp"
Fri 8 Apr 2005 0 A..H. --- "C:\Documents and Settings\ThinkCentre1\Application Data\Microsoft\Office\Shortcut Bar\Qui16E.tmp"
Wed 30 Jun 2004 23,040 A..H. --- "C:\Documents and Settings\ThinkCentre1\My Documents\M E D I C A L\A C C R E D I T A T I O N\msu folder\~WRL0872.tmp"
Tue 20 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\dv6191700x\yesbron.com"
Mon 22 Dec 2008 43,072 ..SHR --- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\dv6274860x\yesbron.com"
Fri 24 Aug 2007 43,072 ..SHR --- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\dv633300x\yesbron.com"
Thu 17 May 2007 250,975 ...H. --- "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\Startup.exe"

Finished!
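
A triage sketch for the "Files with Hidden Attributes" section of an SDFix report like the one above, added here as an example (it is not part of the thread or of SDFix). The rules and names (`parse_report`, `triage`, the extension and process-name lists, the cluster threshold) are assumptions chosen for illustration; the sample lines are taken from the report above.

```python
import ntpath  # Windows path handling that also works on non-Windows hosts
import re
from collections import defaultdict

# One report line: date, size with thousands separators, 5-char attribute
# field (A=archive, S=system, H=hidden, R=read-only), then the quoted path.
LINE_RE = re.compile(
    r'^\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+'
    r'(?P<size>[\d,]+)\s+'
    r'(?P<attrs>[A-Z.]{5})\s+---\s+'
    r'"(?P<path>[^"]+)"\s*$'
)

# Assumptions for this example, not an exhaustive list.
EXEC_EXTS = {".exe", ".com", ".pif", ".scr"}
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
STARTUP_SUFFIX = r"\start menu\programs\startup"

# Sample input: a few lines from the report posted above.
SAMPLE = r'''
Sat 23 Jun 2007 89,600 A.SHR --- "C:\WINDOWS\Temp\_ISTMPI.DIR\mmc32.exe"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\WINDOWS\j6299822.exe"
Fri 24 Aug 2007 43,072 ..SHR --- "C:\WINDOWS\system32\n2847\smss.exe"
Tue 27 May 2008 31,744 ...H. --- "C:\Documents and Settings\ThinkCentre1\My Documents\~WRL0663.tmp"
Wed 21 Jan 2009 43,072 ...H. --- "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Startup.exe"
Wed 21 Jan 2009 43,072 ..SHR --- "C:\Documents and Settings\Administrator\Local Settings\Application Data\dv6211500x\yesbron.com"
Sat 11 Dec 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
'''


def parse_report(text):
    """Return one dict per well-formed line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "path": m["path"],
            })
    return entries


def triage(entries, cluster_min=3):
    """Map path -> set of reasons the file deserves a closer look."""
    findings = defaultdict(set)
    by_size = defaultdict(list)
    for e in entries:
        path = e["path"]
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        ext = ntpath.splitext(name)[1]
        # Hidden Word/Office temp files are normal; only look at executables.
        if ext not in EXEC_EXTS or "H" not in e["attrs"]:
            continue
        by_size[e["size"]].append(path)
        if name in SYSTEM_NAMES and folder != SYSTEM32:
            findings[path].add("system process name outside system32")
        if folder.endswith(STARTUP_SUFFIX):
            findings[path].add("hidden executable in Startup folder")
    # Many hidden executables with an identical byte size suggest copies
    # of one file scattered across the disk.
    for size, paths in by_size.items():
        if len(paths) >= cluster_min:
            for p in paths:
                findings[p].add(
                    f"one of {len(paths)} hidden executables of {size} bytes")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(parse_report(SAMPLE)).items():
        print(path)
        for r in sorted(reasons):
            print("   -", r)
```

These rules only rank entries for review; a flagged file still needs to be confirmed by a scanner or by hand before anything is deleted.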

#11 rigel

Posted 21 January 2009 - 10:27 AM

\systemroot\system32\drivers\tdssserv.sys


This is bad news...

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.


#12 monsterbob

Posted 23 January 2009 - 08:45 PM

Good day!

Thank you for your informative reply.
But I'm afraid that the only thing I can do to that computer is try to install AV! It doesn't have one. It is a company computer. Its administrator had given up already. And I cannot reformat it because I'm not even employed in that company. I'm just helping out.

Every time I tried to install Avira, it just disappeared from the screen after clicking on 'RUN'.
The same thing also happened with Malwarebytes'.

Anyway thank you again for your help.

#13 rigel

Posted 24 January 2009 - 08:28 AM

It sounds like you want to attempt a cleaning. Please follow this guide from step (6). Post an HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...


#14 monsterbob

Posted 25 January 2009 - 07:58 PM

Thanks for your time, rigel! :thumbsup:



