Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Spyware Protect 2009, need help!


  • This topic is locked This topic is locked
10 replies to this topic

#1 ksatt11

ksatt11

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:02 PM

Posted 26 January 2009 - 07:47 PM

I was infected with Spyware Protect 2009, and I ran MalwareBytes. It got rid of the fake antivirus program and popups, but my IE is still getting taken over by another fake site. The web address that comes up is <hxxp://browser-security.microsoft.com/block.php?r=17.1> Also, my computer restarts itself every once in a while. I have followed the instructions and what follows is my DDS report - the Attach.txt is attached as well. Thank you so much for your help!


DDS (Ver_09-01-19.01) - NTFSx86
Run by Kevin at 19:30:32.09 on Mon 01/26/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.287 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Tutor.com\Tutor.com Classroom\Tutor.com Classroom.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kevin\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [<NO NAME>]
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-0016-0000-0010-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://tutorpm.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
DPF: {ffbb3f3b-0a5a-4106-be53-dfe1e2340cb1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-latest.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: TvDgGgqT - {88C3675B-2269-CDF1-396B-7EA68DF7B67F} - c:\windows\system32\taw.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\lhwf74yn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://providers.tutor.com/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R4 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-6 24652]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-4-4 29744]

=============== Created Last 30 ================

2009-01-25 16:26 441 a------- c:\windows\system32\TDSSmtve.dat
2009-01-25 16:25 9,216 a------- c:\windows\system32\iehelper.dll
2009-01-19 08:36 <DIR> --d----- c:\documents and settings\kevin\WINDOWS
2009-01-08 08:15 <DIR> --d----- c:\program files\common files\SWF Studio
2009-01-07 23:02 1,843,200 a------- c:\windows\system32\acXMLParser.dll
2009-01-07 23:01 3,518,464 a------- c:\windows\system32\cdintf300.dll
2009-01-07 22:47 <DIR> --d----- c:\program files\Intuit
2009-01-07 22:47 <DIR> --d----- c:\program files\common files\Intuit
2009-01-07 22:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2009-01-07 22:45 95 a------- c:\windows\QBChanUtil_Trigger.ini
2009-01-07 22:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SQL Anywhere 10
2009-01-07 22:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\COMMON FILES
2009-01-07 22:34 <DIR> --d----- c:\program files\Akamai

==================== Find3M ====================

2009-01-26 19:30 104,414 a------- c:\windows\system32\drivers\6169b7e7.sys
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-23 09:01 410,976 a------- c:\windows\system32\deploytk.dll
2008-08-13 13:37 88 ---shr-- c:\windows\system32\77E4DE12B1.sys
2006-12-04 09:07 104 ---shr-- c:\windows\system32\B112DEE477.sys
2008-08-13 13:37 6,580 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:32:07.12 ===============

Attached Files


Edited by Orange Blossom, 11 February 2013 - 03:39 AM.
Deactivate link. ~ OB


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:02 AM

Posted 27 January 2009 - 04:26 AM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ksatt11

ksatt11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:02 PM

Posted 27 January 2009 - 09:32 PM

Thanks for your fast response. I took care of the Viewpoint programs and removed them. I've gone through the ComboFix process, but it has been on the "Preparing Log Report" screen for about 3 hours now. I've searched for other people who have had this problem, but I haven't found anything helpful so I'm not sure what to do at this point. It sounds like ComboFix can be fairly consequential if used incorrectly, so I don't want to do anything that will harm my computer.

Do you suggest that I try to start over and run it again? Or should I uninstall it and then reinstall? If so, what is the uninstall process?

Thanks again.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:02 AM

Posted 28 January 2009 - 05:07 AM

Hi,

but it has been on the "Preparing Log Report" screen for about 3 hours now

In that case, Combofix did run and actually finished but crashed while it was preparing the report. This happens often when an Antivirus interferes with some of the commandline tools Combofix uses.

Did you disable your Antivirus while running Combofix? In case Combofix rebooted before creating the report, then your Antivirus is active again and may interfere with it again.
That's why it may be an idea to run Combofix again from Windows safe mode.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 ksatt11

ksatt11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:02 PM

Posted 28 January 2009 - 08:41 AM

I first tried running it again and it appears to have worked. Here is the log. Thank you!



ComboFix 09-01-21.04 - Kevin 2009-01-28 8:26:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.552 [GMT -5:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\iehelper.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\twex.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 21:07 . 2009-01-26 22:14 <DIR> d-------- c:\windows\LastGood
2009-01-26 20:40 . 2009-01-26 20:40 <DIR> d-------- c:\windows\LastGood.Tmp
2009-01-26 20:36 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2009-01-26 20:36 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-26 20:36 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-26 20:36 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-26 20:36 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-26 20:36 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-01-26 20:36 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-26 20:36 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-26 20:36 . 2008-10-16 08:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-25 22:15 . 2009-01-25 22:15 <DIR> d-------- c:\documents and settings\Kevin\Application Data\Lavasoft
2009-01-25 16:25 . 2009-01-27 18:25 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-19 08:36 . 2009-01-19 08:36 <DIR> d-------- c:\documents and settings\Kevin\WINDOWS
2009-01-08 08:15 . 2009-01-08 08:15 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-07 23:02 . 2007-06-28 14:09 1,843,200 --a------ c:\windows\system32\acXMLParser.dll
2009-01-07 23:01 . 2007-07-30 14:44 3,518,464 --a------ c:\windows\system32\cdintf300.dll
2009-01-07 22:47 . 2009-01-07 22:47 <DIR> d-------- c:\program files\Intuit
2009-01-07 22:47 . 2009-01-07 22:50 <DIR> d-------- c:\program files\Common Files\Intuit
2009-01-07 22:47 . 2009-01-08 08:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit
2009-01-07 22:45 . 2009-01-08 08:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
2009-01-07 22:45 . 2009-01-07 22:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\COMMON FILES
2009-01-07 22:45 . 2009-01-07 23:02 95 --a------ c:\windows\QBChanUtil_Trigger.ini
2009-01-07 22:35 . 2009-01-07 22:42 <DIR> d-------- c:\documents and settings\Kevin\Application Data\Download Manager
2009-01-07 22:34 . 2009-01-07 22:34 <DIR> d-------- c:\program files\Akamai

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 13:30 104,414 ----a-w c:\windows\system32\drivers\6169b7e7.sys
2009-01-27 23:28 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-27 22:56 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-11-23 14:01 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-08-22 03:08 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-08-13 18:37 88 --sh--r c:\windows\system32\77E4DE12B1.sys
2006-12-04 14:07 104 --sh--r c:\windows\system32\B112DEE477.sys
2008-08-13 18:37 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-05-28 23458344]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-04 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-21 29744]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-22 185896]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-04-04 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-04 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-09-11 984352]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147305419\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147305419\\ee\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

R4 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-08-30 205328]
R4 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-08-30 36368]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-04-04 29744]
S4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]
S4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]
S4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b99906d-1c96-11dd-ab84-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

BHO-{c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
SSODL-TvDgGgqT-{88C3675B-2269-CDF1-396B-7EA68DF7B67F} - c:\windows\system32\taw.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lhwf74yn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://providers.tutor.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 08:30:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6169b7e7]
"ImagePath"="\SystemRoot\System32\drivers\6169b7e7.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-01-28 8:33:07
ComboFix-quarantined-files.txt 2009-01-28 13:32:24

Pre-Run: 12,114,161,664 bytes free
Post-Run: 12,098,805,760 bytes free

186 --- E O F --- 2009-01-28 08:01:32

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:02 AM

Posted 28 January 2009 - 08:46 AM

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\drivers\6169b7e7.sys
Dirlook::
c:\windows\system32\twain32
Driver::
6169b7e7
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 ksatt11

ksatt11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:02 PM

Posted 28 January 2009 - 09:27 AM

Successful. Here is the log from the last run of ComboFix.



ComboFix 09-01-21.04 - Kevin 2009-01-28 8:51:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.498 [GMT -5:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\6169b7e7.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\6169b7e7.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_6169b7e7


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 21:07 . 2009-01-26 22:14 <DIR> d-------- c:\windows\LastGood
2009-01-26 20:36 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2009-01-26 20:36 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-26 20:36 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-26 20:36 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-26 20:36 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-26 20:36 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-01-26 20:36 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-26 20:36 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-26 20:36 . 2008-10-16 08:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-25 22:15 . 2009-01-25 22:15 <DIR> d-------- c:\documents and settings\Kevin\Application Data\Lavasoft
2009-01-25 16:25 . 2009-01-27 18:25 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-19 08:36 . 2009-01-19 08:36 <DIR> d-------- c:\documents and settings\Kevin\WINDOWS
2009-01-08 08:15 . 2009-01-08 08:15 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-07 23:02 . 2007-06-28 14:09 1,843,200 --a------ c:\windows\system32\acXMLParser.dll
2009-01-07 23:01 . 2007-07-30 14:44 3,518,464 --a------ c:\windows\system32\cdintf300.dll
2009-01-07 22:47 . 2009-01-07 22:47 <DIR> d-------- c:\program files\Intuit
2009-01-07 22:47 . 2009-01-07 22:50 <DIR> d-------- c:\program files\Common Files\Intuit
2009-01-07 22:47 . 2009-01-08 08:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit
2009-01-07 22:45 . 2009-01-08 08:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
2009-01-07 22:45 . 2009-01-07 22:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\COMMON FILES
2009-01-07 22:45 . 2009-01-07 23:02 95 --a------ c:\windows\QBChanUtil_Trigger.ini
2009-01-07 22:35 . 2009-01-07 22:42 <DIR> d-------- c:\documents and settings\Kevin\Application Data\Download Manager
2009-01-07 22:34 . 2009-01-07 22:34 <DIR> d-------- c:\program files\Akamai

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 23:28 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-27 22:56 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-22 03:08 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-08-13 18:37 88 --sh--r c:\windows\system32\77E4DE12B1.sys
2006-12-04 14:07 104 --sh--r c:\windows\system32\B112DEE477.sys
2008-08-13 18:37 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\twain32 ----

2009-01-27 18:25 7584 --a------ c:\windows\system32\twain32\local.ds
2009-01-26 18:37 0 --a------ c:\windows\system32\twain32\user.ds


((((((((((((((((((((((((((((( snapshot@2009-01-28_ 8.31.17.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-28 13:56:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_cc4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-05-28 23458344]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-04 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-21 29744]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-22 185896]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-04-04 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-04 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-09-11 984352]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147305419\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147305419\\ee\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

R4 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-08-30 205328]
R4 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-08-30 36368]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-04-04 29744]
S4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]
S4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]
S4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b99906d-1c96-11dd-ab84-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lhwf74yn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://providers.tutor.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 08:57:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\dllhost.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-01-28 9:02:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-28 14:01:59
ComboFix2.txt 2009-01-28 13:33:09

Pre-Run: 12,082,561,024 bytes free
Post-Run: 12,065,181,696 bytes free

211 --- E O F --- 2009-01-28 08:01:32

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:02 AM

Posted 28 January 2009 - 10:48 AM

Hi,

The c:\windows\system32\twain32 folder appears to be a leftover of the backdoor you were dealing with previously, so delete that folder.
It's a hidden folder, so Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then, navigate to and delete the c:\windows\system32\twain32 folder

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 ksatt11

ksatt11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:02 PM

Posted 28 January 2009 - 05:38 PM

Things seem to be working much better now, thank you so much! Just to clarify, I should re-implement my Trend Micro Firewall and windows firewall, right?

I have just now had the chance to try IE, which is working well again. I haven't been using it long enough to see if I'm getting any more of those random shutdowns, but I'll let you know if I do.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:02 AM

Posted 29 January 2009 - 02:54 AM

Hi,

I should re-implement my Trend Micro Firewall and windows firewall, right?

Yes. :thumbup2:

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:02 AM

Posted 05 February 2009 - 06:56 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users