
Critical Vulnerabilities in Windows

  • This topic is locked
3 replies to this topic

#1 Amy Garcia

Amy Garcia

  • Members
  • 2 posts
  • Gender:Female
  • Location:Jacksonville
  • Local time:05:47 PM

Posted 12 February 2009 - 10:54 PM

When I try to update Windows (which is what Trend Micro Internet Security tells me to do), it takes me to a Google page that says "error 404 not found". I can't update manually from the Microsoft site either. I can't even update my media player or anything else on my computer. When I try to update other things, I can't ever get it to work. Either "unable to update" or "page not available". I have no idea what to do. Following is my DDS. I tried to do what I'm supposed to, but if I made mistakes, I'm sorry. Tell me what I need to do and I will.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Mike Garcia at 22:32:31.37 on Thu 02/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1246 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mike Garcia\Local Settings\Temporary Internet Files\Content.IE5\MDGPA753\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://jacksonville.craigslist.org/zip/
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {2D488609-7020-47C4-ACDC-71F80DF6E96A} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WinPerfectAutoRun] c:\yenicag\cleandiskpro\WinPerfect.exe -boot
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /S
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [EarthLink Installer] " /C
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://games.bigfishgames.com/en_fashion-dash/online/fashiondashweb.
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2108E348-A0C0-1563-D327-730450CF5E34} - hxxp://www.shockwave.com/content/dinerdash/sis/DDComcast.
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://www.shockwave.com/content/weddingdash2/sis/WeddingDash2Web.
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1224044667993&h=925cf5faf5debf49e56c7591b4bcb57b/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://games.bigfishgames.com/en_chocolatier-2-secret-ingredients/online/Chocolatier2Web.
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://www.shockwave.com/content/dreamchronicles2/sis/dream2web.
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll avgrsstx.dll c:\progra~1\google\google~2\GOEC62~1.DLL mhqfpi.dll bjgpjh.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-6 42376]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-15 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-5 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-5 26824]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-6 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-6 81288]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-5 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-5 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-5 76040]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-6 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-6 1073544]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-2-9 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-9 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-2-9 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-9 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-2-9 334352]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe --> c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-15 29744]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-14 38496]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-4-15 1251720]

=============== Created Last 30 ================

2009-02-09 12:05 8,687,985 a------- C:\200902091158061602679134.zip
2009-02-09 12:00 <DIR> --d----- c:\windows\system32\Service
2009-02-09 11:46 <DIR> --d----- c:\documents and settings\mike garcia\log
2009-02-09 09:49 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-09 09:49 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-02-09 09:49 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-02-09 09:48 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-02-09 09:48 1,195,384 a------- c:\windows\system32\drivers\vsapint.sys
2009-02-09 09:48 334,352 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-02-09 09:48 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-02-09 09:48 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-02-09 09:48 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-02-09 09:40 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-02-08 08:44 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-02-08 08:44 77,824 a------- c:\windows\system32\kdfapi.dll
2009-02-08 08:44 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-02-08 08:44 722,472 a------- c:\windows\system32\kdfmgr.exe
2009-02-08 08:44 <DIR> --d----- c:\windows\kdefense
2009-02-08 08:44 846,336 a------- c:\windows\system32\kdfinj.dll
2009-02-08 08:40 <DIR> --d----- c:\windows\LocalSSL
2009-02-07 11:16 2,524 a------- C:\autorun.PNF
2009-02-07 11:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-02-07 09:55 <DIR> --d----- c:\documents and settings\mike garcia\.housecall6.6
2009-02-06 18:16 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-06 18:16 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-06 18:16 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-06 18:16 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-06 18:16 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-06 18:16 <DIR> --d----- c:\docume~1\mikega~1\applic~1\PC Tools
2009-02-06 18:14 <DIR> --d----- c:\program files\Norton Security Scan
2009-02-06 16:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Graboid Inc
2009-02-06 16:11 <DIR> --d----- c:\docume~1\mikega~1\applic~1\MozillaControl
2009-02-06 16:11 <DIR> --d----- c:\program files\VideoLAN
2009-02-06 16:10 <DIR> --d----- c:\program files\Graboid
2009-02-05 12:51 <DIR> --d----- c:\program files\Shop-n-Spree
2009-02-05 06:37 1,049 a------- C:\net_save.dna
2009-02-05 06:36 <DIR> --d----- c:\program files\support.com
2009-02-04 10:11 <DIR> --d----- c:\program files\Chocolatier 2 - Secret Ingredients
2009-02-01 11:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy2
2009-01-26 07:06 <DIR> --d----- c:\program files\The Weather Channel FW
2009-01-21 17:57 <DIR> --d----- c:\docume~1\mikega~1\applic~1\Gabob.NowBoarding.B1EDF665FD3C3F3F09EA618A6CFE5BBDBDB5E912.1
2009-01-21 17:57 <DIR> --d----- c:\program files\NowBoarding

==================== Find3M ====================

2009-02-09 00:50 932 a------- c:\docume~1\mikega~1\applic~1\wklnhst.dat
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-01 23:21 14,401 a------- c:\program files\common files\japetycefu.sys
2008-11-01 23:21 18,345 a------- c:\docume~1\mikega~1\applic~1\okurir.scr
2008-11-01 23:21 17,217 a------- c:\docume~1\alluse~1\applic~1\aruke.vbs
2008-11-01 23:21 14,077 a------- c:\docume~1\alluse~1\applic~1\aboronyxel.sys
2008-11-01 22:55 19,790 a------- c:\program files\common files\ucajonavug.inf
2008-11-01 22:55 19,768 a------- c:\docume~1\alluse~1\applic~1\nunemiq.bin
2008-11-01 22:55 17,110 a------- c:\program files\common files\runodi.ban
2008-11-01 22:55 15,221 a------- c:\docume~1\alluse~1\applic~1\lazygeqa.pif
2008-11-01 22:55 14,842 a------- c:\program files\common files\yzunevacoj.scr
2008-11-01 22:55 14,220 a------- c:\docume~1\mikega~1\applic~1\raxywi.bat
2008-11-01 22:55 13,855 a------- c:\program files\common files\byduhowaz.inf
2008-11-01 22:55 13,039 a------- c:\docume~1\mikega~1\applic~1\ixonucyjik.pif
2008-11-01 22:55 10,785 a------- c:\docume~1\alluse~1\applic~1\osijabokah.bat
2008-10-14 10:21 992 a------- c:\documents and settings\mike garcia\xrt_log.dat

============= FINISH: 22:32:54.58 ===============

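The DDS log above already contains the indicators a malware-removal helper would key on before reaching for a fix tool: browser helper objects and toolbars registered with no backing file, two bare DLL names (mhqfpi.dll, bjgpjh.dll) in AppInit_DLLs alongside the Google and AVG entries, and two bursts of randomly named .scr/.pif/.bat/.vbs/.sys/.inf files written to Application Data and Common Files within the same minute on 2008-11-01. The script below is an added example, not part of the original post and not code from DDS, SDFix or ComboFix: it parses those three sections of a DDS log and flags each pattern. The sample input is excerpted from the log posted above; the allowlist that treats avgrsstx.dll as AVG's own AppInit hook, the extension list and the 3-files-per-minute threshold are this example's own assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the DDS log posted above, copied from the post and trimmed to the
# sections this example inspects (constructed sample input, not a live scan).
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {2D488609-7020-47C4-ACDC-71F80DF6E96A} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll avgrsstx.dll c:\progra~1\google\google~2\GOEC62~1.DLL mhqfpi.dll bjgpjh.dll
2009-02-09 09:49 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-09 09:49 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-02-09 09:49 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-01 23:21 14,401 a------- c:\program files\common files\japetycefu.sys
2008-11-01 23:21 18,345 a------- c:\docume~1\mikega~1\applic~1\okurir.scr
2008-11-01 23:21 17,217 a------- c:\docume~1\alluse~1\applic~1\aruke.vbs
2008-11-01 23:21 14,077 a------- c:\docume~1\alluse~1\applic~1\aboronyxel.sys
2008-11-01 22:55 19,790 a------- c:\program files\common files\ucajonavug.inf
2008-11-01 22:55 19,768 a------- c:\docume~1\alluse~1\applic~1\nunemiq.bin
2008-11-01 22:55 15,221 a------- c:\docume~1\alluse~1\applic~1\lazygeqa.pif
2008-11-01 22:55 14,220 a------- c:\docume~1\mikega~1\applic~1\raxywi.bat
"""

# Assumption for this example: AVG's resident-shield hook is the one bare name in
# AppInit_DLLs that belongs to a product the log shows as installed on this machine.
KNOWN_APPINIT = {"avgrsstx.dll"}

# DDS file line: "YYYY-MM-DD HH:MM  size  attrs  path" (directories show <DIR> and skip).
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$")
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,12}$")   # letters only, no digits or separators
DROPPER_EXTS = {".scr", ".pif", ".bat", ".vbs", ".sys", ".inf", ".bin", ".ban"}


def orphaned_entries(lines):
    """BHO/toolbar registrations whose DLL is gone ("No File"): leftovers of removed
    or half-cleaned add-ons, worth recording before a fix tool rewrites the keys."""
    matches = (re.match(r"^(BHO|TB): (.+) - No File$", l) for l in lines)
    return [(m.group(1), m.group(2)) for m in matches if m]


def unknown_appinit_dlls(lines):
    """AppInit_DLLs is loaded into every process that maps user32.dll. A bare name
    (resolved through the DLL search path) that belongs to no installed product is
    a strong persistence indicator; full paths are left to the analyst to attribute."""
    flagged = []
    for line in lines:
        if not line.startswith("AppInit_DLLs:"):
            continue
        for entry in line.split(":", 1)[1].split():
            if "\\" in entry:
                continue  # full path: attributable by inspection, not flagged here
            if entry.lower() not in KNOWN_APPINIT:
                flagged.append(entry.lower())
    return flagged


def random_name_bursts(lines, min_files=3):
    """Group file entries by creation minute and return bursts of >= min_files whose
    stems are plain lowercase letter strings with script/driver extensions. Droppers
    that write several randomly named payloads in one go look exactly like this; so
    do some legitimate installers, so the result is a triage cue, not a verdict."""
    by_minute = defaultdict(list)
    for m in filter(None, map(FILE_RE.match, lines)):
        ts, _size, _attrs, path = m.groups()
        stem, dot, ext = path.rsplit("\\", 1)[-1].lower().rpartition(".")
        if dot and RANDOM_STEM_RE.match(stem) and "." + ext in DROPPER_EXTS:
            by_minute[ts].append(path)
    return {ts: paths for ts, paths in by_minute.items() if len(paths) >= min_files}


def triage(log_text):
    """Run all three checks over a DDS log and return the findings by category."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    return {
        "orphaned": orphaned_entries(lines),
        "appinit": unknown_appinit_dlls(lines),
        "bursts": random_name_bursts(lines),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(category, findings)
```

Run against the excerpt, the AppInit check returns exactly mhqfpi.dll and bjgpjh.dll, and the burst check returns the two 2008-11-01 clusters. It also returns the 09:49 cluster, which the "Created Last 30" section of the same log identifies as the Trend Micro driver install of 2009-02-09: that false positive is deliberate in the sample, because a burst of short lowercase filenames is only meaningful once it is checked against known install times and the directories involved (Application Data and Common Files on 2008-11-01, versus system32\drivers for a security product installed that week).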



#2 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:05:47 AM

Posted 15 February 2009 - 03:42 AM

Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall.

Please post these logs in your next reply... Post each log in separate post

1. SDFix
2. ComboFix
3. A fresh HijackThis log

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 Amy Garcia

Amy Garcia
  • Topic Starter

  • Members
  • 2 posts
  • Gender:Female
  • Location:Jacksonville
  • Local time:05:47 PM

Posted 15 February 2009 - 10:25 AM

Actually, someone from Microsoft walked me through this yesterday. I had more than one Trojan. I am now able to update Windows and everything seems to be working fine. Scans don't find any viruses, so I think I'm good. Thanks for your help.

#4 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:05:47 AM

Posted 15 February 2009 - 11:26 AM

Thank you for notifying us.. I will now close this topic.. Please PM any Moderator or HJT Team member should you need to re-open this topic..


