Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Explorer & Outlook Express problems


  • This topic is locked This topic is locked
22 replies to this topic

#1 bsprout

bsprout

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 17 February 2009 - 04:41 PM

We have been having problems with both Internet Explorer & Outlook Express not working. I ran spybot lastnight and it found quite a few things. I can't remember all of them but one was the virtumonde trojan. I then ran the malwarebytes program and it eliminated the problem. Now when I try to open Internet Explorer it kicks out and says it cannot open the page and asks if I want to save it. I just close out of it. If I hurry and click the red x button I can click Internet Options but I get the message that the operation has been cancelled due to restrictions in effect on this computer. Outlook Express will receive email but you can't open any of it because it says it's out of memory. I have Trend Micro Internet Security on this computer but it's my husband's computer and I'm not sure how often it was updated. I cannot even get the main console to come up. I get "Internet Explorer cannot download Main/ from 127.0.0.1. "

I ran hijack this and the log is below. Any suggestions would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:51 PM, on 2/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\AGRSMMSG.exe
C:\windows\system32\ezSP_Px.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\windows\system32\ctfmon.exe
C:\Documents and Settings\Ron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\windows\webshots.scr
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\windows\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.foxsports.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\windows\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18...o-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.8.5.21/fl...r-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.5.21/peak...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.5.21/w...s-ob-assets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...55/sdcregie.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stam...file=stamps.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - http://www.stop-sign.com/pub/download/lark.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter hijack: text/html - {a9b6cd84-f6cc-4cde-9631-18a9dd0c7cc9} - C:\windows\system32\mst122.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - http://www.thruthebible.org/atf/cf/{FEA5B3...9B7}/header.jpg

--
End of file - 12148 bytes

BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:05:54 PM

Posted 01 March 2009 - 01:30 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 bsprout

bsprout
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 26 March 2009 - 12:48 PM

I'm not sure which file you need or if you need both so I'll post them separate. Here is the DDS.txt

DDS (Ver_09-03-16.01) - NTFSx86
Run by Ron at 23:08:44.73 on Tue 03/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.553 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\AGRSMMSG.exe
C:\windows\system32\ezSP_Px.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\ctfmon.exe
C:\Documents and Settings\Ron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\windows\webshots.scr
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Ron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\windows\system32\wscntfy.exe
C:\Documents and Settings\Ron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://msn.foxsports.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ron\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\ron\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Fortune Bingo by pogo - hxxp://superbingo.pogo.com/applet-5.8.4.18/superbingo/superbingo-ob-assets.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Phlinx by pogo - hxxp://flinger.pogo.com/applet-5.8.5.21/flinger/flinger-ob-assets.cab
DPF: Tri-Peaks by pogo - hxxp://peaks.pogo.com/applet-5.8.5.21/peaks/peaks-ob-assets.cab
DPF: World Class Solitaire by pogo - hxxp://klondike.pogo.com/applet-5.8.5.21/worldclass/worldclass-ob-assets.cab
DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} - hxxps://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - hxxp://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - hxxp://www.webshots.com/samplers/WSDownloader.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} - hxxp://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.0441461452860672&file=stamps.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - hxxp://www.stop-sign.com/pub/download/lark.cab
Filter: text/html - {a9b6cd84-f6cc-4cde-9631-18a9dd0c7cc9} - c:\windows\system32\mst122.dll
Handler: AutorunsDisabled\belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-2-17 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-2-17 335376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-2-17 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-17 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-17 677128]
S3 ccPwdSvc;Symantec Password Validation Service;"c:\program files\common files\symantec shared\ccpwdsvc.exe" --> c:\program files\common files\symantec shared\ccPwdSvc.exe [?]
S4 ccPxySvc;Symantec Proxy Service;"c:\program files\norton internet security\ccpxysvc.exe" --> c:\program files\norton internet security\ccPxySvc.exe [?]
S4 cdiskdun;cdiskdun;\??\c:\docume~1\ron\locals~1\temp\cdiskdun.sys --> c:\docume~1\ron\locals~1\temp\cdiskdun.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-03-05 22:17 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-03-05 22:17 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-03-05 22:17 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-03-03 19:12 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-03-03 05:08 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-03-03 04:34 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-03 04:34 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-03 04:34 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-07 18:20 24,576 a------- c:\windows\system32\nlsdl.dll
2009-01-07 18:20 26,112 a------- c:\windows\system32\idndl.dll
2009-01-07 18:20 23,552 a------- c:\windows\system32\normaliz.dll
2009-01-07 18:20 265,720 a------- c:\windows\system32\msdbg2.dll
2003-09-24 00:06 32 ac-sh--- c:\windows\{72A414B1-4FC8-4CA7-8199-B33B5C99638A}.dat
2003-09-24 00:06 32 ac-sh--- c:\windows\{94761AFB-036E-4733-A05F-8E227757E141}.dat
2003-09-24 00:06 32 ac-sh--- c:\windows\system32\{67BCDE64-AA08-4D72-AC99-033B42F61EFB}.dat
2003-09-24 00:06 32 ac-sh--- c:\windows\system32\{78A9C6FB-90E8-4DAC-B297-8A82D153E1E6}.dat

============= FINISH: 23:09:17.31 ===============

#4 bsprout

bsprout
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 26 March 2009 - 12:49 PM

I guess it says not to post the attach.txt so if you need it let me know. Thanks for looking at this.

#5 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:54 PM

Posted 26 March 2009 - 01:26 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Can you post the Malwarebytes' Anti-Malware log please?

Also try resetting IE.

1. In Internet Explorer 7, click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

The Reset Internet Explorer Settings feature restores the following items to their default settings:

* Home pages
* Search scopes
* Browsing history
* Form data
* Passwords
* Appearance settings
* Toolbars
* ActiveX controls

Additionally, the Reset Internet Explorer Settings feature disables all add-ins. However, it does not remove the add-ins.

Let me know if it works at all. You may also want to download an alternate browser to see if it will work.

Firefox
Safari
Google Chrome
Opera
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#6 bsprout

bsprout
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 26 March 2009 - 03:37 PM

I cannot run IE or IE explorer. It pretty much hangs the whole computer. I've got google chrome on this computer and it runs fine. Actually, everything has been fine unless I try to run IE or IE explorer.

I just ran the Malabytes program and it found nothing. However, I still have the original scan I did when it found the problem. Here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1768
Windows 5.1.2600 Service Pack 2

2/17/2009 12:36:18 AM
mbam-log-2009-02-17 (00-36-18).txt

Scan type: Quick Scan
Objects scanned: 77212
Time elapsed: 18 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\180search assistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\SA (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\webHancer (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\whInstall (Adware.WebHancer) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common\_helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ron\Local Settings\Temporary Internet Files\Content.IE5\HPZHEQBQ\AV2010Installer[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\whInstall\license.txt (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\Program Files\whInstall\readme.txt (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\Program Files\whInstall\whAgent.inf (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\Program Files\whInstall\whAgent.ini (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\Program Files\whInstall\whInstaller.ini (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.

#7 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:54 PM

Posted 26 March 2009 - 06:45 PM

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#8 bsprout

bsprout
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 26 March 2009 - 08:18 PM

ComboFix 09-03-25.04 - Ron 2009-03-26 21:10:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.659 [GMT -4:00]
Running from: c:\documents and settings\Ron\My Documents\Downloads\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.sig

.
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-26 20:17 . 2009-03-26 20:17 <DIR> d-------- c:\windows\LastGood

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 01:10 --------- d-----w c:\program files\Common
2009-03-25 21:10 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-19 11:45 --------- d-----w c:\program files\Trend Micro
2009-03-17 22:59 --------- d-----w c:\program files\Microsoft Money
2009-03-06 02:17 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-06 02:17 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-06 02:17 1,195,512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-03 23:12 80,400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-03 09:08 335,376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-03-03 08:34 50,192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-03-03 08:34 50,192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-03-03 08:34 150,032 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-02-18 01:18 --------- d-----w c:\documents and settings\Ron\Application Data\Thunderbird
2009-02-17 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-17 05:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-17 05:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 05:13 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-17 05:13 --------- d-----w c:\documents and settings\Ron\Application Data\Malwarebytes
2009-02-17 05:13 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-17 02:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-07 22:20 265,720 ----a-w c:\windows\system32\msdbg2.dll
2009-01-07 22:20 26,112 ----a-w c:\windows\system32\idndl.dll
2009-01-07 22:20 24,576 ----a-w c:\windows\system32\nlsdl.dll
2009-01-07 22:20 23,552 ----a-w c:\windows\system32\normaliz.dll
2003-09-24 04:06 32 -csha-w c:\windows\{72A414B1-4FC8-4CA7-8199-B33B5C99638A}.dat
2003-09-24 04:06 32 -csha-w c:\windows\{94761AFB-036E-4733-A05F-8E227757E141}.dat
2003-09-24 04:06 32 -csha-w c:\windows\system32\{67BCDE64-AA08-4D72-AC99-033B42F61EFB}.dat
2003-09-24 04:06 32 -csha-w c:\windows\system32\{78A9C6FB-90E8-4DAC-B297-8A82D153E1E6}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Ron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-03 133104]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-02-17 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-13 995528]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-02-17 497008]

c:\documents and settings\Ron\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-01-05 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_04\bin\jusched.exe
"Run RunOnce"=e:\runonce.exe c:\UPS\UOWS\ShipUPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-02-17 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-02-17 335376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-02-17 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-02-17 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-02-17 677128]
S4 ccPxySvc;Symantec Proxy Service;"c:\program files\Norton Internet Security\ccPxySvc.exe" --> c:\program files\Norton Internet Security\ccPxySvc.exe [?]
S4 cdiskdun;cdiskdun;\??\c:\docume~1\Ron\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\Ron\LOCALS~1\Temp\cdiskdun.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe []

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4136305916-4149376340-948404481-1005.job
- c:\documents and settings\Ron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-03 22:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.foxsports.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Fortune Bingo by pogo - hxxp://superbingo.pogo.com/applet-5.8.4.18/superbingo/superbingo-ob-assets.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Phlinx by pogo - hxxp://flinger.pogo.com/applet-5.8.5.21/flinger/flinger-ob-assets.cab
DPF: Tri-Peaks by pogo - hxxp://peaks.pogo.com/applet-5.8.5.21/peaks/peaks-ob-assets.cab
DPF: World Class Solitaire by pogo - hxxp://klondike.pogo.com/applet-5.8.5.21/worldclass/worldclass-ob-assets.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 21:12:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-26 21:15:54
ComboFix-quarantined-files.txt 2009-03-27 01:15:52

Pre-Run: 58,037,166,080 bytes free
Post-Run: 58,510,856,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\windows="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

149 --- E O F --- 2009-02-12 03:04:10

#9 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:54 PM

Posted 26 March 2009 - 08:44 PM

Can you run IE now?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#10 bsprout

bsprout
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 26 March 2009 - 09:49 PM

No... it just hangs.

#11 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:54 PM

Posted 26 March 2009 - 10:05 PM

I need you to go to the administration tools in XP. They are in the Control Panel. Open the Admin tools, then open the event viewer. Over on the left hand side and click on System. Then up at the top click on Action and then click on Save Events As, type in system as the file name, make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click save. Over on the left hand side and click on Application. Then up at the top click on Action and then click on Save Events As, type in application as the file name, make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click save. Zip them both up into a single zip file, post them back here in your next reply as attachments.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#12 bsprout

bsprout
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 27 March 2009 - 11:19 AM

Attached File  troubleshooting.zip   67.12KB   24 downloads

Let me know if the attachment came through. I'm not sure how that works so hopefully I did that right.

#13 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:54 PM

Posted 27 March 2009 - 01:05 PM

This is not what you want to hear, but it appears you are starting to have harddrive problems. Har dware problems. I recommend backing up all your data before going forward. If your harddrive crashes, you may loose everything.

Open windows Explorer or my computer and right click on the C: drive and select properties, then select tools. under error checking click the scan now button. A dialog box that shows the Check disk options is displayed, select the Scan for and attempt recovery of bad sectors check box, and then click Start. If one or more of the files on the hard disk are open, you will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, and then restart your computer to start the disk check.

Let me know how it goes.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#14 bsprout

bsprout
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 27 March 2009 - 01:56 PM

I'll do that... However, I have a question. If I have to replace the hard drive do I have to buy a new OS to install it? I'm not entirely sure how that works but I know the computer has a valid license. They just don't ship the disk with the computers anymore so do you have to buy one? Thanks for all your help. I really appreciate it.

#15 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:54 PM

Posted 27 March 2009 - 03:18 PM

There should be some way to transfer the OS from one drive to the other. What brand and model computer do you have?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users