
what would you do


55 replies to this topic

#1 car 54

car 54

  • Members
  • 335 posts

Posted 05 March 2009 - 02:35 AM

Moved to this forum by tg1911, as per teacup61's request

Hello everyone. My computer is an HP 533w with 512 MB RAM. It has been changed from XP Home to XP Pro SP3. I don't have an XP Pro CD at this time; hope to have one soon. Some of the problems I'm having are: I can't go to the System Restore site, it's a little slow at times, and real slow going to Pogo games. 19 programs were installed on 1-28-09; click on any of them and it says cannot be removed. I don't know how they got installed. Silverlight has been installed twice; I can't remove it and it won't install updates. It has 22 failed updates (KB960353). Can someone help me with these problems please?


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 05 March 2009 - 09:08 AM

Hi and welcome to BleepingComputer :thumbup2:

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 car 54

car 54
  • Topic Starter

  • Members
  • 335 posts

Posted 05 March 2009 - 04:25 PM

Thanks for helping.

Malwarebytes' Anti-Malware 1.34
Database version: 1822
Windows 5.1.2600 Service Pack 3, v.5657

3/5/2009 2:55:05 PM
mbam-log-2009-03-05 (14-55-05).txt

Scan type: Quick Scan
Objects scanned: 60642
Time elapsed: 9 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 05 March 2009 - 04:27 PM

Let's look with one more tool...

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



#5 car 54

car 54
  • Topic Starter

  • Members
  • 335 posts

Posted 05 March 2009 - 08:21 PM

I did this same scan last night and it showed 53 infections. Do you want me to post it? Here's the one you asked for.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/05/2009 at 07:00 PM

Application Version : 4.25.1014

Core Rules Database Version : 3785
Trace Rules Database Version: 1742

Scan type : Complete Scan
Total Scan Time : 01:57:06

Memory items scanned : 215
Memory threats detected : 0
Registry items scanned : 4037
Registry threats detected : 0
File items scanned : 43014
File threats detected : 0

#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 05 March 2009 - 09:23 PM

So we did have an infection...

Let's continue here.

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users: be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start. (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.



#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 March 2009 - 09:55 PM

Hi there car 54,

This will be your last stop, I promise. :thumbup2: I will be the only one working with you, so hopefully there will be less confusion. :)

I don't know if you've run the Eset scanner yet....if not, then don't right now. We may later.

This tool is very powerful, and it sees a lot of things. Once you get it running just let it do its thing. Your desktop may disappear for a sec, and your time will change to military time. This is normal, so don't worry and just follow any prompts that might come up. If it asks you to install Recovery Console, just bypass that for right now. :step4:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

To get HijackThis please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#8 car 54

car 54
  • Topic Starter

  • Members
  • 335 posts

Posted 06 March 2009 - 12:11 AM

Hi, I was trying to post back to rigel about the scan when I got a PM from tg1911 explaining things. I thought I would tell you about it, post it, then do the ComboFix. When I clicked the address a pop-up came up saying "Windows cannot find c:/program files, make sure you typed the correct address and try again." I browsed around for it and finally found it. Thanks for helping me.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3911 (20090305)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=34ded1b67708e6438bb355b8d174bddb
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-06 03:02:46
# local_time=2009-03-05 10:02:46 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3, v.5657
# scanned=137550
# found=0
# scan_time=3084

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 March 2009 - 12:16 AM

Thank you very much. :thumbup2: Post the reports when you're ready. I'm a bit of a night owl, so I'll be here. :)

tea

#10 car 54

car 54
  • Topic Starter

  • Members
  • 335 posts

Posted 06 March 2009 - 01:20 AM

ComboFix 09-03-04.01 - Administrator 2009-03-05 23:26:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.193 [GMT -5:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-05 21:08 . 2009-03-05 22:02 <DIR> d-------- d:\program files\EsetOnlineScanner
2009-03-03 02:28 . 2009-03-03 02:28 <DIR> d-------- d:\windows\system32\log
2009-02-25 22:42 . 2008-12-20 18:15 6,066,688 -----c--- d:\windows\system32\dllcache\ieframe.dll
2009-02-25 22:42 . 2007-04-17 04:32 2,455,488 -----c--- d:\windows\system32\dllcache\ieapfltr.dat
2009-02-25 22:42 . 2007-03-08 00:10 991,232 -----c--- d:\windows\system32\dllcache\ieframe.dll.mui
2009-02-25 22:42 . 2008-12-20 18:15 459,264 -----c--- d:\windows\system32\dllcache\msfeeds.dll
2009-02-25 22:42 . 2008-12-20 18:15 383,488 -----c--- d:\windows\system32\dllcache\ieapfltr.dll
2009-02-25 22:42 . 2008-12-20 18:15 267,776 -----c--- d:\windows\system32\dllcache\iertutil.dll
2009-02-25 22:42 . 2008-12-20 18:15 63,488 -----c--- d:\windows\system32\dllcache\icardie.dll
2009-02-25 22:42 . 2008-12-20 18:15 52,224 -----c--- d:\windows\system32\dllcache\msfeedsbs.dll
2009-02-25 22:42 . 2008-12-19 04:10 13,824 -----c--- d:\windows\system32\dllcache\ieudinit.exe
2009-02-21 20:20 . 2004-11-02 08:04 57,806 --a------ d:\windows\system32\igfx.hlp
2009-02-17 13:46 . 2009-02-17 13:47 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2009-02-17 13:46 . 2009-02-11 10:19 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 13:46 . 2009-02-11 10:19 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2009-02-15 04:05 . 2009-02-15 04:05 <DIR> d-------- d:\program files\Common Files\Adobe AIR
2009-02-13 20:45 . 2009-02-13 20:44 73,728 --a------ d:\windows\system32\javacpl.cpl
2009-02-13 20:44 . 2009-02-13 20:44 <DIR> d-------- d:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 04:15 --------- d-----w d:\program files\Crawler
2009-02-25 03:20 --------- d-----w d:\program files\SUPERAntiSpyware
2009-02-14 01:44 410,984 ----a-w d:\windows\system32\deploytk.dll
2009-01-29 03:40 --------- d-----w d:\program files\MSBuild
2009-01-29 03:39 --------- d-----w d:\program files\Reference Assemblies
2009-01-27 23:34 --------- d-----w d:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-27 22:59 --------- d-----w d:\program files\SIW
2009-01-24 09:20 --------- d-----w d:\program files\Windows Live Safety Center
2009-01-18 21:02 --------- d-----w d:\program files\Windows Desktop Search
2009-01-18 04:04 --------- d-----w d:\program files\Windows Media Connect 2
2009-01-12 07:10 16,384 ----a-w d:\windows\DCEBoot.exe
2009-01-09 05:56 --------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-09 05:55 --------- d-----w d:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-09 05:51 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-30 03:41 126,976 ----a-w d:\windows\system32\unzdll.dll
2008-12-20 23:15 826,368 ----a-w d:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2007-11-30 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"UfSeAgnt.exe"="d:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-02-13 148888]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 d:\windows\ALCXMNTR.EXE]
"LTMSG"="LTMSG.exe" [2003-07-14 d:\windows\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-12-20 d:\windows\system32\advpack.dll]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\WINDOWS\\system32\\mmc.exe"=

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R2 tmevtmgr;tmevtmgr;d:\windows\system32\drivers\tmevtmgr.sys [2008-09-09 52240]
R2 tmpreflt;tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2008-02-15 36368]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R3 tmcfw;Trend Micro Common Firewall Service;d:\windows\system32\drivers\TM_CFW.sys [2008-02-15 333328]
R3 TmPfw;Trend Micro Personal Firewall;d:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-09-09 488768]
R3 tmproxy;Trend Micro Proxy Service;d:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-09-09 648456]
S3 iscFlash;iscFlash;\??\d:\windows\SYSTEM32\DRIVERS\iscflash.sys --> d:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-MSMSGS - d:\program files\Messenger\msmsgs.exe


.
------- Supplementary Scan -------
.
IE: Crawler Search - tbr:iemenu
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - d:\progra~1\Crawler\ctbr.dll
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\r1ah7q9z.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&tbid=66028&qkw=
FF - component: d:\program files\Crawler\firefox\components\xcomm.dll
FF - component: d:\program files\Crawler\firefox\components\xshared.dll
FF - component: d:\program files\Crawler\firefox\components\xsupport.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 23:42:02
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\Root\LEGACY_NDISPROT\0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
d:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(828)
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-03-05 23:47:03
ComboFix-quarantined-files.txt 2009-03-06 04:45:11

Pre-Run: 39,602,180,096 bytes free

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:17 AM, on 3/6/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
D:\Program Files\Trend Micro\BM\TMBMSRV.exe
D:\WINDOWS\system32\hkcmd.exe
D:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
D:\WINDOWS\LTMSG.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\Program Files\Trend Micro\Internet Security\TmProxy.exe
D:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\Crawler\CToolbar.exe
D:\Program Files\MSN\Toolbar\3.0.0988.2\msntask.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - D:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - D:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - D:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - D:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - D:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "D:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229887512718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229887490031
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - D:\PROGRA~1\Crawler\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - D:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - D:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6350 bytes

Post-Run: 39,633,649,664 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
134 --- E O F --- 2009-03-05 21:45:08
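The HijackThis log above lists browser hooks (R3 URLSearchHook, O2 BHO, O3 Toolbar, O18 Protocol), autostarts (O4), DPF ActiveX downloads (O16) and services (O23) as one flat text block, and the helper reads it by eye. The script below is an added example, not a HijackThis or BleepingComputer tool: it parses that line format into records and groups them by the module each entry points at, so an analyst can see at a glance when one DLL is wired into several browser extension points, which entries carry no display name, and which autostarts reference a file that is no longer on disk. The sample input is constructed from lines of the log posted above; the grouping is a triage aid for the person reviewing the log, not a verdict on any entry.

```python
"""Triage helper for HijackThis-style log lines (hypothetical script, not part of HijackThis)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - D:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - D:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - D:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - D:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - D:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "D:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - D:\PROGRA~1\Crawler\ctbr.dll
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""

ENTRY_RE = re.compile(r'^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
# A local module name: last path component ending in a loadable extension.
MODULE_RE = re.compile(r'([^\\/\s"]+\.(?:dll|exe|sys|ocx|cpl))', re.IGNORECASE)
MISSING = '(file missing)'
KIND = {'R0': 'StartPage', 'R1': 'SearchPage', 'R3': 'URLSearchHook', 'O2': 'BHO',
        'O3': 'Toolbar', 'O4': 'AutoRun', 'O8': 'ContextMenu', 'O9': 'ExtraButton',
        'O16': 'DPF', 'O18': 'Protocol', 'O20': 'WinlogonNotify', 'O23': 'Service'}


@dataclass
class Entry:
    code: str
    kind: str
    name: str
    clsid: Optional[str]
    target: str              # path, URL or command the entry points at
    module: Optional[str]    # lower-cased file name when the target is a local file
    file_missing: bool


def _target(code: str, body: str) -> str:
    if code in ('R0', 'R1'):
        return body.split(' = ', 1)[-1]        # URL after the registry value name
    if code == 'O4':
        return body.split(']', 1)[-1].strip()  # command after the [EntryName]
    return body.rsplit(' - ', 1)[-1].strip()   # last field: path, URL or handler


def _name(code: str, body: str) -> str:
    if code in ('R0', 'R1'):
        return body.split(' = ', 1)[0]
    if code == 'O4':
        m = re.search(r'\[([^\]]*)\]', body)
        return m.group(1) if m else ''
    return body.split(': ', 1)[-1].split(' - ', 1)[0].strip()


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group('code'), m.group('body')
        target = _target(code, body)
        missing = target.endswith(MISSING)
        if missing:
            target = target[:-len(MISSING)].strip()
        mod = MODULE_RE.search(target)
        clsid = CLSID_RE.search(body)
        entries.append(Entry(code, KIND.get(code, code), _name(code, body),
                             clsid.group(0) if clsid else None, target,
                             mod.group(1).lower() if mod else None, missing))
    return entries


def _code_order(code: str):
    return (code[0], int(code[1:]))


def multi_hook_modules(entries: List[Entry], min_kinds: int = 2) -> Dict[str, List[str]]:
    """Modules referenced by at least `min_kinds` distinct entry types."""
    seen: Dict[str, set] = {}
    for e in entries:
        if e.module:
            seen.setdefault(e.module, set()).add(e.code)
    return {m: sorted(c, key=_code_order) for m, c in seen.items() if len(c) >= min_kinds}


def missing_file_entries(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.file_missing]


def unnamed_entries(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.name == '(no name)']


if __name__ == '__main__':
    parsed = parse_hjt(SAMPLE_LOG)
    for mod, codes in multi_hook_modules(parsed).items():
        print(f'{mod}: registered as {", ".join(codes)}')
    for e in unnamed_entries(parsed):
        print(f'no display name: {e.code} {e.clsid} -> {e.target}')
    for e in missing_file_entries(parsed):
        print(f'file missing: {e.code} {e.name} -> {e.target}')
```

Run against the sample, the report shows ctbr.dll registered under four different entry types (R3, O2, O3, O18) with two of those entries carrying no display name, msneshellx.dll under two (O2, O3), and the Messenger O9 buttons pointing at a file that no longer exists, which is the kind of cross-reference a reviewer otherwise has to assemble by hand from a 6 KB log.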

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 March 2009 - 01:30 AM

Hello,

Those look better than I expected them to. :thumbup2: Some things we can do, but I'd like to see what programs you cannot uninstall.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post. Please also let me know which of those you want to uninstall and cannot. :)

Thanks,
tea

#12 car 54

car 54
  • Topic Starter

  • Members
  • 335 posts

Posted 06 March 2009 - 03:13 AM

I'm sorry about the slow response. I had it typed out but I deleted it. Here's the list. Silverlight is the only one I tried to uninstall. Is there a way you can look at the program page and tell which ones I need and the ones I don't? When the computer was changed in Sept. 2008 it had about 12 programs on it; my daughter put Adobe and Acrobat.com on it. Now it has something like 34. I don't think I need those 19 that were installed on 01-28-09. That says cannot be removed.

Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Crawler Toolbar
ESET Online Scanner
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel® Extreme Graphics Driver
Java™ 6 Update 12
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Mozilla Firefox (3.0.6)
MSN
MSN Toolbar
PhotoImpression
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
SIW version 2008-12-16
SUPERAntiSpyware Free Edition
Trend Micro Internet Security
Trend Micro Internet Security
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Vista System Properties
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11

oved.

#13 teacup61 (Malware Response Team)

Posted 06 March 2009 - 03:40 AM

Hi there,

No need to be sorry at all. :) You were here by the date you gave.......and I just don't understand what you're referring to.

don`t think i need those 19 that were installed on 01-28-09

Most everything I see in the list you posted belongs there. Hopefully we're going to remove the ones that don't belong there :

I see two instances of Adobe AIR......one can be uninstalled. I also see two instances of Trend Micro Internet Security....one of those can go. It's no wonder your computer is slow if there really are two instances of these things running. :thumbup2:

Also uninstall Crawler Toolbar, and ESET Online Scanner.

If you have trouble uninstalling any of those, then do the same thing I'm going to have you do with the Silverlight :

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Now scroll down until you find Microsoft Silverlight and highlight it. On the right hand side there you'll have the option to Delete this entry. Click on that and see if that does it. :step4: Reboot after you're finished and let me know how it goes. :step1:

Are you still not able to boot into Safe Mode? I didn't see anything in the ComboFix log that indicated it was broken, so I need to know, please. :step5:

Thanks,
tea

#14 car 54 (Topic Starter)

Posted 06 March 2009 - 04:46 AM

Toolbar and online scanner are gone. Adobe AIR and Trend Micro are only showing one time in Add and Remove Programs. Do you want me to delete one of each in HijackThis? Silverlight won't leave; I get the pop-up that says (this patch package could not be opened. Verify that the patch exists and that you can access it, or contact the application vendor to verify). I messed up, I told you there were 19 programs that cannot be removed. They're not programs, they're updates. I haven't had any problem booting into Safe Mode.

#15 teacup61 (Malware Response Team)

Posted 06 March 2009 - 05:05 AM

Well yay on most of that!! :thumbup2: :)

I'm so glad you can get to Safe Mode. :step4: Do you use Adobe AIR? If not, just uninstall the whole thing. That kind of application, especially from Adobe, is usually huge and a resource hog. Leave the Trend Micro alone for now, but thank you for letting me know.

I'm actually glad you messed up! :step1: Better to know they're updates than bad programs hanging around.

We'll deal with Silverlight in the next post. I want to get everything else out of the way that we can. :step5:

Are you seeing any difference in performance yet?

tea