Multiple Trojan Infections -- Malware & Virus



#1 tkintome

  • Members
  • 12 posts

Posted 15 March 2009 - 09:22 PM

I have had multiple trojan infections, and malware/spyware infections. At first my computer IE was always freezing, not responding, then it would reboot. I have used trend micro's PC-cillin Internet Security which does not find the trojans, malware or spyware. I have also used Kaspersky Virus Removal Tool, which found about 21 trojans, malware or spyware. Now every time I run the Kaspersky program is finds infection. Any and all help would greatly be appreciated. Thanks in advance.
DDS (Ver_09-03-16.01) - NTFSx86
Run by Matt at 19:10:19.23 on Sun 03/15/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1072 [GMT -7:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)
FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\lxbfcoms.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\locator.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Matt\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Matt\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uSearch Bar =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [BitTorrent DNA] "c:\users\matt\program files\dna\btdna.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [userinit] c:\users\matt\appdata\roaming\twex.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [hgcheck] c:\windows\system32\hgcheck.exe
StartupFolder: c:\users\matt\appdata\roaming\micros~1\windows\startm~1\programs\startup\is-c2p3l.lnk - c:\users\matt\desktop\virus removal tool\is-c2p3l\startup.exe
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: af.mil\www.my
Trusted Zone: andymanchesta.com\downloads
Trusted Zone: ucanpass.com\online
Trusted Zone: ucanpass.com\www
Trusted Zone: ucanpass.com\www.*
Trusted Zone: usbank.com\www4
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: 30f409e3509 - c:\windows\system32\dimsroam32.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\lmqn6m3l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - component: c:\users\matt\appdata\roaming\mozilla\firefox\profiles\lmqn6m3l.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\matt\program files\dna\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true

============= SERVICES / DRIVERS ===============

R1 is-C2P3Ldrv;is-C2P3Ldrv;c:\windows\system32\drivers\04415936.sys [2009-3-14 148496]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-3-3 73728]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-8-27 345432]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-8-27 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-3-3 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-8-27 566872]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-3-3 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-3-3 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-3-3 280392]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-3-3 209408]

=============== Created Last 30 ================

2009-03-14 21:56 <DIR> --d----- c:\programdata\is-C2P3L
2009-03-14 21:56 <DIR> --d----- c:\progra~2\is-C2P3L
2009-03-14 21:55 514,365,472 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-14 21:55 6,013,988 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-14 21:55 148,496 a------- c:\windows\system32\drivers\04415936.sys
2009-03-14 17:45 <DIR> --d----- C:\SDFix
2009-03-13 17:41 <DIR> --dsh--- c:\users\matt\appdata\roaming\twain32
2009-03-13 16:13 118 a------- c:\windows\system32\MRT.INI
2009-03-13 16:07 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-13 16:07 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-13 16:07 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-13 16:07 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-13 16:07 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-13 16:07 11,264 a------- c:\windows\system32\icardres.dll
2009-03-13 16:07 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-13 16:07 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-13 16:02 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-13 16:02 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-13 16:02 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-13 16:01 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-13 16:01 83,968 a------- c:\windows\system32\mscories.dll
2009-03-13 15:17 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-03-13 00:34 <DIR> --dsh--- c:\windows\system32\twain32
2009-03-12 23:38 888,867 a------- c:\windows\qk62.exe
2009-03-12 23:18 0 a------- c:\windows\system32\drivers\seneka.sys
2009-03-12 23:17 59 a------- c:\windows\system32\senekawgdrsgqu.dat
2009-03-12 23:13 51 a------- c:\windows\system32\work.ini
2009-03-12 23:12 10,712,424 a------- c:\windows\system32\senekatxbkmpqn.dat
2009-03-12 23:12 0 a------- c:\windows\system32\drivers\senekaqcxbvkym.sys
2009-03-11 12:21 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 12:21 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 12:21 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 12:21 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 12:21 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 12:21 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-14 22:22 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-14 22:22 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-14 22:22 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-14 22:22 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-14 22:22 80,896 a------- c:\windows\system32\MSNP.ax

==================== Find3M ====================

2009-03-14 19:42 27,744 a------- c:\programdata\nvModes.dat
2009-03-14 19:42 27,744 a------- c:\progra~2\nvModes.dat
2009-01-18 13:34 51,200 a------- c:\windows\inf\infpub.dat
2009-01-18 13:34 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-18 13:34 86,016 a------- c:\windows\inf\infstor.dat
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-13 16:20 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-20 16:46 27,240 a------- c:\users\matt\appdata\roaming\nvModes.dat
2008-06-11 03:10 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-28 21:35 174 a--sh--- c:\program files\desktop.ini
2008-01-19 00:38 884,736 a----r-- c:\users\matt\appdata\roaming\twex.exe
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-03 11:33 76 ---shr-- c:\windows\CT4CET.bin
2008-03-03 19:14 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:11:30.85 ===============

#2 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 27 March 2009 - 01:51 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 tkintome

  • Topic Starter
  • Members
  • 12 posts

Posted 27 March 2009 - 04:45 PM

All I have done is run Windows Defender and Trend Micro PC-cillin Internet Security multiple times.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Matt at 14:40:49.34 on Fri 03/27/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1049 [GMT -7:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)
FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\lxbfcoms.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\locator.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Matt\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uSearch Bar =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MySpace Toolbar: {28aed1af-b164-44cd-b435-cf04aa955015} - c:\program files\myspace\toolbar\1.0.28.0\MySpaceToolbar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: MySpace Toolbar: {28aed1af-b164-44cd-b435-cf04aa955015} - c:\program files\myspace\toolbar\1.0.28.0\MySpaceToolbar.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: af.mil\www.my
Trusted Zone: andymanchesta.com\downloads
Trusted Zone: ucanpass.com\online
Trusted Zone: ucanpass.com\www
Trusted Zone: ucanpass.com\www.*
Trusted Zone: usbank.com\www4
DPF: {06305358-99CE-4C47-B59C-939B76856C2B} - hxxp://download.microsoft.com/download/A/C/4/AC43418A-8C86-4205-803E-249B637EE96B/pmupd806.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: 30f409e3509 - c:\windows\system32\dimsroam32.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\lmqn6m3l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - component: c:\users\matt\appdata\roaming\mozilla\firefox\profiles\lmqn6m3l.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true

============= SERVICES / DRIVERS ===============

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-3-3 73728]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-8-27 345432]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-8-27 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-3-3 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-8-27 566872]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-3-3 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-3-3 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-3-3 280392]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-3-3 209408]

=============== Created Last 30 ================

2009-03-27 01:12 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-03-22 21:23 <DIR> --d----- c:\users\matt\appdata\roaming\MySpace
2009-03-22 21:23 <DIR> --d----- c:\program files\MySpace
2009-03-14 21:55 528,035,872 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-14 21:55 6,188,996 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-13 17:41 <DIR> --dsh--- c:\users\matt\appdata\roaming\twain32
2009-03-13 16:13 118 a------- c:\windows\system32\MRT.INI
2009-03-13 16:07 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-13 16:07 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-13 16:07 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-13 16:07 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-13 16:07 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-13 16:07 11,264 a------- c:\windows\system32\icardres.dll
2009-03-13 16:07 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-13 16:07 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-13 16:02 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-13 16:02 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-13 16:02 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-13 16:01 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-13 16:01 83,968 a------- c:\windows\system32\mscories.dll
2009-03-13 15:17 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-03-13 00:34 <DIR> --dsh--- c:\windows\system32\twain32
2009-03-12 23:38 888,867 a------- c:\windows\qk62.exe
2009-03-12 23:18 0 a------- c:\windows\system32\drivers\seneka.sys
2009-03-12 23:17 59 a------- c:\windows\system32\senekawgdrsgqu.dat
2009-03-12 23:13 51 a------- c:\windows\system32\work.ini
2009-03-12 23:12 10,712,424 a------- c:\windows\system32\senekatxbkmpqn.dat
2009-03-12 23:12 0 a------- c:\windows\system32\drivers\senekaqcxbvkym.sys
2009-03-11 12:21 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 12:21 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 12:21 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 12:21 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 12:21 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 12:21 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-03-25 14:36 27,744 a------- c:\programdata\nvModes.dat
2009-03-25 14:36 27,744 a------- c:\progra~2\nvModes.dat
2009-01-18 13:34 51,200 a------- c:\windows\inf\infpub.dat
2009-01-18 13:34 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-18 13:34 86,016 a------- c:\windows\inf\infstor.dat
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-13 16:20 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-20 16:46 27,240 a------- c:\users\matt\appdata\roaming\nvModes.dat
2008-06-11 03:10 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-28 21:35 174 a--sh--- c:\program files\desktop.ini
2008-01-19 00:38 884,736 a----r-- c:\users\matt\appdata\roaming\twex.exe
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-03 11:33 76 ---shr-- c:\windows\CT4CET.bin
2008-03-03 19:14 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:42:24.27 ===============

#4 KoanYorel

  • Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 27 March 2009 - 04:50 PM

Hang on. Another will respond shortly.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 27 March 2009 - 05:29 PM

Hello.

Run MBAM for me and then post a new DDS log. Also what do your other security programs find? A log will be helpful.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-MBAM log
-New DDS log
-Other necessary log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 tkintome

  • Topic Starter
  • Members
  • 12 posts

Posted 27 March 2009 - 07:21 PM

Here is a copy of the MBAM log. Much of what MBAM found, my Trend Micro PC-cillin Internet Security had also found and said was gone.


Malwarebytes' Anti-Malware 1.35
Database version: 1909
Windows 6.0.6001 Service Pack 1

3/27/2009 17:08
mbam-log-2009-03-27 (17-08-45).txt

Scan type: Quick Scan
Objects scanned: 74392
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 33
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7545d8c8-f53c-4e2f-8fa0-d248ef4a6e61} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d97fc677-694d-4a75-ac89-a5b85c2bcfed} (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6226ba26-c017-4007-928c-de9715c6fa67} (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\twain32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\qk62.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\twain32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\twain32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\twain32\user.ds.lll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\senekaqcxbvkym.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\twex.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\senekatxbkmpqn.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\senekawgdrsgqu.dat (Trojan.Agent) -> Quarantined and deleted successfully.

#7 tkintome

  • Topic Starter
  • Members
  • 12 posts

Posted 27 March 2009 - 07:25 PM

And here is a new DDS log as well:



DDS (Ver_09-03-16.01) - NTFSx86
Run by Matt at 17:22:41.07 on Fri 03/27/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1168 [GMT -7:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)
FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\lxbfcoms.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\locator.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Matt\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uSearch Bar =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MySpace Toolbar: {28aed1af-b164-44cd-b435-cf04aa955015} - c:\program files\myspace\toolbar\1.0.28.0\MySpaceToolbar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: MySpace Toolbar: {28aed1af-b164-44cd-b435-cf04aa955015} - c:\program files\myspace\toolbar\1.0.28.0\MySpaceToolbar.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: af.mil\www.my
Trusted Zone: andymanchesta.com\downloads
Trusted Zone: ucanpass.com\online
Trusted Zone: ucanpass.com\www
Trusted Zone: ucanpass.com\www.*
Trusted Zone: usbank.com\www4
DPF: {06305358-99CE-4C47-B59C-939B76856C2B} - hxxp://download.microsoft.com/download/A/C/4/AC43418A-8C86-4205-803E-249B637EE96B/pmupd806.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: 30f409e3509 - c:\windows\system32\dimsroam32.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\lmqn6m3l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - component: c:\users\matt\appdata\roaming\mozilla\firefox\profiles\lmqn6m3l.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true

============= SERVICES / DRIVERS ===============

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-3-3 73728]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-8-27 345432]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-8-27 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-3-3 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-8-27 566872]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-3-3 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-3-3 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-3-3 280392]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-3-3 209408]

=============== Created Last 30 ================

2009-03-27 16:56 <DIR> --d----- c:\users\matt\appdata\roaming\Malwarebytes
2009-03-27 16:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 16:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 16:56 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-27 16:56 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-27 01:12 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-03-22 21:23 <DIR> --d----- c:\users\matt\appdata\roaming\MySpace
2009-03-22 21:23 <DIR> --d----- c:\program files\MySpace
2009-03-14 21:55 528,035,872 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-14 21:55 6,188,996 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-13 17:41 <DIR> --dsh--- c:\users\matt\appdata\roaming\twain32
2009-03-13 16:13 118 a------- c:\windows\system32\MRT.INI
2009-03-13 16:07 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-13 16:07 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-13 16:07 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-13 16:07 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-13 16:07 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-13 16:07 11,264 a------- c:\windows\system32\icardres.dll
2009-03-13 16:07 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-13 16:07 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-13 16:02 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-13 16:02 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-13 16:02 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-13 16:01 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-13 16:01 83,968 a------- c:\windows\system32\mscories.dll
2009-03-13 15:17 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-03-12 23:13 51 a------- c:\windows\system32\work.ini
2009-03-11 12:21 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 12:21 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 12:21 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 12:21 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 12:21 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 12:21 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-03-25 14:36 27,744 a------- c:\programdata\nvModes.dat
2009-03-25 14:36 27,744 a------- c:\progra~2\nvModes.dat
2009-01-18 13:34 51,200 a------- c:\windows\inf\infpub.dat
2009-01-18 13:34 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-18 13:34 86,016 a------- c:\windows\inf\infstor.dat
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-13 16:20 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-20 16:46 27,240 a------- c:\users\matt\appdata\roaming\nvModes.dat
2008-06-11 03:10 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-28 21:35 174 a--sh--- c:\program files\desktop.ini
2008-01-19 00:38 884,736 a----r-- c:\users\matt\appdata\roaming\twex.exe
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-03 11:33 76 ---shr-- c:\windows\CT4CET.bin
2008-03-03 19:14 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:23:52.23 ===============

#8 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 27 March 2009 - 07:27 PM

Hello.

As expected... You have a rootkit infection.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you want to continue follow the step below.


Download and Run Combofix

Important: Before we start, please disable any anti-virus programs or any real-time protection that is enabled.

Please refer to this page if you're unsure how.
  • Please follow the instructions for running Combofix from here
  • Please read the guide carefully, follow every instruction precisely, and remember to install the Recovery Console first.
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Download the appropriate Windows XP setup boot disk and drag it on Combofix like the image below:
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After you successfully install the recovery console, you will see this window.
    Please select Yes.
  • Combofix will then run; when ComboFix is finished, it will create a log for you. Please copy and paste that log in your next reply.
  • Please post that log on your next reply. (the log is located in C:\ComboFix.txt.)
Note: Please Do NOT mouseclick combofix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post your request for help in the correct forum. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 tkintome

  • Topic Starter
  • Members
  • 12 posts

Posted 27 March 2009 - 08:36 PM

ComboFix 09-03-26.03 - Matt 2009-03-27 18:16:25.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1146 [GMT -7:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Matt\AppData\Roaming\0200000089a44157509C.manifest
c:\users\Matt\AppData\Roaming\0200000089a44157509O.manifest
c:\users\Matt\AppData\Roaming\0200000089a44157509P.manifest
c:\users\Matt\AppData\Roaming\0200000089a44157509S.manifest
c:\windows\Downloaded Program Files\Temp

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-27 16:56 . 2009-03-27 16:56 <DIR> d-------- c:\users\Matt\AppData\Roaming\Malwarebytes
2009-03-27 16:56 . 2009-03-27 16:56 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-27 16:56 . 2009-03-27 16:56 <DIR> d-------- c:\programdata\Malwarebytes
2009-03-27 16:56 . 2009-03-26 16:49 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-27 16:56 . 2009-03-26 16:49 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-27 01:12 . 2008-04-07 06:38 22,872 -ra------ c:\windows\System32\AdobePDFUI.dll
2009-03-22 21:23 . 2009-03-22 21:23 <DIR> d-------- c:\users\Matt\AppData\Roaming\MySpace
2009-03-22 21:23 . 2009-03-22 21:23 <DIR> d-------- c:\program files\MySpace
2009-03-14 21:55 . 2009-03-16 14:43 528,035,872 --ahs---- c:\windows\System32\drivers\fidbox.dat
2009-03-14 21:55 . 2009-03-16 14:43 6,188,996 --ahs---- c:\windows\System32\drivers\fidbox.idx
2009-03-13 17:41 . 2009-03-16 11:55 <DIR> d--hs---- c:\users\Matt\AppData\Roaming\twain32
2009-03-13 16:13 . 2009-03-13 16:13 118 --a------ c:\windows\System32\MRT.INI
2009-03-13 16:07 . 2008-06-19 18:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-03-13 16:07 . 2008-06-19 18:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-03-13 16:07 . 2008-06-19 18:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-03-13 16:07 . 2008-06-19 18:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-03-13 16:07 . 2008-06-19 18:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-03-13 16:07 . 2008-06-19 18:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-03-13 16:07 . 2008-06-19 18:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-03-13 16:07 . 2008-06-19 18:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-03-13 16:02 . 2008-07-27 11:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-03-13 16:02 . 2008-07-27 11:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-03-13 16:02 . 2008-07-27 11:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-03-13 16:01 . 2008-07-27 11:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-03-13 16:01 . 2008-07-27 11:03 83,968 --a------ c:\windows\System32\mscories.dll
2009-03-13 15:17 . 2009-03-13 15:17 <DIR> d-------- c:\users\All Users\Windows Genuine Advantage
2009-03-12 23:13 . 2009-03-13 16:55 51 --a------ c:\windows\System32\work.ini
2009-03-11 12:21 . 2008-12-15 20:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-11 12:21 . 2009-02-08 20:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-11 12:21 . 2008-11-26 21:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-11 12:21 . 2008-12-15 22:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-11 12:21 . 2008-12-15 22:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-11 12:21 . 2008-12-15 22:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-08 22:09 . 2009-03-08 22:09 <DIR> d-------- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 21:36 27,744 ----a-w c:\users\All Users\nvModes.dat
2009-03-25 21:36 27,744 ----a-w c:\programdata\nvModes.dat
2009-03-22 23:23 --------- d-----w c:\program files\MSN Money Investment Toolbox
2009-03-16 23:11 --------- d-----w c:\program files\Java
2009-03-12 03:08 --------- d-----w c:\program files\Windows Mail
2009-03-12 03:06 --------- d-----w c:\programdata\Microsoft Help
2009-03-03 06:46 --------- d-----w c:\program files\LimeWire
2009-03-02 01:30 --------- d-----w c:\users\Matt\AppData\Roaming\LimeWire
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-13 23:20 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-11-20 23:46 27,240 ----a-w c:\users\Matt\AppData\Roaming\nvModes.dat
2008-05-29 04:35 174 --sha-w c:\program files\desktop.ini
2008-01-19 07:38 884,736 ----a-r c:\users\Matt\AppData\Roaming\twex.exe
2008-03-03 18:33 76 --sh--r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28AED1AF-B164-44CD-B435-CF04AA955015}]
2009-03-19 15:15 220224 --a------ c:\program files\MySpace\Toolbar\1.0.28.0\MySpaceToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{28AED1AF-B164-44CD-B435-CF04AA955015}"= "c:\program files\MySpace\Toolbar\1.0.28.0\MySpaceToolbar.dll" [2009-03-19 220224]

[HKEY_CLASSES_ROOT\clsid\{28aed1af-b164-44cd-b435-cf04aa955015}]
[HKEY_CLASSES_ROOT\MySpaceToolbar.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{F925B91E-677F-4A80-B3B3-6DC63BFFC4EB}]
[HKEY_CLASSES_ROOT\MySpaceToolbar.IEToolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 22:13 721408 --a------ c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 22:13 721408 --a------ c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-27 1807696]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-02 405504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-03 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-03 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-09-03 96800]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 22:04 86528 c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Users^Matt^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A2012818-8B5A-4507-B8D8-32AA72215E08}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{D04FD71A-3276-4D75-945A-952CE5BEE2BD}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{406D325A-A730-4443-8FD8-1C46F5485E1D}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{5DE0F730-2B1A-4D91-9158-91F44062075B}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{D490F741-D4A3-4553-BE5D-ECEB79FEF91A}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B71E0650-64FF-46C5-8A00-D2D19B3FE688}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2D543F0E-EE85-42A8-8D87-2A5215633771}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{1AA9B53C-2C3B-44FE-911B-9F82C53A7CA1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C0BA24B4-80B4-41FC-AF05-F4DE07278226}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{AD2545A3-64B0-4AC4-B932-CEFE9F27A9D4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3B1CFDF3-5E8F-4D14-9C4A-BDF7E860FE7D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{6A9D01AF-D4C4-4878-8DCD-5164CDEA5C87}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{95A4D66D-DDAF-4CD1-858C-BD23BAAC508F}"= TCP:c:\program files\DNA\btdna.exe:DNA
"TCP Query User{8875D941-7991-41CF-828B-399BAC8BC08F}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{B9A0B27E-5A66-4638-9A3C-4808F9221BFD}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{A0015860-5AFF-4993-BAB5-65FAEDBB29EA}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{AAEF028A-D9C9-46A8-8E98-89863CB6B4F7}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{45E2E6F8-BCB1-431F-B1B5-68D7C510AAC7}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{81B6BC6E-79F0-4E1C-AA52-14462CEF04F0}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{392A2CCA-60FE-4131-A50D-510A349C7814}"= UDP:c:\windows\System32\lxbfcoms.exe:Lexmark Communications System
"{56A7349E-5B73-460A-A7BE-8322CFB4080F}"= TCP:c:\windows\System32\lxbfcoms.exe:Lexmark Communications System
"{28372F1A-B92E-457D-9BAA-38D8B0857A1A}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbfpswx.exe:Printer Status Window
"{04CAB226-5191-4D26-BFBE-0BD197CDF2C7}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbfpswx.exe:Printer Status Window
"{F5B7B0F4-5F43-44EA-8782-655331230AF8}"= UDP:c:\windows\System32\lxbfcoms.exe:Lexmark Communications System
"{5A60D5DA-85C1-448E-A4D3-BAD79EC0334E}"= TCP:c:\windows\System32\lxbfcoms.exe:Lexmark Communications System
"{634A81DE-0B75-4DD4-B763-A869A00A4E52}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbfpswx.exe:Printer Status Window
"{4EB54860-9C7F-4702-83FD-1A570F93D8D5}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbfpswx.exe:Printer Status Window
"{6BBB2DEC-2FDA-4B1F-9280-E290A8A40E74}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{FCF08706-EF7B-46FA-A36F-5B459EEB9315}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{80EF8198-0C4C-4442-AABE-2949A874DC38}c:\\windows\\explorer.exe"= UDP:c:\windows\explorer.exe:Windows Explorer
"UDP Query User{332D6B96-E60A-421B-9C6C-C19BB50C43DD}c:\\windows\\explorer.exe"= TCP:c:\windows\explorer.exe:Windows Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-03-03 73728]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2008-03-03 36368]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [2008-03-03 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [2008-03-03 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\System32\drivers\TM_CFW.sys [2008-03-03 280392]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-08-27 345432]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-08-27 923216]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-08-27 566872]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [2008-03-03 209408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LPDService REG_MULTI_SZ
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\User_Feed_Synchronization-{035D32D4-B541-4CE7-9E01-B3D51E8FCA7D}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 00:33]
.
- - - - ORPHANS REMOVED - - - -

Notify-30f409e3509 - c:\windows\System32\dimsroam32.dll
MSConfigStartUp-BitTorrent DNA - c:\users\Matt\Program Files\DNA\btdna.exe
MSConfigStartUp-Lexmark X6100 Series - c:\program files\Lexmark X6100 Series\lxbfbmgr.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: af.mil\www.my
Trusted Zone: andymanchesta.com\downloads
Trusted Zone: ucanpass.com\online
Trusted Zone: ucanpass.com\www
Trusted Zone: ucanpass.com\www.*
Trusted Zone: usbank.com\www4
FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\lmqn6m3l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - component: c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\lmqn6m3l.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 18:24:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Matt\AppData\Local\Temp\catchme.dll 53248 bytes executable
c:\windows\TEMP\TMP0000004E2224B333902D4134 524288 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(612)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(3424)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\System32\lxbfcoms.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\System32\Locator.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-27 18:26:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 01:26:25

Pre-Run: 157,307,035,648 bytes free
Post-Run: 157,195,874,304 bytes free

256 --- E O F --- 2009-03-26 18:20:20

#10 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 28 March 2009 - 11:33 AM

Hello.

Install and Run CCleaner
We will use CCleaner by Piriform to remove temporary files.
  • Please download CCleanerSetup from this page and save it to your desktop.
  • Select the Download Latest Version at the top right of the page.
  • Double click the setup file. Follow the prompts to install the program.
    I suggest you uncheck the option for Yahoo! toolbar. Otherwise, adjust options as you please.
  • Open CCleaner to the Cleaner section.
  • Check all items in Internet Explorer, Windows Explorer, and System. You can leave "Autocomplete Form History" unchecked if desired.
  • Under the Advanced section, check, unless otherwise desired:
    • Old Prefetch data
    • Menu Cache order
    • Tray Notifications Cache (settings for items in the area beside the clock)
    • User Assist History
    • IIS Log Files
    • Hotfix uninstallers
  • Click Run Cleaner. Close out when finished.
Note: Please do not use the other features of CCleaner.

O15 Entries Warning (Sites in your Trusted Zones)

The reason why I say it's not a good idea is because the security settings for the Internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to that site being hijacked and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove ALL (if there are any there still).

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Rootkit::
    c:\windows\TEMP\TMP0000004E2224B333902D4134
    File::
    c:\users\Matt\AppData\Roaming\twex.exe
    Firefox::
    FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\lmqn6m3l.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
    FF - prefs.js: browser.search.selectedEngine - Yoog Search
    FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
    FF - user.js: browser.search.defaultenginename - Yoog Search
    FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
    FF - user.js: browser.search.selectedEngine - Yoog Search
    FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\System32\work.ini
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
    Alternate Download Site 3
  • Unzip/extract the file to its own folder. Right-Click and select Extract All...
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will now start extracting.
  • Once it is done, check (tick) the Show extracted files box and click Finish
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Right click on gmer.exe and select Run as administrator to run it. It will start running a scan.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If you receive no notice, click on the Scan button near the bottom.

  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

Post back with:
-Combofix log
-Virustotal/VirScan log
-GMER log


With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post your request for help in the correct forum. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
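As an added illustration of how the ComboFix log in post #9 turns into the CFScript in post #10 (my own code, not a ComboFix or BleepingComputer tool): it walks a few constructed lines in the log's layout, groups the entries a responder would question (an executable dropped straight into AppData\Roaming, a hidden executable from the catchme section, Firefox search prefs pointing at an unknown engine, Trusted Zone entries) and renders the scriptable ones in the Rootkit::/File::/Firefox:: layout shown above. The filtering rules and the engine allowlist are assumptions, not ComboFix's own logic; the output is a draft for a human to review.

```python
import re

# Constructed sample in the layout of the ComboFix log posted above: a few
# lines copied from it plus two benign lines (mscoree.dll and a startup
# homepage) so the filters have something to ignore. Not the full log.
SAMPLE_LOG = r"""
2009-03-13 16:02 . 2008-07-27 11:03 282,112 --a------ c:\windows\System32\mscoree.dll
2008-01-19 07:38 884,736 ----a-r c:\users\Matt\AppData\Roaming\twex.exe
Trusted Zone: af.mil\www.my
Trusted Zone: usbank.com\www4
FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\lmqn6m3l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
c:\users\Matt\AppData\Local\Temp\catchme.dll 53248 bytes executable
c:\windows\TEMP\TMP0000004E2224B333902D4134 524288 bytes executable
"""

# Executable dropped directly into AppData\Roaming (no vendor subfolder):
# legitimate software almost never does this, so it deserves a closer look.
ROAMING_EXE = re.compile(
    r"(?i)(?:^|\s)(c:\\users\\[^\\]+\\appdata\\roaming\\[^\\\s]+\.(?:exe|dll|scr|sys))\s*$")
# Hidden executable reported by catchme (the rootkit/stealth scan section).
HIDDEN_EXE = re.compile(r"^(\S.*?)\s+\d+ bytes executable\s*$")
# Firefox preference lines and the profile path that a Firefox:: block needs.
FF_PREF = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (.*?)\s*$")
FF_PROFILE = re.compile(r"^FF - ProfilePath - ")
TRUSTED = re.compile(r"^Trusted Zone: (.+?)\s*$")

# Search-related prefs: when a hijacker rewrites these, every search goes
# through its server. The allowlist of engine names is constructed (an
# assumption, extend as needed); anything else is reported.
SEARCH_PREFS = {"browser.search.defaulturl", "browser.search.selectedEngine",
                "browser.search.defaultenginename", "keyword.URL"}
KNOWN_ENGINES = {"Google", "Yahoo", "Bing"}


def triage(log_text):
    """Walk a ComboFix log and group the entries a responder would question."""
    found = {"files": [], "rootkit": [], "firefox": [], "trusted_zone": [],
             "profile_path": None}
    for line in log_text.splitlines():
        line = line.rstrip()
        if FF_PROFILE.match(line):
            found["profile_path"] = line
            continue
        m = ROAMING_EXE.search(line)
        if m:
            found["files"].append(m.group(1))
            continue
        m = HIDDEN_EXE.match(line)
        if m and not m.group(1).lower().endswith(r"\catchme.dll"):
            # catchme.dll is the scanner's own helper; any other hidden
            # executable goes to the Rootkit:: section.
            found["rootkit"].append(m.group(1))
            continue
        m = FF_PREF.match(line)
        if m and m.group(1) in SEARCH_PREFS and m.group(2) not in KNOWN_ENGINES:
            found["firefox"].append(line)
            continue
        m = TRUSTED.match(line)
        if m:
            # Not scripted: the post above says to remove these by hand in IE.
            found["trusted_zone"].append(m.group(1))
    return found


def build_cfscript(found):
    """Render the findings in the CFScript layout used in the post above."""
    parts = []
    if found["rootkit"]:
        parts.append("Rootkit::")
        parts.extend(found["rootkit"])
    if found["files"]:
        parts.append("File::")
        parts.extend(found["files"])
    if found["firefox"]:
        parts.append("Firefox::")
        if found["profile_path"]:
            parts.append(found["profile_path"])
        parts.extend(found["firefox"])
    return "\n".join(parts) + ("\n" if parts else "")


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    print(build_cfscript(findings))
    for site in findings["trusted_zone"]:
        print("Trusted Zone entry to remove manually:", site)
```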

#11 tkintome

  • Topic Starter
  • Members
  • 12 posts

Posted 28 March 2009 - 04:10 PM

ComboFix 09-03-27.02 - Matt 2009-03-28 14:00:55.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1167 [GMT -7:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
Command switches used :: c:\users\Matt\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*

FILE ::
c:\users\Matt\AppData\Roaming\twex.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-28 11:12 . 2009-03-28 12:55 <DIR> d-------- C:\TEMP
2009-03-27 16:56 . 2009-03-27 16:56 <DIR> d-------- c:\users\Matt\AppData\Roaming\Malwarebytes
2009-03-27 16:56 . 2009-03-27 16:56 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-27 16:56 . 2009-03-27 16:56 <DIR> d-------- c:\programdata\Malwarebytes
2009-03-27 16:56 . 2009-03-26 16:49 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-27 16:56 . 2009-03-26 16:49 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-27 01:12 . 2008-04-07 06:38 22,872 -ra------ c:\windows\System32\AdobePDFUI.dll
2009-03-22 21:23 . 2009-03-22 21:23 <DIR> d-------- c:\users\Matt\AppData\Roaming\MySpace
2009-03-22 21:23 . 2009-03-22 21:23 <DIR> d-------- c:\program files\MySpace
2009-03-14 21:55 . 2009-03-16 14:43 528,035,872 --ahs---- c:\windows\System32\drivers\fidbox.dat
2009-03-14 21:55 . 2009-03-16 14:43 6,188,996 --ahs---- c:\windows\System32\drivers\fidbox.idx
2009-03-13 17:41 . 2009-03-16 11:55 <DIR> d--hs---- c:\users\Matt\AppData\Roaming\twain32
2009-03-13 16:13 . 2009-03-13 16:13 118 --a------ c:\windows\System32\MRT.INI
2009-03-13 16:07 . 2008-06-19 18:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-03-13 16:07 . 2008-06-19 18:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-03-13 16:07 . 2008-06-19 18:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-03-13 16:07 . 2008-06-19 18:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-03-13 16:07 . 2008-06-19 18:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-03-13 16:07 . 2008-06-19 18:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-03-13 16:07 . 2008-06-19 18:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-03-13 16:07 . 2008-06-19 18:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-03-13 16:02 . 2008-07-27 11:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-03-13 16:02 . 2008-07-27 11:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-03-13 16:02 . 2008-07-27 11:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-03-13 16:01 . 2008-07-27 11:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-03-13 16:01 . 2008-07-27 11:03 83,968 --a------ c:\windows\System32\mscories.dll
2009-03-13 15:17 . 2009-03-13 15:17 <DIR> d-------- c:\users\All Users\Windows Genuine Advantage
2009-03-12 23:13 . 2009-03-13 16:55 51 --a------ c:\windows\System32\work.ini
2009-03-11 12:21 . 2008-12-15 20:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-11 12:21 . 2009-02-08 20:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-11 12:21 . 2008-11-26 21:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-11 12:21 . 2008-12-15 22:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-11 12:21 . 2008-12-15 22:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-11 12:21 . 2008-12-15 22:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-08 22:09 . 2009-03-08 22:09 <DIR> d-------- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 21:36 27,744 ----a-w c:\users\All Users\nvModes.dat
2009-03-25 21:36 27,744 ----a-w c:\programdata\nvModes.dat
2009-03-22 23:23 --------- d-----w c:\program files\MSN Money Investment Toolbox
2009-03-16 23:11 --------- d-----w c:\program files\Java
2009-03-12 03:08 --------- d-----w c:\program files\Windows Mail
2009-03-12 03:06 --------- d-----w c:\programdata\Microsoft Help
2009-03-03 06:46 --------- d-----w c:\program files\LimeWire
2009-03-02 01:30 --------- d-----w c:\users\Matt\AppData\Roaming\LimeWire
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-13 23:20 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-11-20 23:46 27,240 ----a-w c:\users\Matt\AppData\Roaming\nvModes.dat
2008-05-29 04:35 174 --sha-w c:\program files\desktop.ini
2008-03-03 18:33 76 --sh--r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_18.25.32.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-28 01:19:42 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-03-28 21:03:45 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-03-28 01:19:42 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-03-28 21:03:45 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-03-28 01:19:02 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-28 21:03:07 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-28 01:19:02 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-28 21:03:07 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-28 01:19:02 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-28 21:03:07 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-28 01:16:19 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-03-28 20:09:23 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2009-03-28 01:23:46 118,000 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-28 20:19:05 118,000 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-28 01:23:46 637,052 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-28 20:19:05 637,052 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-28 01:21:16 10,636 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1829892731-662160437-2540459397-1000_UserData.bin
+ 2009-03-28 20:18:32 10,636 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1829892731-662160437-2540459397-1000_UserData.bin
- 2009-03-28 01:21:15 71,408 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-28 20:18:31 71,534 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-28 00:14:03 57,230 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-28 18:07:52 57,420 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-03-26 21:35:24 290,090 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-03-28 17:42:21 290,948 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28AED1AF-B164-44CD-B435-CF04AA955015}]
2009-03-19 15:15 220224 --a------ c:\program files\MySpace\Toolbar\1.0.28.0\MySpaceToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{28AED1AF-B164-44CD-B435-CF04AA955015}"= "c:\program files\MySpace\Toolbar\1.0.28.0\MySpaceToolbar.dll" [2009-03-19 220224]

[HKEY_CLASSES_ROOT\clsid\{28aed1af-b164-44cd-b435-cf04aa955015}]
[HKEY_CLASSES_ROOT\MySpaceToolbar.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{F925B91E-677F-4A80-B3B3-6DC63BFFC4EB}]
[HKEY_CLASSES_ROOT\MySpaceToolbar.IEToolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 22:13 721408 --a------ c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 22:13 721408 --a------ c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-27 1807696]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-02 405504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-03 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-03 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-09-03 96800]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 22:04 86528 c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Users^Matt^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A2012818-8B5A-4507-B8D8-32AA72215E08}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{D04FD71A-3276-4D75-945A-952CE5BEE2BD}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{406D325A-A730-4443-8FD8-1C46F5485E1D}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{5DE0F730-2B1A-4D91-9158-91F44062075B}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{D490F741-D4A3-4553-BE5D-ECEB79FEF91A}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B71E0650-64FF-46C5-8A00-D2D19B3FE688}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2D543F0E-EE85-42A8-8D87-2A5215633771}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{1AA9B53C-2C3B-44FE-911B-9F82C53A7CA1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C0BA24B4-80B4-41FC-AF05-F4DE07278226}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{AD2545A3-64B0-4AC4-B932-CEFE9F27A9D4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3B1CFDF3-5E8F-4D14-9C4A-BDF7E860FE7D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{6A9D01AF-D4C4-4878-8DCD-5164CDEA5C87}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{95A4D66D-DDAF-4CD1-858C-BD23BAAC508F}"= TCP:c:\program files\DNA\btdna.exe:DNA
"TCP Query User{8875D941-7991-41CF-828B-399BAC8BC08F}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{B9A0B27E-5A66-4638-9A3C-4808F9221BFD}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{A0015860-5AFF-4993-BAB5-65FAEDBB29EA}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{AAEF028A-D9C9-46A8-8E98-89863CB6B4F7}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{45E2E6F8-BCB1-431F-B1B5-68D7C510AAC7}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{81B6BC6E-79F0-4E1C-AA52-14462CEF04F0}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{392A2CCA-60FE-4131-A50D-510A349C7814}"= UDP:c:\windows\System32\lxbfcoms.exe:Lexmark Communications System
"{56A7349E-5B73-460A-A7BE-8322CFB4080F}"= TCP:c:\windows\System32\lxbfcoms.exe:Lexmark Communications System
"{28372F1A-B92E-457D-9BAA-38D8B0857A1A}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbfpswx.exe:Printer Status Window
"{04CAB226-5191-4D26-BFBE-0BD197CDF2C7}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbfpswx.exe:Printer Status Window
"{F5B7B0F4-5F43-44EA-8782-655331230AF8}"= UDP:c:\windows\System32\lxbfcoms.exe:Lexmark Communications System
"{5A60D5DA-85C1-448E-A4D3-BAD79EC0334E}"= TCP:c:\windows\System32\lxbfcoms.exe:Lexmark Communications System
"{634A81DE-0B75-4DD4-B763-A869A00A4E52}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbfpswx.exe:Printer Status Window
"{4EB54860-9C7F-4702-83FD-1A570F93D8D5}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbfpswx.exe:Printer Status Window
"{6BBB2DEC-2FDA-4B1F-9280-E290A8A40E74}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{FCF08706-EF7B-46FA-A36F-5B459EEB9315}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{80EF8198-0C4C-4442-AABE-2949A874DC38}c:\\windows\\explorer.exe"= UDP:c:\windows\explorer.exe:Windows Explorer
"UDP Query User{332D6B96-E60A-421B-9C6C-C19BB50C43DD}c:\\windows\\explorer.exe"= TCP:c:\windows\explorer.exe:Windows Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-03-03 73728]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-08-27 345432]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-08-27 923216]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2008-03-03 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-08-27 566872]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [2008-03-03 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [2008-03-03 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\System32\drivers\TM_CFW.sys [2008-03-03 280392]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [2008-03-03 209408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LPDService REG_MULTI_SZ
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\User_Feed_Synchronization-{035D32D4-B541-4CE7-9E01-B3D51E8FCA7D}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 00:33]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\lmqn6m3l.default\
FF - component: c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\lmqn6m3l.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 14:03:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(612)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(3408)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\System32\lxbfcoms.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\System32\Locator.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\stacsv.exe
c:\progra~1\TRENDM~1\INTERN~1\pccguide.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-03-28 14:07:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 21:07:27
ComboFix2.txt 2009-03-28 20:19:51
ComboFix3.txt 2009-03-28 01:26:43

Pre-Run: 157,364,338,688 bytes free
Post-Run: 157,338,255,360 bytes free

264 --- E O F --- 2009-03-26 18:20:20

#12 tkintome

tkintome
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 28 March 2009 - 04:15 PM

File work.ini received on 03.28.2009 22:12:24 (CET)


Result: 0/39 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.28 -
AhnLab-V3 5.0.0.2 2009.03.28 -
AntiVir 7.9.0.129 2009.03.27 -
Antiy-AVL 2.0.3.1 2009.03.28 -
Authentium 5.1.2.4 2009.03.28 -
Avast 4.8.1335.0 2009.03.28 -
AVG 8.5.0.285 2009.03.28 -
BitDefender 7.2 2009.03.28 -
CAT-QuickHeal 10.00 2009.03.28 -
ClamAV 0.94.1 2009.03.28 -
Comodo 1087 2009.03.28 -
DrWeb 4.44.0.09170 2009.03.28 -
eSafe 7.0.17.0 2009.03.27 -
eTrust-Vet 31.6.6421 2009.03.27 -
F-Prot 4.4.4.56 2009.03.28 -
F-Secure 8.0.14470.0 2009.03.28 -
Fortinet 3.117.0.0 2009.03.28 -
GData 19 2009.03.28 -
Ikarus T3.1.1.48.0 2009.03.28 -
K7AntiVirus 7.10.684 2009.03.28 -
Kaspersky 7.0.0.125 2009.03.28 -
McAfee 5567 2009.03.28 -
McAfee+Artemis 5567 2009.03.28 -
McAfee-GW-Edition 6.7.6 2009.03.28 -
Microsoft 1.4502 2009.03.28 -
NOD32 3972 2009.03.28 -
Norman 6.00.06 2009.03.27 -
nProtect 2009.1.8.0 2009.03.28 -
Panda 10.0.0.10 2009.03.28 -
PCTools 4.4.2.0 2009.03.28 -
Prevx1 V2 2009.03.28 -
Rising 21.22.52.00 2009.03.28 -
Sophos 4.40.0 2009.03.28 -
Sunbelt 3.2.1858.2 2009.03.28 -
Symantec 1.4.4.12 2009.03.28 -
TheHacker 6.3.3.8.294 2009.03.28 -
TrendMicro 8.700.0.1004 2009.03.28 -
VBA32 3.12.10.1 2009.03.27 -
ViRobot 2009.3.27.1666 2009.03.27 -
Additional information
File size: 51 bytes
MD5...: 2a5e7c68dd5175049f3f78a9e46c46fb
SHA1..: ef821c39db78262613b004b20d9e0eb2e35c78f6
SHA256: 854c04a055be9481019cdc7b04ea3b22123b369da988f22584ede1910d515aff
SHA512: 1f5046209c6e8e88aecc46d4d7e86c72baf6a18944424ea33bf8d77d889e814c
c5e3ef2c7047cb033d02f2056b358467ecb3fb31f4b11f2ea265891b1042ba7c
ssdeep: 3:FEJ2ovj1roRZP5Xxv:YloDJxv

PEiD..: -
TrID..: File type identification
Generic INI configuration (100.0%)
PEInfo: -
RDS...: NSRL Reference Data Set
-

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:47 PM

Posted 28 March 2009 - 04:31 PM

Hello.

2 Programs you need to be aware of. They are BitTorrent and LimeWire.

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case BitTorrent and LimeWire). These programs allow users to share files with each other, as the name suggests. In today's world, cyber crime has grown to an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject is available at the included links: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws of many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s), but I suggest you remove them via Add/Remove. However, please refrain from using them until your computer has been declared clean.

Let's run an online scan now.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while, so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button if you made any changes.
  • Now, under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while; be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Kaspersky log
-New DDS log
-How's your computer running now? Any more problems?


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 tkintome

tkintome
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 28 March 2009 - 05:17 PM

Ok, here is the GMER as requested:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-28 15:16:29
Windows 6.0.6001 Service Pack 1


---- Kernel code sections - GMER 1.0.15 ----

? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\LogFiles\Scm\SCM.EVM (size mismatch) 360448/294912 bytes
File C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes

---- EOF - GMER 1.0.15 ----

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:47 PM

Posted 28 March 2009 - 05:35 PM

Thanks.

The GMER log is clean.

Continue with running Kaspersky online scan and post back with that log.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
