
Virtumond Infection Cleaned? Adobe Flash Player 9.x


  • This topic is locked
11 replies to this topic

#1 toolu

Posted 25 March 2009 - 07:41 PM

This is my mother's computer. I cleaned 54 spyware/malware with SUPERAntiSpyware, 10 more with SUPERAntiSpyware, 2 with Malwarebytes, 10 more with SUPERAntiSpyware. Could not load Trend Micro HouseCall. Loaded the trial for Trend Micro Pro. Removed 20 more threats. Then two more with SUPERAntiSpyware. Rebooted in safe mode and ran all three. SUPERAntiSpyware found 4 more threats, Malwarebytes Virtumond?, Trend Micro 2 unidentified. Computer ran better. Ran Secunia PSI and patched all known issues. Ran all scans in normal mode and everything came back clean. Scan times for complete scans around 1 hr.

My mother calls a few weeks later to tell me that the computer is running slow. You can click on any application and it takes minutes to open. I run the scans and they take a minimum of 8 hours. I disconnect the machine from the network. Every time I run the three scans they find more threats. Still disconnected, I continue to run the scans in safe mode until everything shows 0 threats. The computer is still so slow you can watch the screen draw as it opens and closes. I ran an sfc and the computer is now usable but still extremely slow. Secunia PSI shows an unpatched issue with Adobe Flash Player 9.x, but Adobe Flash Player is not installed. There is no Flash Player installed at all, neither 9 nor 10?


DDS (Ver_09-03-16.01) - NTFSx86
Run by Janet at 19:07:34.42 on Wed 03/25/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.102 [GMT -5:00]

AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Janet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: XBTP01640 Class: {8b4f961f-0b84-4201-bbb1-34e45368f39e} - c:\progra~1\wow\tbu01842\WOWTOO~1.DLL
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.adobe.com/shockwave/welcome/"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\janet\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\micros~2\office\1033\phdintl.dll/phdContext.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2}
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} - hxxp://billing-b.mhi.aol.com/netagent/objects/custappx2.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916239215
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223955456128
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38054.8553587963
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\janeteudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2007-2-26 135168]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-2-26 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-2-26 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-26 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-2-26 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-26 677128]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-18 24652]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-2-26 335376]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-12-9 22136]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-8 33752]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-1-17 166656]

=============== Created Last 30 ================

2009-03-24 09:51 <DIR> --d----- c:\program files\Secunia
2009-03-24 09:02 <DIR> --d----- c:\windows\pss
2009-03-24 06:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-23 23:20 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-03-23 23:19 <DIR> --d----- c:\program files\MSECACHE
2009-03-22 21:50 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-22 21:50 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-15 16:14 <DIR> --d----- c:\docume~1\janet\applic~1\Qualcomm
2009-03-13 23:49 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-12 23:42 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-12 18:28 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-12 18:28 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-12 18:28 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-03-12 18:28 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-03-12 18:28 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-03-12 18:28 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-03-12 18:28 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-03-12 18:28 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-03-12 18:28 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-03-12 18:28 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-03-12 18:28 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-03-12 18:26 24,576 ac------ c:\windows\system32\dllcache\viairda.sys
2009-03-12 18:25 138,528 ac------ c:\windows\system32\dllcache\tgiulnt5.sys
2009-03-12 18:24 12,288 ac------ c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-03-12 18:23 6,912 ac------ c:\windows\system32\dllcache\seaddsmc.sys
2009-03-12 18:22 41,472 ac------ c:\windows\system32\dllcache\qvusd.dll
2009-03-12 18:21 14,336 ac------ c:\windows\system32\dllcache\padrs412.dll
2009-03-12 18:20 91,488 ac------ c:\windows\system32\dllcache\n9i3disp.dll
2009-03-12 18:19 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-03-12 18:18 4,992 ac------ c:\windows\system32\dllcache\loop.sys
2009-03-12 18:17 9,216 ac------ c:\windows\system32\dllcache\iwrps.dll
2009-03-12 18:16 38,528 ac------ c:\windows\system32\dllcache\ibmvcap.sys
2009-03-12 18:15 322,432 ac------ c:\windows\system32\dllcache\g400m.sys
2009-03-12 18:14 72,192 ac------ c:\windows\system32\dllcache\es1969.sys
2009-03-12 18:13 102,484 ac------ c:\windows\system32\dllcache\digiinf.dll
2009-03-12 18:12 20,736 ac------ c:\windows\system32\dllcache\cmbp0wdm.sys
2009-03-12 18:11 66,082 ac------ c:\windows\system32\dllcache\c_20280.nls
2009-03-12 18:10 26,624 ac------ c:\windows\system32\dllcache\ativxbar.sys
2009-03-12 18:09 747,392 ac------ c:\windows\system32\dllcache\adm8830.sys
2009-03-12 18:08 6,144 ac------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-03-12 18:08 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2009-03-09 23:32 <DIR> --d----- C:\662037fdad3285a66a1007ce4e2080
2009-03-09 23:07 <DIR> --d----- C:\55efaad3bcd3763dbf82cb12e141
2009-03-09 23:07 <DIR> --d----- C:\3906543a9b15a59258e2
2009-02-27 16:44 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-02-27 16:44 77,824 a------- c:\windows\system32\kdfapi.dll
2009-02-27 16:44 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-02-27 16:44 387,288 a------- c:\windows\system32\kdfmgr.exe
2009-02-27 16:44 <DIR> --d----- c:\windows\kdefense
2009-02-27 16:44 475,872 a------- c:\windows\system32\kdfinj.dll
2009-02-26 22:49 <DIR> --d----- c:\windows\LocalSSL
2009-02-26 22:47 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-02-26 22:47 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-02-26 22:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-02-26 22:44 <DIR> --d----- c:\program files\Trend Micro
2009-02-26 21:22 <DIR> --d----- c:\docume~1\janet\applic~1\Malwarebytes
2009-02-26 21:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-26 21:22 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-26 21:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-26 21:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-26 20:36 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-02-26 20:35 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-02-26 20:35 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-02-26 20:35 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-02-26 20:35 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-02-26 20:35 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys

==================== Find3M ====================

2009-03-03 03:34 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-05 17:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-02-01 00:04 783 a------- c:\program files\setuplog.txt
2008-02-01 00:04 12,866 a------- c:\program files\uninstal.log
2008-08-17 21:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 19:08:54.01 ===============
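A small triage helper for the "Pseudo HJT Report" section of a DDS log like the one above, added here as an example; it is not part of this thread or of the DDS tool. It takes a handful of lines copied from the first log as constructed sample input and flags the entries a log reviewer looks at first: "No File" references, a DPF (ActiveX) control with no recorded download source, and Run entries that name an executable without a path.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread; it is not part of the DDS tool or of any
post above. It parses the BHO/TB/EB/DPF and Run lines in the format the
logs above use and flags entries a log reviewer would look at first.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first DDS log in the thread.
# DDS writes URLs as hxxp:// so they cannot be clicked by accident; the
# parser keeps them exactly as written.
SAMPLE = r"""
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
"""


@dataclass
class Entry:
    kind: str    # BHO, TB, EB, DPF, uRun, mRun, dRun, uRunOnce, ...
    name: str    # friendly name or [Run label]; may be empty
    clsid: str   # COM class id for BHO/TB/EB/DPF; empty for Run entries
    target: str  # file path, download URL or command line; may be empty


# "KIND: [Name: ]{CLSID}[ - target]"  as used by the BHO, TB, EB and DPF lines
CLSID_LINE = re.compile(
    r"^(?P<kind>BHO|TB|EB|DPF): (?:(?P<name>[^{]+?): )?"
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"(?: - (?P<target>.+))?$"
)
# "uRun: [Label] command"  (u = current user, m = machine, d = default user)
RUN_LINE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<target>.+)$")


def parse_hjt(text: str) -> list[Entry]:
    """Return the entries this helper understands; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLSID_LINE.match(line) or RUN_LINE.match(line)
        if m is None:
            continue
        g = m.groupdict()
        entries.append(Entry(
            kind=g["kind"],
            name=(g.get("name") or "").strip(),
            clsid=g.get("clsid") or "",
            target=(g.get("target") or "").strip(),
        ))
    return entries


def split_command(cmd: str) -> tuple[str, str]:
    """Split a Run command line into (executable, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Pair each entry worth a second look with the reason a reviewer would check it."""
    findings = []
    for e in entries:
        if e.target == "No File":
            findings.append((e, "registry entry points at a file that is no longer present"))
        elif e.kind == "DPF" and not e.target:
            findings.append((e, "ActiveX control with no recorded download source"))
        elif e.kind.endswith(("Run", "RunOnce")):
            exe, args = split_command(e.target)
            if exe.lower() in ("rundll32.exe", "rundll32"):
                # rundll32 only hosts the DLL; the DLL path is what matters
                exe = args.split(",", 1)[0].strip()
            if "\\" not in exe and not exe.startswith("%"):
                findings.append((e, "bare file name: which file runs depends on the search path at logon"))
    return findings


def report(text: str) -> list[str]:
    """One line per finding, in log order."""
    return [f"{e.kind} {e.name or e.clsid}: {reason}" for e, reason in triage(parse_hjt(text))]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```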

#2 KoanYorel


Posted 04 April 2009 - 05:01 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 toolu


Posted 08 April 2009 - 08:36 PM

The first link for DDS.com says that it is broken. I used the third link to create the attached files. Here is the text from the second DDS.txt file. I will also attach the second attach file as Attach2.zip. Thank you for your help.

Sincerely,

toolu

DDS (Ver_09-03-16.01) - NTFSx86
Run by Janet at 19:54:06.16 on Wed 04/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.124 [GMT -5:00]

AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Documents and Settings\Janet\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: XBTP01640 Class: {8b4f961f-0b84-4201-bbb1-34e45368f39e} - c:\progra~1\wow\tbu01842\WOWTOO~1.DLL
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.adobe.com/shockwave/welcome/"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\janet\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\micros~2\office\1033\phdintl.dll/phdContext.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2}
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} - hxxp://billing-b.mhi.aol.com/netagent/objects/custappx2.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916239215
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223955456128
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38054.8553587963
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\janeteudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2007-2-26 135168]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-2-26 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-2-26 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-26 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-2-26 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-26 677128]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-18 24652]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-2-26 335376]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2004-11-1 26488]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-12-9 22136]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-8 33752]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-1-17 166656]

=============== Created Last 30 ================

2009-04-08 19:32 142 a------- c:\windows\system32\spupdsvc.inf
2009-04-01 03:01 <DIR> --d----- c:\windows\system32\KB905474
2009-03-24 09:51 <DIR> --d----- c:\program files\Secunia
2009-03-24 09:02 <DIR> --d----- c:\windows\pss
2009-03-24 06:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-23 23:20 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-03-23 23:19 <DIR> --d----- c:\program files\MSECACHE
2009-03-22 21:50 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-22 21:50 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-15 16:14 <DIR> --d----- c:\docume~1\janet\applic~1\Qualcomm
2009-03-13 23:49 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-12 23:42 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-12 18:28 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-12 18:28 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-12 18:28 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-03-12 18:28 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-03-12 18:28 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-03-12 18:28 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-03-12 18:28 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-03-12 18:28 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-03-12 18:28 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-03-12 18:28 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-03-12 18:28 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-03-12 18:26 24,576 ac------ c:\windows\system32\dllcache\viairda.sys
2009-03-12 18:25 138,528 ac------ c:\windows\system32\dllcache\tgiulnt5.sys
2009-03-12 18:24 12,288 ac------ c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-03-12 18:23 6,912 ac------ c:\windows\system32\dllcache\seaddsmc.sys
2009-03-12 18:22 41,472 ac------ c:\windows\system32\dllcache\qvusd.dll
2009-03-12 18:21 14,336 ac------ c:\windows\system32\dllcache\padrs412.dll
2009-03-12 18:20 91,488 ac------ c:\windows\system32\dllcache\n9i3disp.dll
2009-03-12 18:19 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-03-12 18:18 4,992 ac------ c:\windows\system32\dllcache\loop.sys
2009-03-12 18:17 9,216 ac------ c:\windows\system32\dllcache\iwrps.dll
2009-03-12 18:16 38,528 ac------ c:\windows\system32\dllcache\ibmvcap.sys
2009-03-12 18:15 322,432 ac------ c:\windows\system32\dllcache\g400m.sys
2009-03-12 18:14 72,192 ac------ c:\windows\system32\dllcache\es1969.sys
2009-03-12 18:13 102,484 ac------ c:\windows\system32\dllcache\digiinf.dll
2009-03-12 18:12 20,736 ac------ c:\windows\system32\dllcache\cmbp0wdm.sys
2009-03-12 18:11 66,082 ac------ c:\windows\system32\dllcache\c_20280.nls
2009-03-12 18:10 26,624 ac------ c:\windows\system32\dllcache\ativxbar.sys
2009-03-12 18:09 747,392 ac------ c:\windows\system32\dllcache\adm8830.sys
2009-03-12 18:08 6,144 ac------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-03-12 18:08 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2009-03-10 22:18 934,792 -c------ c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -c------ c:\windows\system32\dllcache\wgaLogon.dll
2009-03-10 22:18 239,496 -------- c:\windows\system32\SET2A7.tmp
2009-03-09 23:32 <DIR> --d----- C:\662037fdad3285a66a1007ce4e2080
2009-03-09 23:07 <DIR> --d----- C:\55efaad3bcd3763dbf82cb12e141
2009-03-09 23:07 <DIR> --d----- C:\3906543a9b15a59258e2

==================== Find3M ====================

2009-04-08 16:52 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-04-08 16:52 77,824 a------- c:\windows\system32\kdfapi.dll
2009-04-08 16:52 387,288 a------- c:\windows\system32\kdfmgr.exe
2009-04-08 16:27 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-03-22 21:34 475,872 a------- c:\windows\system32\kdfinj.dll
2009-03-05 21:17 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-03-05 21:17 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-03-05 21:17 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-03-03 18:12 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-03-03 04:08 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-03-03 03:34 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-03 03:34 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-03 03:34 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-02-01 00:04 783 a------- c:\program files\setuplog.txt
2008-02-01 00:04 12,866 a------- c:\program files\uninstal.log
2008-08-17 21:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 19:55:23.71 ===============


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:08:36 AM

Posted 10 April 2009 - 10:05 AM

Hello.

The logs look malware free.

We'll try using HijackThis next round to disable some startup items.

ViewPoint Programs
I see that you have a ViewPoint program on your computer. Viewpoint, Viewpoint Manager and Viewpoint Media Player are installed on your computer without your permission, but do not do anything "bad", and are thus considered foistware.

I would suggest that you uninstall these using Add/Remove Programs.


Download, Install, and Save Log with HijackThis
  • Download the installer HERE onto your desktop and double click it.
  • You may be asked for confirmation for running an executable file. Select Run.
  • You will be asked to choose the install location. Please leave it at the default:
    C:\Program Files\Trend Micro\HijackThis.
  • Select Install.
  • The installation process should only take a few seconds. A shortcut named HijackThis will be created on your desktop so there will be no need to access the HijackThis program directly. The HijackThis window will pop up after the installation.
  • Click Do a System Scan and Save a Log File.
  • The scan will complete in a moment and the log will pop up.
  • Copy the contents of the log into your next post.

Please give me an update on the symptoms.

Are items still being detected in scans? If so, which?

With Regards,
The Panda

#5 toolu

  • Topic Starter
  • Members
  • 5 posts
  • Local time:07:36 AM

Posted 13 April 2009 - 08:42 AM

Thank you for your help.

I uninstalled Viewpoint Manager from Add/Remove Programs.

The computer continues to act as if it is under a very heavy load. Any task seems to take 4 to 8 times as long as with my Dad's computer on the same network. The current scans seem to come up with the following Viruses in Quarantine: MPT_TEST_info.exe, FCpred.jar-10f0c63b-74c73c24.zip, A0486458.exe, A048124.exe. Spyware that shows up is Adware_MemWatcher, ADW_SOFTOMATE.DO, bs.serving-sys{2}.txt, msnportal.112.2o7{1}.txt and serving-sys{1}.txt

Attached is the HijackThis log you requested.

Thank you for your help.

Sincerely,

toolu


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:49 AM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: XBTP01640 - {8B4F961F-0B84-4201-BBB1-34E45368F39E} - C:\PROGRA~1\WOW\tbu01842\WOWTOO~1.DLL (file missing)
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.adobe.com/shockwave/welcome/"
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WOW! Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - (no file)
O9 - Extra 'Tools' menuitem: WOW! Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-b.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136916239215
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223955456128
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 12385 bytes

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:08:36 AM

Posted 13 April 2009 - 08:59 AM

Hello toolu.

Were the items detected in quarantine before the scan, or just detected?

Use HijackThis to Remove Unneeded Startup Entries
Programs that run automatically at startup can take up memory, causing your computer to be slow. Many of these entries are not needed.

Below is a list of entries in your HijackThis log that can be removed safely. Below each entry, you will find a brief description of it. Some are up to preference.

To remove entries you do not want, open HijackThis (if you are using Windows Vista, right click the icon and select Run As Administrator), select "Do a system scan only", put a check mark next to those entries and select "Fix checked".

If you experience any issues after removing any items, use the Backup feature to restore the items.

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
Only check off the above entry if you do not use an iPod.
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe

Restart your computer and take a new DDS.txt log please.

Any improvement?

With Regards,
The Panda
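As an added example (not code from the thread, from HijackThis or from DDS), here is a small Python triage helper that parses the HijackThis entry formats quoted in the posts above, groups the O4 autostart entries by hive and flags the entries whose file no longer exists, which is the kind of dead reference the advice above says is safe to fix. The sample lines are copied from the log posted in this thread; the class and function names are my own.

```python
"""Triage helper for HijackThis log lines (added example; not from the thread
or from HijackThis). Parses the O2/O3/O4/O9/O23 formats seen in the log above,
lists O4 autostart entries per hive and flags entries whose file is gone."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entry:
    section: str          # O2, O3, O4, O9, O23
    kind: str             # BHO, Toolbar, Run, RunOnce, Startup, Service, ...
    name: str             # display name or [bracketed] value name
    path: str             # command line or DLL/EXE path exactly as logged
    clsid: str = ""       # COM class id for O2/O3/O9 entries
    hive: str = ""        # registry hive or startup folder for O4 entries
    user: str = ""        # O4 entries HijackThis lists for another profile
    missing: bool = False  # HijackThis found no file behind the entry


# HijackThis appends "(file missing)" to a path, or prints "(no file)" instead.
_MISSING = re.compile(r"\s*\((?:file missing|no file)\)\s*$")
# O4 entries from other profiles end with "(User 'NAME')".
_USER = re.compile(r"\s*\(User '([^']*)'\)\s*$")

_COM = re.compile(r"^(O[239]) - ([^:]+): (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
_RUN = re.compile(r"^(O4) - (.+?)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
_FOLDER = re.compile(r"^(O4) - ((?:Global )?Startup): (.+?) = (.*)$")
_SVC = re.compile(r"^(O23) - (Service): (.*?) - (.*?) - (.*)$")


def _split_path(raw: str):
    """Separate the logged path from the missing-file marker."""
    missing = bool(_MISSING.search(raw))
    return _MISSING.sub("", raw).strip(), missing


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised HijackThis line, else None."""
    line = line.rstrip()
    m = _COM.match(line)
    if m:
        sec, kind, name, clsid, raw = m.groups()
        path, missing = _split_path(raw)
        return Entry(sec, kind, name, path, clsid=clsid, missing=missing)
    m = _RUN.match(line)
    if m:
        sec, hive, kind, name, raw = m.groups()
        user = ""
        um = _USER.search(raw)
        if um:
            user, raw = um.group(1), _USER.sub("", raw)
        path, missing = _split_path(raw)
        return Entry(sec, kind, name, path, hive=hive, user=user, missing=missing)
    m = _FOLDER.match(line)
    if m:
        sec, kind, name, raw = m.groups()
        path, missing = _split_path(raw)
        return Entry(sec, kind, name, path, hive=kind, missing=missing)
    m = _SVC.match(line)
    if m:
        sec, kind, name, vendor, raw = m.groups()
        path, missing = _split_path(raw)
        return Entry(sec, kind, f"{name} [{vendor}]", path, missing=missing)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def missing_file_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target is gone: dead references that are safe to fix."""
    return [e for e in entries if e.missing]


def autostart_by_hive(entries: List[Entry]) -> Dict[str, List[str]]:
    """Names of O4 autostart entries grouped by hive / startup folder."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        if e.section == "O4":
            out.setdefault(e.hive, []).append(e.name)
    return out


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: XBTP01640 - {8B4F961F-0B84-4201-BBB1-34E45368F39E} - C:\PROGRA~1\WOW\tbu01842\WOWTOO~1.DLL (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O9 - Extra button: WOW! Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for hive, names in autostart_by_hive(found).items():
        print(f"{hive}: {', '.join(names)}")
    for e in missing_file_entries(found):
        print(f"dead reference: {e.section} {e.kind} '{e.name}' -> {e.path or '(no file)'}")
```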

#7 toolu

  • Topic Starter
  • Members
  • 5 posts
  • Local time:07:36 AM

Posted 13 April 2009 - 11:59 PM

Propaganda Panda,

Thank you again for your help.

The Quarantined items were all quarantined prior to the HijackThis scan.

After removing the Viewpoint Manager the computer was running noticeably faster, while still running painfully slow.

The computer is an AMD Athlon 2400+ 2.0GHz 512 MB RAM running Windows XP Pro. My mother uses it for email, the web and downloading pictures from her camera. The computer should not be this slow.

I applied the HijackThis fix as specified. Java then downloaded an update to v13. The update took 5 minutes to load and install. When run earlier on a laptop on an extremely slow network, the same process was completed in under 1 minute. I verified the install at Java.com after the reboot. The computer has a hard time opening the MSN home page, slightly over 2 minutes, while the same home page opens almost instantly on my father's computer, which is a slightly better machine.

When I run the scans on the computer I select the hard drive only but the floppy drive will also spin up as if it is being scanned during the scan process.

Attached is the latest DDS file

DDS (Ver_09-03-16.01) - NTFSx86
Run by Janet at 23:50:20.71 on Mon 04/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.274 [GMT -5:00]

AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Documents and Settings\Janet\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: XBTP01640 Class: {8b4f961f-0b84-4201-bbb1-34e45368f39e} - c:\progra~1\wow\tbu01842\WOWTOO~1.DLL
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\micros~2\office\1033\phdintl.dll/phdContext.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2}
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} - hxxp://billing-b.mhi.aol.com/netagent/objects/custappx2.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916239215
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223955456128
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38054.8553587963
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\janeteudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2007-2-26 135168]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-2-26 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-2-26 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-26 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-2-26 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-26 677128]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-2-26 335376]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-12-9 22136]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-8 33752]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-1-17 166656]

=============== Created Last 30 ================

2009-03-24 09:51 <DIR> --d----- c:\program files\Secunia
2009-03-24 09:02 <DIR> --d----- c:\windows\pss
2009-03-24 06:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-23 23:20 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-03-23 23:19 <DIR> --d----- c:\program files\MSECACHE
2009-03-22 21:50 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-22 21:50 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-15 16:14 <DIR> --d----- c:\docume~1\janet\applic~1\Qualcomm

==================== Find3M ====================

2009-04-13 23:37 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-04-13 23:37 77,824 a------- c:\windows\system32\kdfapi.dll
2009-04-13 23:37 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-04-13 23:37 387,288 a------- c:\windows\system32\kdfmgr.exe
2009-03-22 21:34 475,872 a------- c:\windows\system32\kdfinj.dll
2009-03-05 21:17 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-03-05 21:17 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-03-05 21:17 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-03-03 18:12 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-03-03 04:08 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-03-03 03:34 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-03 03:34 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-03 03:34 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-02-01 00:04 783 a------- c:\program files\setuplog.txt
2008-02-01 00:04 12,866 a------- c:\program files\uninstal.log
2008-08-17 21:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 23:51:33.39 ===============

Thank you.

Sincerely,

toolu

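The DDS log above is the kind of listing a responder reads by hand: one line per service or driver, one line per recently created or changed file. As an added example (not from toolu, PropagandaPanda or the DDS tool itself), here is a small Python parser for the SERVICES / DRIVERS and Find3M line formats with a few review heuristics a defender applies to such a log. The sample lines are copied from the log above; the scan date of 13 April 2009 is an assumption drawn from the latest Find3M timestamps, since the FINISH line records only a time of day. The rule set is mine, not DDS's.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: a few lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-26 497008]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]

==================== Find3M ====================

2009-04-13 23:37 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-04-13 23:37 77,824 a------- c:\windows\system32\kdfapi.dll
2009-03-24 09:51 <DIR> --d----- c:\program files\Secunia
2009-03-05 21:17 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-08-17 21:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 23:51:33.39 ===============
"""

# Service/driver line: "<R|S><start> name;display name;path [yyyy-m-d size]"
# R = running, S = stopped; the digit is the start type (1 system, 2 auto, 3 manual).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$"
)
# File line: "yyyy-mm-dd hh:mm size|<DIR> attribute-flags path"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


def parse_dds(text):
    """Return the service/driver and file entries found in a DDS log."""
    services, files = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):   # blank or section header
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({
                "name": m["name"],
                "display": m["display"],
                "path": m["path"],
                "running": m["state"] == "R",
                "start_type": int(m["start"]),
                "modified": datetime.strptime(m["date"], "%Y-%m-%d"),
                "size": int(m["size"]),
            })
            continue
        m = FILE_RE.match(line)
        if m:
            files.append({
                "path": m["path"],
                "modified": datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M"),
                "size": None if m["size"] == "<DIR>" else int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "is_dir": "d" in m["attrs"],
            })
    return {"services": services, "files": files}


SYSTEM32 = r"c:\windows\system32"
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")


def triage(parsed, scan_date, window_days=7):
    """Heuristic review order for an analyst: (path, reason) pairs.

    These mark what to look at first, not verdicts; a Windows Update or an
    antivirus engine update changes system32 files in exactly the same way.
    scan_date is "yyyy-mm-dd" (an assumption supplied by the caller).
    """
    cutoff = datetime.strptime(scan_date, "%Y-%m-%d") - timedelta(days=window_days)
    hits = []
    for f in parsed["files"]:
        path = f["path"].lower()
        if not f["is_dir"] and path.startswith(SYSTEM32) and f["modified"] >= cutoff:
            hits.append((f["path"], f"changed within {window_days} days of the scan, in system32"))
        if "s" in f["attrs"] and "h" in f["attrs"]:
            hits.append((f["path"], "hidden+system attributes"))
    for s in parsed["services"]:
        if not s["path"].lower().startswith(TRUSTED_ROOTS):
            hits.append((s["path"], f"service '{s['name']}' runs from an unusual location"))
    return hits


if __name__ == "__main__":
    for path, reason in triage(parse_dds(SAMPLE_LOG), scan_date="2009-04-13"):
        print(f"{reason}: {path}")
```

On the sample it lists the two system32 binaries dated the night of the scan and the hidden/system index.dat; the stopped manual-start PSI driver and the Trend Micro firewall service pass because they live under Program Files or Windows. The point of the rules is ordering, not detection: the analyst still checks each flagged file's vendor and signature before deciding anything.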

#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 14 April 2009 - 07:17 AM

Hello.

Let's see if any processes are taking too much CPU.

Open the Task Manager by hitting Ctrl+Alt+Del.
Select the Processes tab.
Take note of any processes taking high amounts of CPU.

Let's get a rootkit scan just in case.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.


With Regards,
The Panda

Edited by PropagandaPanda, 14 April 2009 - 07:18 AM.


#9 toolu

  • Topic Starter
  • Members
  • 5 posts

Posted 15 April 2009 - 11:01 PM

PropagandaPanda,

After I sent the last post I left the scan running. The computer installed a Microsoft update, rebooted and came up with a Disk Boot Failure. The system was trying to boot off the network/internet. I restarted, went into the BIOS, and the hard drive was not shown. I shut the computer down with the power off. I returned today, turned the computer on, and it booted up fine but still slow. I did not have time to take care of your latest instructions because we leave on spring break tomorrow a.m. I will get back to you on Monday.

Thank you again for your help.

Sincerely,

toolu

#10 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 16 April 2009 - 07:13 AM

Okay.

Not sure what caused that.

The Panda

#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 25 April 2009 - 09:53 AM

Hello.

If you are still here, please respond to this topic.

If there is no reply within 5 days of this post, this topic may be closed.

With Regards,
The Panda

Edited by PropagandaPanda, 25 April 2009 - 09:55 AM.


#12 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 12 May 2009 - 07:13 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
