Infected with roytctm.exe


  • This topic is locked
9 replies to this topic

#1 kk_wenz

  • Members
  • 5 posts

Posted 28 March 2009 - 11:20 PM

Hi,

I am using Trend Micro Internet Security 2009. When I am browsing, almost every new page I open also generates a new page with the message "This Web page has been identified as Dangerous". In addition, Trend Micro pops up with a message every 3 or 4 minutes saying that it has blocked a suspicious program named roytctm.exe from running.

I chatted with a Trend Micro support person earlier today and he had me download and run a program called System Cleaner, but afterwards the same 2 symptoms I described above have returned.

Let me say Thank You very much for your help!

Glen (aka kk_wenz)

Here is my DDS.txt report:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Tim at 23:59:52.50 on Sat 03/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.107 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Tim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {b51d43eb-3601-4f0e-89ec-fba13ad77699} - c:\windows\system32\pipibuju.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Window UDP Control Servic] winlogon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [podimamomu] Rundll32.exe "c:\windows\system32\fusigoka.dll",s
mRun: [Mpijedigojer] rundll32.exe "c:\windows\udavabupiceric.dll",e
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [a8cdd69e] rundll32.exe "c:\windows\system32\hesanebo.dll",b
dRun: [A00F1C19C9.exe] c:\windows\temp\_A00F1C19C9.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://employees.cpr.ca/vdesk/cachecleaner.cab#version=6020,2008,0212,2003
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://employees.cpr.ca/vdesk/terminal/InstallerControl.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: igfxcui - igfxdev.dll
Notify: __c0083D61 - c:\windows\system32\__c0083D61.dat
AppInit_DLLs: c:\windows\system32\midamuhi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\midamuhi.dll

============= SERVICES / DRIVERS ===============

R2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2004-8-4 182272]
R2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe [2004-8-4 183296]
R2 noytcyr;noytcyr Service;c:\windows\system32\noytcyr.exe [2004-8-4 182784]
R2 roytctm;roytctm Service;c:\windows\system32\roytctm.exe [2004-8-4 182272]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 182272]
R2 tdydowkc;tdydowkc Service;c:\windows\system32\tdydowkc.exe [2004-8-4 182784]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-3-22 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-3-22 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-3-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-3-22 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-3-22 335376]
S2 WSCS;Windows Server Colocation Service;c:\windows\system32\wscs.exe --> c:\windows\system32\wscs.exe [?]
S2 wsldoekd;wsldoekd Service;c:\windows\system32\wsldoekd.exe [2004-8-4 182784]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-6-29 33808]
S4 soxpeca;soxpeca Service; [x]

============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-03-28 23:28 <DIR> --d----- c:\docume~1\tim\applic~1\Windows Search
2009-03-28 16:26 <DIR> --d----- c:\temp\System Cleaner
2009-03-28 15:50 174,080 a------- c:\windows\system32\tmp4_499262570338.bk
2009-03-28 15:50 174,080 a------- c:\windows\system32\tmp3_668748137512.bk
2009-03-28 15:50 174,080 a------- c:\windows\system32\tmp2_550278513730.bk
2009-03-28 15:50 174,080 a------- c:\windows\system32\tmp1_69531788181.bk
2009-03-28 15:49 174,080 a------- c:\windows\system32\tmp0_203103274077.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp4_454466889214.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp3_267577146069.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp4_221167841864.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp2_101468149806.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp3_746089639463.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp1_81206199719.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp2_235111791115.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp0_655808501172.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp1_708428647788.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp0_788126476277.bk
2009-03-28 15:47 3,282,541 ---sh--- c:\windows\system32\obenaseh.ini
2009-03-25 00:41 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-03-24 19:58 <DIR> --d----- c:\program files\AutoRuns
2009-03-22 18:35 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-22 18:35 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-22 18:35 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-03-22 18:29 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-03-22 18:27 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-03-22 18:26 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-03-22 18:26 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-03-22 18:26 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-03-22 18:26 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-03-22 18:26 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-03-22 17:27 133,120 a------- c:\windows\udavabupiceric.dll
2009-03-22 17:01 40,960 a------- c:\windows\system32\kuzDeccode.exe
2009-03-22 16:46 24,576 a------- c:\windows\system32\__c0083D61.dat
2009-03-22 16:31 47,616 a------- c:\windows\system32\ptch238120.exe
2009-03-22 08:27 24,576 a------- c:\windows\system32\wsaupdater.exe
2009-03-22 08:27 24,576 a------- c:\windows\system32\userinit.exe
2009-03-13 01:59 49,152 a------- c:\windows\system32\senekaesrtlemx.dll
2009-03-13 01:17 74,627,288 a------- C:\TrendMicro_TIS_17.10_en-US_32-bit.exe
2009-03-13 00:43 31,744 a------- c:\windows\system32\303369.exe
2009-03-13 00:29 197 a------- c:\windows\system32\xcchit32.ini
2009-03-13 00:28 251,392 a------- c:\windows\xccdf32_090305a.dll
2009-03-13 00:28 130,204 a------- c:\windows\system\xccef090305.exe
2009-03-13 00:28 560 a------- c:\windows\xccwinsys.ini
2009-03-13 00:28 <DIR> --d----- c:\windows\system32\inf
2009-03-13 00:28 130,204 a------- c:\windows\system32\icv.exe
2009-03-03 15:07 4,785 a------- c:\windows\system32\warning.gif
2009-03-03 10:49 <DIR> --d----- c:\windows\system32\log
2009-02-27 10:44 6,144 a------- c:\windows\system32\bleepzango.exe
2009-02-27 10:44 8 a------- c:\windows\system32\comsa32.sys

==================== Find3M ====================

2009-03-28 15:47 79,872 a--sh--- c:\windows\system32\hesanebo.dll
2009-03-24 18:48 0 a------- c:\windows\system32\drivers\senekafuwbnmyc.sys
2009-03-24 16:33 106,475 a------- c:\windows\system32\senekapakmfxjc.dat
2009-03-24 16:32 5,982 a--sh--- c:\windows\system32\jejuvusu.dll
2009-03-24 16:32 5,982 a--sh--- c:\windows\system32\bihomojo.dll
2009-03-22 18:42 10,752 a------- c:\windows\DCEBoot.exe
2009-03-22 16:37 5,799 a--sh--- c:\windows\system32\zowirewa.dll
2009-03-22 16:37 5,799 a--sh--- c:\windows\system32\wewidilu.dll
2009-02-21 17:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-14 13:03 0 a------- c:\windows\system32\drivers\seneka.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 20:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-29 18:56 0 a------- c:\docume~1\tim\applic~1\wklnhst.dat
2008-08-07 13:58 20,328 a------- c:\docume~1\tim\applic~1\GDIPFONTCACHEV1.DAT
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\fusigoka.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\midamuhi.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\pipibuju.dll

============= FINISH: 0:01:39.01 ===============

Attached Files




#2 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 06 April 2009 - 05:42 PM

Hello,

I apologize for the delay in response, we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. As it's been a while since you posted your log, I will need an updated one.

Please take a look at the Preparation Guide for a download link to DDS and instructions on how you should ask for help.

Thanks and again sorry for the delay.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 kk_wenz

  • Topic Starter
  • Members
  • 5 posts

Posted 08 April 2009 - 12:25 AM

Hi Jat90,

Thanks very much for your reply! I was just about to go to bed, but thought I would check my post. I'm sorry I will not be able to send you the updated log files tonight, but will do so tomorrow evening when I get home from work. Thanks again.

Glen

PS: There is absolutely no need for you guys (and gals) to apologize for delays in responding. It's obvious how busy you must be, given the seemingly never-ending stream of new posts. You deserve a big THANK YOU from all of us! Glen

#4 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 08 April 2009 - 06:18 AM

That's not a problem :thumbup2:

Thanks.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 kk_wenz

  • Topic Starter
  • Members
  • 5 posts

Posted 08 April 2009 - 09:34 PM

Hi Jat90,

Here is my DDS.txt report and the zipped Attach.txt log is attached. Thank you ...

Glen


DDS (Ver_09-03-16.01) - NTFSx86
Run by Tim at 22:19:27.03 on Wed 04/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.124 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Outdated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\roytctm.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tdctxte.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Tim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {b51d43eb-3601-4f0e-89ec-fba13ad77699} - c:\windows\system32\pipibuju.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Window UDP Control Servic] winlogon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [podimamomu] Rundll32.exe "c:\windows\system32\fusigoka.dll",s
mRun: [Mpijedigojer] rundll32.exe "c:\windows\udavabupiceric.dll",e
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [a8cdd69e] rundll32.exe "c:\windows\system32\hesanebo.dll",b
dRun: [A00F1C19C9.exe] c:\windows\temp\_A00F1C19C9.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://employees.cpr.ca/vdesk/cachecleaner.cab#version=6020,2008,0212,2003
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://employees.cpr.ca/vdesk/terminal/InstallerControl.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: igfxcui - igfxdev.dll
Notify: __c0083D61 - c:\windows\system32\__c0083D61.dat
AppInit_DLLs: c:\windows\system32\midamuhi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\midamuhi.dll

============= SERVICES / DRIVERS ===============

R2 roytctm;roytctm Service;c:\windows\system32\roytctm.exe [2004-8-4 182272]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 182272]
R2 tdctxte;tdctxte Service;c:\windows\system32\tdctxte.exe [2004-8-4 174080]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-3-22 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-3-22 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-3-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-3-22 677128]
R2 wsldoekd;wsldoekd Service;c:\windows\system32\wsldoekd.exe [2004-8-4 182784]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-3-22 335376]
S2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2004-8-4 182272]
S2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe [2004-8-4 183296]
S2 noytcyr;noytcyr Service;c:\windows\system32\noytcyr.exe [2004-8-4 182784]
S2 tdydowkc;tdydowkc Service;c:\windows\system32\tdydowkc.exe [2004-8-4 182784]
S2 WSCS;Windows Server Colocation Service;c:\windows\system32\wscs.exe --> c:\windows\system32\wscs.exe [?]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-6-29 33808]
S4 soxpeca;soxpeca Service; [x]

============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-03-29 00:08 <DIR> --d----- c:\program files\IZArc
2009-03-28 23:28 <DIR> --d----- c:\docume~1\tim\applic~1\Windows Search
2009-03-28 16:26 <DIR> --d----- c:\temp\System Cleaner
2009-03-28 15:50 174,080 a------- c:\windows\system32\tmp4_499262570338.bk
2009-03-28 15:50 174,080 a------- c:\windows\system32\tmp3_668748137512.bk
2009-03-28 15:50 174,080 a------- c:\windows\system32\tmp2_550278513730.bk
2009-03-28 15:50 174,080 a------- c:\windows\system32\tmp1_69531788181.bk
2009-03-28 15:49 174,080 a------- c:\windows\system32\tmp0_203103274077.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp4_454466889214.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp3_267577146069.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp4_221167841864.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp2_101468149806.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp3_746089639463.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp1_81206199719.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp2_235111791115.bk
2009-03-28 15:49 174,592 a------- c:\windows\system32\tmp0_655808501172.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp1_708428647788.bk
2009-03-28 15:49 36,864 a------- c:\windows\system32\tmp0_788126476277.bk
2009-03-28 15:47 3,282,541 ---sh--- c:\windows\system32\obenaseh.ini
2009-03-25 00:41 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-03-24 19:58 <DIR> --d----- c:\program files\AutoRuns
2009-03-22 18:35 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-22 18:35 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-22 18:35 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-03-22 18:29 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-03-22 18:27 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-03-22 18:26 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-03-22 18:26 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-03-22 18:26 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-03-22 18:26 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-03-22 18:26 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-03-22 17:27 133,120 a------- c:\windows\udavabupiceric.dll
2009-03-22 17:01 40,960 a------- c:\windows\system32\kuzDeccode.exe
2009-03-22 16:46 24,576 a------- c:\windows\system32\__c0083D61.dat
2009-03-22 16:31 47,616 a------- c:\windows\system32\ptch238120.exe
2009-03-22 08:27 24,576 a------- c:\windows\system32\wsaupdater.exe
2009-03-22 08:27 24,576 a------- c:\windows\system32\userinit.exe
2009-03-13 01:59 49,152 a------- c:\windows\system32\senekaesrtlemx.dll
2009-03-13 01:17 74,627,288 a------- C:\TrendMicro_TIS_17.10_en-US_32-bit.exe
2009-03-13 00:43 31,744 a------- c:\windows\system32\303369.exe
2009-03-13 00:29 197 a------- c:\windows\system32\xcchit32.ini
2009-03-13 00:28 251,392 a------- c:\windows\xccdf32_090305a.dll
2009-03-13 00:28 130,204 a------- c:\windows\system\xccef090305.exe
2009-03-13 00:28 560 a------- c:\windows\xccwinsys.ini
2009-03-13 00:28 <DIR> --d----- c:\windows\system32\inf
2009-03-13 00:28 130,204 a------- c:\windows\system32\icv.exe

==================== Find3M ====================

2009-03-28 15:47 79,872 a--sh--- c:\windows\system32\hesanebo.dll
2009-03-24 18:48 0 a------- c:\windows\system32\drivers\senekafuwbnmyc.sys
2009-03-24 16:33 106,475 a------- c:\windows\system32\senekapakmfxjc.dat
2009-03-24 16:32 5,982 a--sh--- c:\windows\system32\jejuvusu.dll
2009-03-24 16:32 5,982 a--sh--- c:\windows\system32\bihomojo.dll
2009-03-22 18:42 10,752 a------- c:\windows\DCEBoot.exe
2009-03-22 16:37 5,799 a--sh--- c:\windows\system32\zowirewa.dll
2009-03-22 16:37 5,799 a--sh--- c:\windows\system32\wewidilu.dll
2009-02-26 04:14 6,144 a------- c:\windows\system32\bleepzango.exe
2009-02-21 17:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-14 13:03 0 a------- c:\windows\system32\drivers\seneka.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 20:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-29 18:56 0 a------- c:\docume~1\tim\applic~1\wklnhst.dat
2008-08-07 13:58 20,328 a------- c:\docume~1\tim\applic~1\GDIPFONTCACHEV1.DAT
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\fusigoka.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\midamuhi.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\pipibuju.dll

============= FINISH: 22:21:57.15 ===============

Attached Files
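As an added example (not code from this thread, and not a tool either poster used), here is a small Python triage script that reads lines in the DDS format shown in the log above and flags the indicator types a helper looks for in it: services with a generic "<name> Service" display name whose binary sits directly in system32 or has no file on disk, Run entries that invoke rundll32 on a DLL in the Windows directory by a one-letter export, launch a bare "winlogon.exe", or start something from a temp folder, a Winlogon Notify entry pointing at a non-DLL, a non-empty AppInit_DLLs value, an LSA notification package other than scecli, a txtfile handler that is not notepad.exe, and files carrying hidden+system attributes or a zeroed timestamp. The DDS line layouts and the heuristic rules are my own assumptions derived from the log text; the sample input is an excerpt of that log with a few benign lines kept as controls.

```python
import re

# Constructed sample: an excerpt of the DDS lines posted in this thread, one or
# two lines per section of interest, plus a few benign lines as controls.
SAMPLE_DDS = r"""
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [Window UDP Control Servic] winlogon.exe
mRun: [podimamomu] Rundll32.exe "c:\windows\system32\fusigoka.dll",s
mRun: [a8cdd69e] rundll32.exe "c:\windows\system32\hesanebo.dll",b
dRun: [A00F1C19C9.exe] c:\windows\temp\_A00F1C19C9.exe
Notify: igfxcui - igfxdev.dll
Notify: __c0083D61 - c:\windows\system32\__c0083D61.dat
AppInit_DLLs: c:\windows\system32\midamuhi.dll
LSA: Notification Packages = scecli c:\windows\system32\midamuhi.dll
R2 roytctm;roytctm Service;c:\windows\system32\roytctm.exe [2004-8-4 182272]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-3-22 497008]
S2 WSCS;Windows Server Colocation Service;c:\windows\system32\wscs.exe --> c:\windows\system32\wscs.exe [?]
S4 soxpeca;soxpeca Service; [x]
txtfile="c:\windows\system32\nxtepad.exe" "%1"
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\fusigoka.dll
2009-02-21 17:03 410,984 a------- c:\windows\system32\deploytk.dll
"""

WINDIR = "c:\\windows\\"
SYSTEM32 = "c:\\windows\\system32\\"

# Line layouts assumed from the DDS output above (state name;display;binary [date size]).
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
RUN_RE = re.compile(r"^([umd]Run): \[([^\]]*)\] (.*)$")
# rundll32 loading a DLL by a bare one-letter export name (",s" / ",b" / ",e").
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)? "?(?P<dll>[^",]+\.dll)"?,[a-z]\w*$', re.I)
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) [\d,]+ (\S{8}) (.*)$")


def parent_dir(path):
    """Directory part of a lower-cased Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def triage(dds_text):
    """Return (rule, detail) findings for the indicator types seen in this thread."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, display, rest = m.groups()
            binary = rest.split(" [", 1)[0].strip()
            if rest.endswith("[x]") or rest.endswith("[?]"):
                findings.append(("service-no-binary-on-disk", name))
            elif (display.lower() == f"{name.lower()} service" and name.isalpha()
                  and parent_dir(binary) == SYSTEM32):
                findings.append(("service-generic-name-in-system32", name))
            continue
        m = RUN_RE.match(line)
        if m:
            _key, label, cmd = m.groups()
            rd = RUNDLL_RE.match(cmd)
            if rd and parent_dir(rd.group("dll")) in (WINDIR, SYSTEM32):
                findings.append(("run-rundll32-loads-dll-from-windir", label))
            elif cmd.lower() in ("winlogon.exe", "userinit.exe", "explorer.exe"):
                findings.append(("run-bare-system-binary-name", label))
            elif "\\temp\\" in cmd.lower():
                findings.append(("run-launches-from-temp", label))
            continue
        if low.startswith("notify: ") and not low.endswith(".dll"):
            findings.append(("winlogon-notify-non-dll", line.split()[1]))
        elif low.startswith("appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append(("appinit-dlls-set", line.split(":", 1)[1].strip()))
        elif low.startswith("lsa: notification packages ="):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(("lsa-notification-package-extra", " ".join(extra)))
        elif low.startswith("txtfile="):
            handler = line.split('"')[1]  # first quoted token is the handler path
            if not handler.lower().endswith("\\notepad.exe"):
                findings.append(("txtfile-handler-not-notepad", handler))
        else:
            m = FILE_RE.match(line)
            if m:
                stamp, attrs, path = m.groups()
                if "s" in attrs and "h" in attrs:
                    findings.append(("hidden-system-attribute", path))
                elif stamp.startswith("0000-00-00"):
                    findings.append(("zero-timestamp", path))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:38} {detail}")
```

Run it as a script to print the findings for the sample, or call triage() on the text of a full DDS.txt. The rules are pointers for a human reviewer, not verdicts: a generic service name or a hidden DLL is a reason to look closer, and a run with no findings is not evidence that a machine is clean.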



#6 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 09 April 2009 - 05:49 AM

Hello,

There is quite a lot of malware present on this machine. Try to limit your internet access while we try and clean it.

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 kk_wenz

kk_wenz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 10 April 2009 - 12:41 AM

Hi Jat90,

I have another PC that I know is not infected, so I used it to download ComboFix onto a flash drive (I'm also using that other PC to send my replies to you, to minimize my Internet usage on the infected PC).

I then switched to the other PC and dragged CF to the desktop. I then turned off the Trend Micro firewall and its other protections. Then started CF. It brought up the blue DOS screen saying "Please wait. CF is preparing to run." However another box then came up saying "Error - Win32 only. Incompatible OS. CF only works with Windows 2000 and Windows XP."

It then brought up another box asking me for permission to run CF. I clicked ok, and then waited. The CF blue DOS box was still there, but after about 5 minutes, nothing seemed to be happening. I checked Task Manager and sorted the Processes screen according to CPU usage. These 3 programs kept appearing and taking CPU cycles: dlbxcoms.exe, TMBSSRV.exe and jqs.exe

It just dawned on me that TMBSSRV.exe is likely a Trend Micro program (a Google search just confirmed that), so maybe I wasn't successful in turning Trend Micro completely off.

I shut the machine off and re-tried the process, but the same things happened. Thanks ...

Glen

#8 kk_wenz

kk_wenz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 10 April 2009 - 11:32 AM

Hi Jat90,

I have good news. I did a Google search for how to disable Trend Micro and found I could do that by double-clicking on the icon in the system tray and choosing "Exit". After I did that, I tried to run ComboFix (CF) and this time it worked. It installed the Recovery Console software and then scanned the machine, removing what looked like a lot of files.

After it finished, I re-enabled Trend Micro and all of those warning messages that it was giving about blocking suspicious programs have gone away!

The ComboFix log file is attached below. Does this mean we've been successful? That would surely be the cat's meow!! Thanks Jat90!

Glen

ComboFix 09-04-04.01 - Tim 2009-04-10 12:01:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.192 [GMT -4:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\__c0083D61.dat
c:\windows\system32\303369.exe
c:\windows\system32\afisicx.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekafuwbnmyc.sys
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\inf\xccdfb16_090305.dll
c:\windows\system32\inf\xccefb090305.scr
c:\windows\system32\Install.txt
c:\windows\system32\mabidwe.exe
c:\windows\system32\midamuhi.dll
c:\windows\system32\noytcyr.exe
c:\windows\system32\obenaseh.ini
c:\windows\system32\roytctm.exe
c:\windows\system32\senekaesrtlemx.dll
c:\windows\system32\senekapakmfxjc.dat
c:\windows\system32\senekawkbxvbrn.dat
c:\windows\system32\sopidkc.exe
c:\windows\system32\tdctxte.exe
c:\windows\system32\tdydowkc.exe
c:\windows\system32\tmp0_203103274077.bk
c:\windows\system32\tmp0_655808501172.bk
c:\windows\system32\tmp0_788126476277.bk
c:\windows\system32\tmp1_69531788181.bk
c:\windows\system32\tmp1_708428647788.bk
c:\windows\system32\tmp1_81206199719.bk
c:\windows\system32\tmp2_101468149806.bk
c:\windows\system32\tmp2_235111791115.bk
c:\windows\system32\tmp2_550278513730.bk
c:\windows\system32\tmp3_267577146069.bk
c:\windows\system32\tmp3_668748137512.bk
c:\windows\system32\tmp3_746089639463.bk
c:\windows\system32\tmp4_221167841864.bk
c:\windows\system32\tmp4_454466889214.bk
c:\windows\system32\tmp4_499262570338.bk
c:\windows\system32\tpszxyd.sys
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winlogon2.exe
c:\windows\system32\wsldoekd.exe
c:\windows\system32\xcchit32.ini
c:\windows\udavabupiceric.dll
c:\windows\xccdf32_090305a.dll
c:\windows\xccwinsys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_ROYTCTM
-------\Legacy_SOPIDKC
-------\Legacy_SOXPECA
-------\Legacy_TDCTXTE
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_noytcyr
-------\Service_roytctm
-------\Service_seneka
-------\Service_sopidkc
-------\Service_soxpeca
-------\Service_tdctxte
-------\Service_tdydowkc
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 01:15 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
2009-03-29 00:08 . 2009-03-29 00:08 <DIR> d-------- c:\program files\IZArc
2009-03-28 23:28 . 2009-03-28 23:28 <DIR> d-------- c:\documents and settings\Tim\Application Data\Windows Search
2009-03-28 16:26 . 2009-03-28 16:26 <DIR> d-------- c:\temp\System Cleaner
2009-03-25 00:41 . 2009-03-25 00:43 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-03-24 19:58 . 2009-03-24 19:58 <DIR> d-------- c:\program files\AutoRuns
2009-03-22 18:35 . 2009-03-22 18:26 150,032 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-22 18:35 . 2009-03-22 18:26 50,192 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-03-22 18:35 . 2009-03-22 18:26 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-03-22 18:29 . 2008-10-21 13:59 46,456 -ra------ c:\windows\system32\exitwx.exe
2009-03-22 18:27 . 2009-03-22 18:27 661,808 --a------ c:\windows\system32\UfWSC.cpl
2009-03-22 18:26 . 2009-03-22 18:26 1,195,512 --a------ c:\windows\system32\drivers\vsapint.sys
2009-03-22 18:26 . 2009-03-22 18:26 335,376 --a------ c:\windows\system32\drivers\TM_CFW.sys
2009-03-22 18:26 . 2009-03-22 18:26 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-03-22 18:26 . 2009-03-22 18:26 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2009-03-22 18:26 . 2009-03-22 18:26 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-03-22 17:01 . 2009-03-22 17:01 40,960 --a------ c:\windows\system32\kuzDeccode.exe
2009-03-22 16:31 . 2009-03-22 16:31 47,616 --a------ c:\windows\system32\ptch238120.exe
2009-03-22 08:27 . 2004-08-03 20:56 24,576 --a------ c:\windows\system32\wsaupdater.exe
2009-03-22 08:27 . 2004-08-03 20:56 24,576 --a------ c:\windows\system32\userinit.exe
2009-03-13 02:08 . 2009-03-13 02:08 <DIR> d-------- c:\documents and settings\Administrator
2009-03-13 01:17 . 2009-03-13 01:18 74,627,288 --a------ C:\TrendMicro_TIS_17.10_en-US_32-bit.exe
2009-03-13 00:28 . 2009-04-10 12:01 <DIR> d-------- c:\windows\system32\inf
2009-03-13 00:28 . 2009-03-13 00:28 130,204 --a------ c:\windows\system32\icv.exe
2009-03-13 00:28 . 2009-03-13 00:28 130,204 --a------ c:\windows\system\xccef090305.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 02:25 5,982 --sha-w c:\windows\system32\jopiroka.dll
2009-04-09 02:25 5,979 --sha-w c:\windows\system32\dolaribe.dll
2009-03-28 19:47 79,872 --sha-w c:\windows\system32\hesanebo.dll
2009-03-24 20:32 5,982 --sha-w c:\windows\system32\jejuvusu.dll
2009-03-24 20:32 5,982 --sha-w c:\windows\system32\bihomojo.dll
2009-03-22 22:42 10,752 ----a-w c:\windows\DCEBoot.exe
2009-03-22 22:38 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-03-22 22:35 --------- d-----w c:\program files\Trend Micro
2009-03-22 20:37 5,799 --sha-w c:\windows\system32\zowirewa.dll
2009-03-22 20:37 5,799 --sha-w c:\windows\system32\wewidilu.dll
2009-03-13 04:17 --------- d-----w c:\program files\DL_cats
2009-03-02 01:12 1,276 ----a-w c:\documents and settings\Sidney\Application Data\wklnhst.dat
2009-03-01 20:26 --------- d-----w c:\program files\Celtx
2009-02-26 20:51 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 08:14 6,144 ----a-w c:\windows\system32\bleepzango.exe
2009-02-25 21:52 --------- d-----w c:\documents and settings\Sidney\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-25 21:26 --------- d-----w c:\program files\Windows Live
2009-02-24 00:39 --------- d-----w c:\program files\Google
2009-02-21 21:03 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-21 21:03 --------- d-----w c:\program files\Java
2009-02-21 00:40 --------- d-----w c:\documents and settings\Tim\Application Data\Malwarebytes
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 17:16 43,720 ----a-w c:\documents and settings\Sidney\Application Data\GDIPFONTCACHEV1.DAT
2009-02-07 00:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 23:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-01-29 22:56 0 ----a-w c:\documents and settings\Tim\Application Data\wklnhst.dat
2009-01-26 02:43 43,720 ----a-w c:\documents and settings\Andrew\Application Data\GDIPFONTCACHEV1.DAT
2009-01-20 23:34 224 ----a-w c:\documents and settings\Andrew\Application Data\wklnhst.dat
2009-01-16 14:12 43,136 ----a-w c:\documents and settings\Kim\Application Data\GDIPFONTCACHEV1.DAT
2008-08-07 17:58 20,328 ----a-w c:\documents and settings\Tim\Application Data\GDIPFONTCACHEV1.DAT
1601-01-01 00:12 47,616 --sha-w c:\windows\system32\fusigoka.dll
1601-01-01 00:12 47,616 --sha-w c:\windows\system32\pipibuju.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b51d43eb-3601-4f0e-89ec-fba13ad77699}]
47616 --ahs---- c:\windows\system32\pipibuju.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-07 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-21 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"podimamomu"="c:\windows\system32\fusigoka.dll" [ 47616]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-22 995528]
"a8cdd69e"="c:\windows\system32\hesanebo.dll" [2009-03-28 79872]
"Window UDP Control Servic"="winlogon.exe" [2008-04-13 c:\windows\system32\winlogon.exe]

c:\documents and settings\Sidney\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\midamuhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xcommsvr.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zango.exe]
"Debugger"=c:\windows\system32\bleepzango.EXE

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\midamuhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2009-02-06 19:51 3885408 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-04-07 15:19 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dlbxcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlbxPSWX.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-03-22 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-22 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-03-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-22 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-03-22 335376]
S2 WSCS;Windows Server Colocation Service;c:\windows\system32\wscs.exe --> c:\windows\system32\wscs.exe [?]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-06-29 33808]
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-A00F1C19C9.exe - c:\windows\TEMP\_A00F1C19C9.exe
Notify-__c0083D61 - c:\windows\system32\__c0083D61.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 12:07:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\dlbxcoms.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-04-10 12:13:19 - machine was rebooted [Tim]
ComboFix-quarantined-files.txt 2009-04-10 16:13:08

Pre-Run: 110,607,384,576 bytes free
Post-Run: 111,708,033,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

319 --- E O F --- 2009-03-13 05:58:40
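The "Reg Loading Points" section of the log above is where the persistence shows up: an IFEO Debugger value hijacking security-product executables, a DLL in AppInit_DLLs and in the LSA Notification Packages list, Run entries pointing at DLLs or bare filenames, Security Center overrides and a disabled firewall policy. The following Python script is an added example, not part of this thread, of ComboFix or of BleepingComputer's tools: it parses an excerpt in that log format and flags those loading points for a defender to review. The excerpt is constructed from values that appear in the log above (the selection is mine), and the heuristics are my own rules, not ComboFix's.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix "Reg Loading Points" section above.
# Values are copied from that log; which lines to include was my choice.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b51d43eb-3601-4f0e-89ec-fba13ad77699}]
47616 --ahs---- c:\windows\system32\pipibuju.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"podimamomu"="c:\windows\system32\fusigoka.dll" [ 47616]
"Window UDP Control Servic"="winlogon.exe" [2008-04-13 c:\windows\system32\winlogon.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\midamuhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\midamuhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# The only LSA notification package present on a default Windows XP install.
# Anything else in this list is loaded into lsass.exe at boot.
KNOWN_LSA_PACKAGES = {"scecli"}

# "name"="path" [metadata]  -- the shape ComboFix uses for Run entries
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
DATE_STAMP = re.compile(r"\d{4}-\d{2}-\d{2}")


@dataclass
class Finding:
    key: str     # registry key the line was listed under
    line: str    # the raw log line
    reason: str  # why a defender should look at it


def parse_sections(text):
    """Group value lines under the [bracketed] registry key that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_run_entry(line):
    """Return a reason string for a suspicious Run entry, or None if it looks ordinary."""
    m = RUN_ENTRY.match(line)
    if not m:
        return None
    path, meta = m.group("path"), m.group("meta")
    if path.lower().endswith(".dll"):
        return "Run entry points at a DLL rather than an executable"
    if "\\" not in path:
        return "Run entry uses a bare filename that collides with a system binary name"
    if not DATE_STAMP.search(meta):
        return "ComboFix recorded no timestamp for this file"
    return None


def triage(text):
    """Walk every loading point in the log text and collect findings worth review."""
    findings = []
    for key, lines in parse_sections(text).items():
        low = key.lower()
        for line in lines:
            ll, reason = line.lower(), None
            if "browser helper objects" in low:
                tokens = line.split()  # size, attribute flags, path
                if len(tokens) >= 3 and "h" in tokens[1]:
                    reason = "BHO DLL carries the hidden attribute"
            elif low.endswith(r"\currentversion\run"):
                reason = check_run_entry(line)
            elif "image file execution options" in low and ll.startswith('"debugger"'):
                reason = "IFEO Debugger value redirects this program to another binary"
            elif ll.startswith('"appinit_dlls"=') and ll.split("=", 1)[1].strip():
                reason = "AppInit_DLLs loads this DLL into every process that uses user32.dll"
            elif low.endswith(r"\control\lsa") and ll.startswith("notification packages"):
                extra = [p for p in line.split()[3:] if p.lower() not in KNOWN_LSA_PACKAGES]
                if extra:
                    reason = "non-default LSA notification package: " + ", ".join(extra)
            elif "security center" in low and ll.endswith("dword:00000001"):
                reason = "Security Center override silences AV/firewall monitoring"
            elif "firewallpolicy" in low and ll.startswith('"enablefirewall"') and "0 (0x0)" in ll:
                reason = "Windows Firewall disabled by policy value"
            if reason:
                findings.append(Finding(key, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.key}]\n  {f.line}\n  -> {f.reason}")
```

Run against the excerpt, the script reports nine findings and leaves the legitimate igfxtray entry alone. The rules are deliberately narrow: they only flag loading points that are unusual on a stock XP machine (a Debugger value under IFEO, a non-empty AppInit_DLLs, an extra LSA package, a Run entry that is a DLL or a bare filename), so each hit is something a helper would check by hand rather than a verdict.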

#9 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:04 AM

Posted 10 April 2009 - 12:35 PM

There is still malware on your machine. Before we continue, I must warn you:

Backdoor Threat

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:04 AM

Posted 14 April 2009 - 03:19 AM

Due to lack of feedback, this topic is now Closed.

If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.




