
Sadpanda


  • This topic is locked
4 replies to this topic

#1 Sadpandaman

Sadpandaman

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 22 July 2009 - 08:21 AM

Previous topic here, which is now closed. http://www.bleepingcomputer.com/forums/ind...p;#entry1320752


Ok, now I've run the programs you asked me to, and here is the result:
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [NeroFilterCheck] c:\program\delade filer\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\program\trend micro\internet security\UfSeAgnt.exe"
mRun: [Hiyo] d:\incomplete\hiyo\bin\HiYo.exe /RunFromStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [OE] c:\program\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: E&xportera till Microsoft Excel - d:\program\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\program\micros~1\office11\REFIEBAR.DLL
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program\delade~1\skype\SKYPE4~1.DLL
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\garen~1\applic~1\mozilla\firefox\profiles\63rt5kcb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aftonbladet.se/
FF - component: c:\program\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
FF - plugin: e:\voiplay\npvoiplay.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-10-8 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-10-8 335376]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-5-8 54432]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-6-16 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program\trend micro\internet security\TmPfw.exe [2009-6-16 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program\trend micro\internet security\TmProxy.exe [2009-6-16 677128]
S3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2008-5-6 215040]

=============== Created Last 30 ================

2009-07-18 12:49 --d----- c:\windows\Left 4 Dead
2009-07-11 14:22 --d----- c:\docume~1\garen~1\applic~1\Mount&Blade
2009-07-10 16:25 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-07-10 16:08 26,295 a------- c:\windows\DIIUnin.dat
2009-07-10 16:08 94,208 a------- c:\windows\DIIUnin.exe
2009-07-10 16:08 2,829 a------- c:\windows\DIIUnin.pif
2009-07-05 17:34 --d----- c:\docume~1\garen~1\applic~1\HiYo
2009-07-05 17:34 --d----- c:\docume~1\alluse~1\applic~1\HiYo
2009-07-02 23:42 --d----- c:\docume~1\garen~1\applic~1\uTorrent
2009-06-29 13:38 --d----- c:\program\Ventrilo
2009-06-29 13:31 160,768 a------- c:\windows\system32\io.dll

==================== Find3M ====================

2009-07-22 13:10 26,738,688 a---h--- c:\documents and settings\ägaren\NTUSER.DAT
2009-07-18 12:56 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-07-18 12:54 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-19 17:55 17,480 a------- c:\windows\system32\drivers\hamachi.sys
2009-06-16 16:40 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 16:40 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 21:11 1,293,312 a------- c:\windows\system32\quartz.dll
2009-05-07 17:33 347,648 a------- c:\windows\system32\localspl.dll
2009-04-29 06:49 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 06:49 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-23 15:41 34 a------- c:\documents and settings\ägaren\jagex_runescape_preferences.dat
2008-11-01 18:43 22,328 ac------ c:\docume~1\garen~1\applic~1\PnkBstrK.sys
2008-05-08 16:23 32,768 ac-sh--- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012008050820080509\index.dat
2008-05-09 12:34 32,768 ac-sh--- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012008050920080510\index.dat

============= FINISH: 15:15:09,01 ===============
2a:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2008-05-06 10:42:49
System Uptime: 2009-07-21 17:56:56 (22 hours ago)

Motherboard: FUJITSU SIEMENS | | D2175-A1
Processor: Intel® Pentium® 4 CPU 3.60GHz | CPU | 3591/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 43 GiB total, 17,129 GiB free.
D: is FIXED (NTFS) - 189 GiB total, 159,843 GiB free.
E: is FIXED (NTFS) - 233 GiB total, 166,668 GiB free.
F: is FIXED (NTFS) - 233 GiB total, 130,88 GiB free.
G: is CDROM ()
H: is CDROM ()
I: is Removable
J: is Removable
K: is Removable
L: is Removable
M: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Fujitsu Siemens Computers WLAN 802.11b/g D1705/D1706
Device ID: USB\VID_0BF8&PID_100F\5&2A17A886&0&3
Manufacturer: Fujitsu Siemens Computers
Name: Fujitsu Siemens Computers WLAN 802.11b/g D1705/D1706
PNP Device ID: USB\VID_0BF8&PID_100F\5&2A17A886&0&3
Service: SIS163u

==== System Restore Points ===================

RP385: 2009-07-07 17:13:58 - Systemkontrollpunkt
RP386: 2009-07-09 10:28:44 - Systemkontrollpunkt
RP387: 2009-07-10 10:45:42 - Systemkontrollpunkt
RP388: 2009-07-14 15:32:56 - Systemkontrollpunkt
RP389: 2009-07-16 00:36:50 - Software Distribution Service 3.0
RP390: 2009-07-17 10:04:32 - Systemkontrollpunkt
RP391: 2009-07-18 16:22:39 - Installed Tom Clancy's H.A.W.X
RP392: 2009-07-20 17:47:20 - Removed Age of Empires III
RP393: 2009-07-20 17:54:37 - Removed Command & Conquer™ Red Alert™ 3
RP394: 2009-07-20 17:56:16 - Removed Tom Clancy's H.A.W.X
RP395: 2009-07-22 08:21:09 - Systemkontrollpunkt

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11
µTorrent
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.2 Patch
Call of Duty® 4 - Modern Warfare™ 1.3 Patch
Call of Duty® 4 - Modern Warfare™ 1.4 Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Singleplayer Patch
Call of Duty® 4 - Modern Warfare™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
CCleaner (remove only)
Company of Heroes
Counter-Strike 1.6
Counter-Strike™
Counter-Strike: Source
D-Link RangeBooster N 650 DWA-547
DAEMON Tools Toolbar
Diablo II
DivX Web Player
Fujitsu Siemens Computers WLAN 802.11b/g D1705/D1706
Hamachi 1.0.1.5
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HiYo
HiYo
Java™ 6 Update 11
Left 4 Dead
LimeWire PRO 4.17.6
Macromedia Dreamweaver 8
Macromedia Extension Manager
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Swedish Language Pack
Microsoft .NET Framework 2.0 Language Pack - SVE
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Redistributable
mIRC
Mount&Blade
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 7 Essentials
NVIDIA Drivers
NVIDIA PhysX v8.04.25
SIM editor 4.0
Skype™ 3.8
Snabbkorrigering för Windows Internet Explorer 7 (KB947864)
Snabbkorrigering för Windows XP (KB942288-v3)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB938127)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB950759)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB953838)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB956390)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB958215)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB960714)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB961260)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB963027)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB969897)
Säkerhetsuppdatering för Windows Media Player (KB911564)
Säkerhetsuppdatering för Windows Media Player 6.4 (KB925398)
Säkerhetsuppdatering för Windows XP (KB923561)
Säkerhetsuppdatering för Windows XP (KB923689)
Säkerhetsuppdatering för Windows XP (KB952004)
Säkerhetsuppdatering för Windows XP (KB956572)
Säkerhetsuppdatering för Windows XP (KB958690)
Säkerhetsuppdatering för Windows XP (KB959426)
Säkerhetsuppdatering för Windows XP (KB960225)
Säkerhetsuppdatering för Windows XP (KB960715)
Säkerhetsuppdatering för Windows XP (KB960803)
Säkerhetsuppdatering för Windows XP (KB961371)
Säkerhetsuppdatering för Windows XP (KB961373)
Säkerhetsuppdatering för Windows XP (KB961501)
Säkerhetsuppdatering för Windows XP (KB968537)
Säkerhetsuppdatering för Windows XP (KB969898)
Säkerhetsuppdatering för Windows XP (KB970238)
Säkerhetsuppdatering för Windows XP (KB971633)
Säkerhetsuppdatering för Windows XP (KB973346)
Spotify
Steam™
TeamSpeak 2 RC2
Tibia
Trend Micro Internet Security
Uppdatering för Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Ventrilo
VideoLAN VLC media player 0.8.6f
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live inloggningsassistenten
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
VOIPlay
World of Warcraft

==== End Of File ===========================

Thanks for the help, appreciate it!

Edited by Pandy, 22 July 2009 - 02:53 PM.
Edit to add previous topic link ~Pandy




#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:12 PM

Posted 22 July 2009 - 05:38 PM

Hello Sadpandaman my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. The forum has been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.


Your log will be analyzed and you will be instructed on what to do next as soon as possible.


Regards,
~Semp

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:12 PM

Posted 25 July 2009 - 06:16 AM

Hello Sadpanda,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case LimeWire and uTorrent). These programmes allow you to share files between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


1. Please post again the whole part of the DDS log, and that includes the header. Every single piece of information is important for an accurate analysis and fixes.


2. We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
3. Let's run MBAM

Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


When you reply, please post the following logs:
  • Complete DDS log
  • OTL report
  • MBAM log
~Semp
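The DDS log posted in #1 and the point made in #3 about peer-to-peer downloads lend themselves to a small triage script. This is an added example, not code from the thread or from the DDS, OTL or MBAM tools: it parses the mRun/dRun (Run-key) lines and the R/S service lines that DDS prints and flags any entry that launches from outside the normal Windows or program directories, or with no path at all, which is the first thing a helper checks when reading such a log. The list of trusted directory prefixes (including the Swedish `c:\program` folder seen in this log) is an assumption made for the example; the sample lines are copied from the log above.

```python
"""Triage helper for the autostart section of a DDS log.

Added example, not part of the thread or of the DDS tool. It flags
Run-key entries and services that start from unusual locations (for
instance a P2P "incomplete" download folder) so a helper can ask
about them first.
"""
import re

# Locations treated as normal install directories. Swedish Windows XP
# uses c:\program instead of c:\program files. Assumption for this example.
TRUSTED_PREFIXES = (
    r"c:\windows",
    r"c:\program",
    r"d:\program",
)

# mRun/dRun/uRun: [Name] command line            (DDS Run-key format)
RUN_RE = re.compile(r"^(?P<kind>[mdu]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# R2 svc;Description;c:\path\file.sys [date size]  (DDS service format)
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[")


def exe_path(cmd):
    """Extract the executable path from a Run-key command line.

    Quoted paths are taken verbatim; unquoted ones are cut after the
    first '.exe' so that paths containing spaces survive and arguments
    such as '/RunFromStartup' are dropped.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else cmd.split(" ")[0]


def classify_path(path):
    """'ok' for a trusted directory, 'no-path' for a bare file name
    (resolved through PATH, so it cannot be verified from the log alone),
    'review' for anything else."""
    p = path.lower()
    if "\\" not in p:
        return "no-path"
    if any(p.startswith(t) for t in TRUSTED_PREFIXES):
        return "ok"
    return "review"


def triage(log_text):
    """Return (section, name, path, verdict) for every Run-key and service line."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            findings.append((m.group("kind"), m.group("name"), path, classify_path(path)))
            continue
        m = SVC_RE.match(line)
        if m:
            path = m.group("path").strip()
            findings.append(("service", m.group("svc"), path, classify_path(path)))
    return findings


def needs_review(log_text):
    """Only the entries that are not in a trusted location."""
    return [f for f in triage(log_text) if f[3] != "ok"]


# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [NeroFilterCheck] c:\program\delade filer\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\program\trend micro\internet security\UfSeAgnt.exe"
mRun: [Hiyo] d:\incomplete\hiyo\bin\HiYo.exe /RunFromStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [OE] c:\program\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-10-8 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-10-8 335376]
S2 TmPfw;Trend Micro Personal Firewall;c:\program\trend micro\internet security\TmPfw.exe [2009-6-16 497008]
S3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2008-5-6 215040]
"""

if __name__ == "__main__":
    for section, name, path, verdict in needs_review(SAMPLE_LOG):
        print(f"{verdict:8} {section:8} {name:20} {path}")
```

On the sample above the script reports two entries: CTxfiHlp, because the Run value is a bare file name that the log cannot place, and HiYo, because it starts from a `d:\incomplete` folder, which is the kind of download location the post about peer-to-peer tools warns about. Everything it flags is a question for the helper, not a verdict; a real triage still compares each file against vendor information before anything is removed.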


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:12 PM

Posted 28 July 2009 - 06:02 AM

Are you still with me?

~Semp


#5 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:12 PM

Posted 28 July 2009 - 11:11 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security