
I can not delete infected files and have log


This topic is locked
14 replies to this topic

#1 giddeup (Members, 11 posts)

Posted 06 October 2009 - 06:54 PM

I know what is infected and where it is, but I am unable to delete the files and Trend won't tell me what it is. After reading posts I have run HijackThis and this is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:57 AM, on 10/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OL\TMAS_OL.exe
C:\Documents and Settings\VIP\Local Settings\Temporary Internet Files\Content.IE5\PJUMLHNJ\HijackThis[1].exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/home/
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/jet-ski-racing/en/"
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O23 - Service: Google Update Service (gupdate1c9cea7171a9c50) (gupdate1c9cea7171a9c50) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 3899 bytes


Hope this helps.


#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 23 October 2009 - 03:39 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 giddeup (Topic Starter, Members, 11 posts)

Posted 23 October 2009 - 08:49 PM

Hi, thanks for the help. I have attached the files. I still have the problem that Trend Micro shows I have a virus but will not let me delete them, and I am also unable to install new hardware. I am also unable to run the RootRepeal log: I have followed the instructions, but while trying to run the scan I get kicked out of the system altogether, get a warning and the blue screen of death, and have to reboot the PC. Any help would be greatly appreciated.
Adam


DDS (Ver_09-10-23.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/17/2006 3:41:41 AM
System Uptime: 10/18/2009 8:40:01 PM (136 hours ago)

Motherboard: http://www.abit.com.tw/ | | KN8 Series(NF-CK804)
Processor: AMD Athlon™ 64 Processor 3500+ | Socket 939 | 2210/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 153 GiB total, 97.35 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 112 GiB total, 69.034 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1264: 7/27/2009 8:31:46 AM - System Checkpoint
RP1265: 7/28/2009 10:46:43 AM - System Checkpoint
RP1266: 7/29/2009 11:14:46 AM - System Checkpoint
RP1267: 7/30/2009 3:00:16 AM - Software Distribution Service 3.0
RP1268: 7/31/2009 3:11:43 AM - System Checkpoint
RP1269: 8/1/2009 3:00:15 AM - Software Distribution Service 3.0
RP1270: 8/2/2009 3:11:42 AM - System Checkpoint
RP1271: 8/3/2009 3:26:11 AM - System Checkpoint
RP1272: 8/4/2009 4:11:41 AM - System Checkpoint
RP1273: 8/5/2009 5:11:40 AM - System Checkpoint
RP1274: 8/6/2009 5:14:05 AM - System Checkpoint
RP1275: 8/7/2009 6:14:04 AM - System Checkpoint
RP1276: 8/8/2009 7:14:04 AM - System Checkpoint
RP1277: 8/8/2009 2:46:41 PM - Installed Microsoft Office Enterprise 2007
RP1278: 8/8/2009 2:57:26 PM - Printer Driver Send To Microsoft OneNote Driver Installed
RP1279: 8/9/2009 3:50:29 PM - System Checkpoint
RP1280: 8/10/2009 3:00:19 AM - Software Distribution Service 3.0
RP1281: 8/10/2009 2:38:43 PM - Installed DirectX
RP1282: 8/10/2009 3:05:31 PM - Removed Logitech Desktop Messenger
RP1283: 8/10/2009 3:05:49 PM - Removed Logitech ImageStudio
RP1284: 8/11/2009 3:13:53 PM - System Checkpoint
RP1285: 8/11/2009 4:30:49 PM - Installed DirectX
RP1286: 8/11/2009 4:35:05 PM - Installed %1 %2.
RP1287: 8/11/2009 4:35:10 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1288: 8/11/2009 5:17:39 PM - Installed %1 %2.
RP1289: 8/11/2009 5:17:44 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1290: 8/12/2009 3:00:16 AM - Software Distribution Service 3.0
RP1291: 8/12/2009 3:15:21 AM - Printer Driver Microsoft XPS Document Writer Installed
RP1292: 8/13/2009 3:51:02 AM - System Checkpoint
RP1293: 8/13/2009 9:26:39 AM - Software Distribution Service 3.0
RP1294: 8/14/2009 3:00:56 AM - Software Distribution Service 3.0
RP1295: 8/15/2009 3:51:58 AM - System Checkpoint
RP1296: 8/16/2009 4:51:57 AM - System Checkpoint
RP1297: 8/17/2009 4:53:02 AM - System Checkpoint
RP1298: 8/18/2009 3:00:55 AM - Software Distribution Service 3.0
RP1299: 8/19/2009 3:12:18 AM - System Checkpoint
RP1300: 8/20/2009 4:12:15 AM - System Checkpoint
RP1301: 8/21/2009 5:12:15 AM - System Checkpoint
RP1302: 8/22/2009 6:12:16 AM - System Checkpoint
RP1303: 8/23/2009 7:12:13 AM - System Checkpoint
RP1304: 8/24/2009 7:16:01 AM - System Checkpoint
RP1305: 8/25/2009 7:20:37 AM - System Checkpoint
RP1306: 8/26/2009 8:09:41 AM - System Checkpoint
RP1307: 8/27/2009 3:00:16 AM - Software Distribution Service 3.0
RP1308: 8/28/2009 3:12:18 AM - System Checkpoint
RP1309: 8/29/2009 4:12:16 AM - System Checkpoint
RP1310: 8/30/2009 5:26:45 AM - System Checkpoint
RP1311: 8/30/2009 12:48:00 PM - Removed Microsoft LifeCam
RP1312: 8/30/2009 12:49:01 PM - Installed USB Dual Vibration Joystick
RP1313: 8/30/2009 12:49:09 PM - Removed USB Dual Vibration Joystick
RP1314: 8/30/2009 12:51:09 PM - Installed DirectX
RP1315: 8/31/2009 3:22:04 PM - System Checkpoint
RP1316: 9/1/2009 5:53:21 PM - System Checkpoint
RP1317: 9/2/2009 8:35:41 PM - System Checkpoint
RP1318: 9/3/2009 9:18:32 PM - System Checkpoint
RP1319: 9/4/2009 10:18:32 PM - System Checkpoint
RP1320: 9/5/2009 11:18:34 PM - System Checkpoint
RP1321: 9/7/2009 12:18:34 AM - System Checkpoint
RP1322: 9/8/2009 1:18:31 AM - System Checkpoint
RP1323: 9/9/2009 2:42:44 AM - System Checkpoint
RP1324: 9/10/2009 3:26:40 AM - System Checkpoint
RP1325: 9/11/2009 3:00:28 AM - Software Distribution Service 3.0
RP1326: 9/12/2009 3:14:11 AM - System Checkpoint
RP1327: 9/13/2009 4:14:12 AM - System Checkpoint
RP1328: 9/14/2009 5:14:11 AM - System Checkpoint
RP1329: 9/15/2009 6:26:11 AM - System Checkpoint
RP1330: 9/16/2009 7:14:10 AM - System Checkpoint
RP1331: 9/17/2009 8:14:10 AM - System Checkpoint
RP1332: 9/18/2009 8:15:15 AM - System Checkpoint
RP1333: 9/19/2009 8:18:46 AM - System Checkpoint
RP1334: 9/20/2009 9:14:10 AM - System Checkpoint
RP1335: 9/21/2009 10:35:03 AM - System Checkpoint
RP1336: 9/22/2009 11:14:12 AM - System Checkpoint
RP1337: 9/23/2009 11:15:16 AM - System Checkpoint
RP1338: 9/24/2009 12:15:16 PM - System Checkpoint
RP1339: 9/25/2009 12:59:32 PM - System Checkpoint
RP1340: 9/26/2009 1:14:12 PM - System Checkpoint
RP1341: 9/27/2009 1:15:16 PM - System Checkpoint
RP1342: 9/28/2009 2:41:14 PM - System Checkpoint
RP1343: 9/29/2009 3:14:11 PM - System Checkpoint
RP1344: 9/30/2009 3:17:39 PM - System Checkpoint
RP1345: 10/1/2009 3:58:23 PM - System Checkpoint
RP1346: 10/3/2009 2:01:44 PM - System Checkpoint
RP1347: 10/4/2009 3:43:40 PM - System Checkpoint
RP1348: 10/5/2009 4:43:39 PM - System Checkpoint
RP1349: 10/6/2009 5:18:18 PM - System Checkpoint
RP1350: 10/7/2009 5:47:58 PM - System Checkpoint
RP1351: 10/8/2009 6:28:47 PM - System Checkpoint
RP1352: 10/9/2009 7:38:45 PM - System Checkpoint
RP1353: 10/9/2009 9:06:58 PM - Cleaned registry with Windows Live OneCare safety scanner
RP1354: 10/10/2009 10:11:16 PM - System Checkpoint
RP1355: 10/11/2009 11:04:59 PM - System Checkpoint
RP1356: 10/12/2009 9:36:58 AM - Installed Java™ 6 Update 16
RP1357: 10/13/2009 9:53:10 AM - System Checkpoint
RP1358: 10/14/2009 10:35:21 AM - System Checkpoint
RP1359: 10/14/2009 3:43:10 PM - Software Distribution Service 3.0
RP1360: 10/15/2009 2:12:23 PM - Installed AMD Processor Driver
RP1361: 10/15/2009 2:24:21 PM - Installed Dual-Core Optimizer.
RP1362: 10/16/2009 3:25:45 PM - System Checkpoint
RP1363: 10/17/2009 4:48:09 PM - System Checkpoint
RP1364: 10/18/2009 7:35:16 PM - System Checkpoint
RP1365: 10/19/2009 7:44:09 PM - System Checkpoint
RP1366: 10/20/2009 9:04:00 PM - System Checkpoint
RP1367: 10/21/2009 10:47:19 PM - System Checkpoint
RP1368: 10/22/2009 11:44:08 PM - System Checkpoint
RP1369: 10/24/2009 12:44:08 AM - System Checkpoint

==== Installed Programs ======================


3D Windows XP Screen Saver
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
AMD Processor Driver
AviSynth 2.5
BigPond Broadband ADSL FAQ
Canon iP1600
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Company of Heroes
Critical Update for Windows Media Player 11 (KB959772)
Crysis WARHEAD®
Crysis®
Digimax Master
Dual-Core Optimizer
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD Solution
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.2.2
DVDFab 6.0.1.0 (May 15, 2009)
e-tax 2009
EA Download Manager
EASEUS Partition Master 4.0 Home Edition
Easy-WebPrint
Express Rip
FinePixViewer Ver.4.2
FUJIFILM USB Driver
Garmin WebUpdater
Google Chrome
Google Earth
Google Update Helper
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
ImageMixer VCD2 for FinePix
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 16
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
LimeWire 5.1.2
Logitech Gaming Software
Mat Hoffman's Pro BMX
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Corporation
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MicroStaff WINASPI
MSN
MSN Music Assistant
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB925673)
Multimedia Launcher
Music Visualizer Library 1.4.00
Nero 7 Premium
neroxml
Net MD Simple Burner
Next Generation Visualisations
NVIDIA Drivers
OGA Notifier 1.7.0105.35.0
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.6.01
OpenMG Secure Module 4.7.00
Pixillion Image Converter
PowerDirector
PowerDVD
PowerProducer
Prism Video Converter
PunkBuster Services
QuickTime
RAW FILE CONVERTER LE
Realtek AC'97 Audio
Red Faction
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Samsung USB Driver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skype web features
Skype™ 4.1
Smart Menus (Windows Live Toolbar)
SonicStage 4.3
Trend Micro Internet Security
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (KB974810)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
USB Storage Driver
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

10/21/2009 6:31:24 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service NMIndexingService with arguments "" in order to run the server: {C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}

==== End Of File ===========================




#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 24 October 2009 - 09:07 PM

Hi.

Try running GMER...

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double-click the GMER icon on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer, so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Note: Do not run any program while GMER is running.
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.



#5 giddeup (Topic Starter, Members, 11 posts)

Posted 25 October 2009 - 01:58 AM

Have done and this is what came up.
Hope this helps.

Thanks

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-25 17:57:17
Windows 5.1.2600 Service Pack 3
Running: dn62u4v1.exe; Driver: C:\DOCUME~1\VIP\LOCALS~1\Temp\fwliqkod.sys


---- System - GMER 1.0.15 ----

SSDT 89288BE0 ZwCreateKey
SSDT 892880E0 ZwCreateProcess
SSDT 892883A0 ZwCreateProcessEx
SSDT 89289A40 ZwCreateThread
SSDT 89289160 ZwDeleteKey
SSDT 89289420 ZwDeleteValueKey
SSDT 89289BE0 ZwLoadDriver
SSDT 89288660 ZwOpenProcess
SSDT 89288EA0 ZwSetValueKey
SSDT 89288920 ZwTerminateProcess
SSDT 892898A0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\nvata \Device\00000070 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\00000071 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\00000072 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\nvata \Device\NvAta0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\NvAta1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\NvAta2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\0000006f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 25 October 2009 - 10:04 AM

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

#7 giddeup (Topic Starter, Members, 11 posts)

Posted 26 October 2009 - 02:14 AM

Here is the ComboFix report.


ComboFix 09-10-25.02 - VIP 10/26/2009 17:49.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1937 [GMT 11:00]
Running from: c:\documents and settings\VIP\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\VIP\Application Data\inst.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\03C87DA7.urr
c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\0653D723.bin
c:\program files\MyWebSearch\bar\Cache\0653DD1E.bin
c:\program files\MyWebSearch\bar\Cache\0653DFAE.bin
c:\program files\MyWebSearch\bar\Cache\0653E27D.bin
c:\program files\MyWebSearch\bar\Cache\07594C4E
c:\program files\MyWebSearch\bar\Cache\0759614D
c:\program files\MyWebSearch\bar\Cache\07596C59.bin
c:\program files\MyWebSearch\bar\Cache\07597DCD.bin
c:\program files\MyWebSearch\bar\Cache\07598F81.bin
c:\program files\MyWebSearch\bar\Cache\0759AD4A.bin
c:\program files\MyWebSearch\bar\Cache\0759CB61.bin
c:\program files\MyWebSearch\bar\Cache\1ACCA0BD.bin
c:\program files\MyWebSearch\bar\Cache\1ACCA8CB.bin
c:\program files\MyWebSearch\bar\Cache\1ACD6517.bin
c:\program files\MyWebSearch\bar\Cache\1ACEFD89
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL

.
((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-18 06:56 . 2009-06-13 08:54 1663488 ----a-w- c:\windows\system32\BootMan.exe
2009-10-18 06:56 . 2009-04-22 03:28 8704 ----a-w- c:\windows\system32\epmntdrv.sys
2009-10-18 06:56 . 2009-04-22 03:28 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2009-10-18 06:56 . 2009-04-22 03:28 3072 ----a-w- c:\windows\system32\EuGdiDrv.sys
2009-10-18 06:56 . 2009-04-22 03:27 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2009-10-18 06:56 . 2009-10-18 06:56 -------- d-----w- c:\program files\EASEUS
2009-10-15 03:12 . 2006-07-01 11:39 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2009-10-15 03:12 . 2009-10-15 03:24 -------- d-----w- c:\program files\AMD
2009-10-15 03:12 . 2009-10-15 03:12 -------- d-----w- c:\documents and settings\VIP\Application Data\InstallShield
2009-10-15 00:07 . 2009-10-15 00:07 -------- d-----w- c:\windows\system32\NtmsData
2009-10-09 04:56 . 2009-10-09 05:22 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-03 03:39 . 2009-10-03 03:39 -------- d-----w- c:\documents and settings\VIP\Application Data\Recordpad
2009-09-30 10:05 . 2009-09-30 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-30 10:05 . 2009-09-30 10:05 -------- d-----w- c:\program files\NCH Software
2009-09-30 10:04 . 2009-10-06 08:04 -------- d-----w- c:\program files\NCH Swift Sound
2009-09-30 10:04 . 2009-10-06 08:04 -------- d-----w- c:\documents and settings\VIP\Application Data\NCH Swift Sound
2009-09-30 09:53 . 2009-09-30 09:53 -------- d-----w- c:\program files\MySearch
2009-09-30 09:52 . 2009-09-30 09:52 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 07:57 . 2008-12-30 23:37 -------- d-----w- c:\program files\ozi
2009-10-21 07:31 . 2008-03-28 23:45 -------- d-----w- c:\program files\Windows Live Toolbar
2009-10-21 07:31 . 2007-10-22 09:29 -------- d-----w- c:\program files\Shockwave.com
2009-10-21 07:31 . 2007-01-19 13:33 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-17 07:46 . 2008-05-13 03:24 -------- d-----w- c:\documents and settings\VIP\Application Data\LimeWire
2009-10-15 03:12 . 2006-05-16 18:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-14 04:50 . 2008-04-09 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-11 22:39 . 2006-05-17 21:17 -------- d-----w- c:\program files\Java
2009-10-06 22:12 . 2008-02-05 07:42 184 -c--a-w- c:\documents and settings\VIP\same.scr
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 17:10 . 2008-03-25 07:56 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 03:18 . 2009-08-30 03:18 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan
2009-08-30 03:18 . 2009-08-30 03:18 -------- d-----w- c:\documents and settings\VIP\Application Data\Canon
2009-08-30 03:13 . 2009-08-30 03:13 162888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-30 03:05 . 2009-08-30 03:05 -------- d-----w- c:\program files\Microsoft LifeCam
2009-08-30 02:46 . 2006-05-17 21:11 -------- d-----w- c:\documents and settings\VIP\Application Data\Skype
2009-08-30 02:45 . 2008-12-10 00:29 -------- d-----w- c:\documents and settings\VIP\Application Data\skypePM
2009-08-29 08:08 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 12:33 . 2009-08-17 12:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 05:53 . 2006-05-17 18:52 72448 -c--a-w- c:\documents and settings\VIP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 08:24 . 2006-05-16 17:37 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 08:24 . 2006-05-16 17:37 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 08:24 . 2006-05-16 17:37 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 08:24 . 2005-05-25 18:46 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 08:24 . 2006-05-16 17:37 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 08:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 08:23 . 2006-05-16 17:37 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 08:23 . 2009-08-30 15:40 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 08:23 . 2007-09-24 20:55 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 08:23 . 2006-05-16 17:37 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:20 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 09:44 . 2004-08-04 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-07-31 04:23 . 2008-11-08 06:20 411368 -c--a-w- c:\windows\system32\deploytk.dll
2004-10-01 05:30 . 2006-05-17 12:32 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"f:\\Electronic Arts\\Crytek\\Bin32\\Crysis.exe"=
"f:\\Electronic Arts\\Crytek\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24353:TCP"= 24353:TCP:BitComet 24353 TCP
"24353:UDP"= 24353:UDP:BitComet 24353 UDP

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/18/2008 5:04 PM 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [12/18/2008 5:04 PM 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/18/2008 10:47 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/18/2008 5:04 PM 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [12/18/2008 4:58 PM 335376]
S2 gupdate1c9cea7171a9c50;Google Update Service (gupdate1c9cea7171a9c50);c:\program files\Google\Update\GoogleUpdate.exe [5/7/2009 11:02 AM 133104]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10/18/2009 5:56 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10/18/2009 5:56 PM 3072]
S3 PavSRK.sys;PavSRK.sys; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FWLIQKOD
*NewlyCreated* - MBR
*Deregistered* - fwliqkod
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 00:20]

2008-04-07 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-07 00:02]

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-07 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/home/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\VIP\Local Settings\Temporary Internet Files\Content.IE5\QQ8CXK4U\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 17:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-583907252-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:6d,c6,db,27,b3,44,48,06,9a,bb,c1,74,10,43,64,ab,c5,46,48,26,69,
a9,b8,5b,1d,91,e9,a4,65,c7,74,b6,90,a3,64,56,b7,0c,b0,e8,1c,e1,3a,f5,ed,67,\
"rkeysecu"=hex:c1,b2,62,b8,b6,2e,1e,30,88,4a,53,41,8b,dd,02,30
.
Completion time: 2009-10-26 18:00
ComboFix-quarantined-files.txt 2009-10-26 06:59

Pre-Run: 104,720,064,512 bytes free
Post-Run: 104,943,951,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 8BA67B5B58C2A072BBA748BCD9B6A90E

#8 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:36 PM

Posted 26 October 2009 - 03:14 PM

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#9 giddeup
  • Topic Starter
  • Members
  • 11 posts
  • Local time:12:36 PM

Posted 28 October 2009 - 02:35 AM

Thanks for all the help.
Attached are the two DDS logs and below is the malware log. The comp is running a lot better but still having problems with installing new hardware, so I am thinking I might have a problem with the motherboard. But once again thanks for all you've done.

Adam

Malwarebytes' Anti-Malware 1.41
Database version: 3045
Windows 5.1.2600 Service Pack 3

10/28/2009 6:05:30 PM
mbam-log-2009-10-28 (18-05-30).txt

Scan type: Quick Scan
Objects scanned: 121555
Time elapsed: 6 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{014da6cb-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\656F6409 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\656F6D02 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\656F6F73.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\656F74B3.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\kdiue732.txt (Malware.Trace) -> Quarantined and deleted successfully.


#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:36 PM

Posted 28 October 2009 - 03:50 PM

Hi.

Uninstall these older versions of Java please...

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7


Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#11 giddeup
  • Topic Starter
  • Members
  • 11 posts
  • Local time:12:36 PM

Posted 29 October 2009 - 05:28 AM

Thanks for all the help. Here are the files you asked for.

C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL.vir Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined


#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:36 PM

Posted 30 October 2009 - 03:06 PM

Those are all quarantined items from Combofix, so no need to worry about those. We will remove everything at the end of what Combofix detected/quarantined.

How's your computer running now? Any other problems, symptoms, questions left?

~EB

#13 giddeup
  • Topic Starter
  • Members
  • 11 posts
  • Local time:12:36 PM

Posted 31 October 2009 - 10:59 PM

Computer is running much better, thanks. Still having a small problem connecting a new 1 TB hard drive; Windows is saying that it's an invalid date and will not connect it. I think there is a problem with the BIOS, as it recognizes the SATA 1 TB drive as primary and the old IDE drive as well. As the IDE has Windows installed, it reverts to that one and will not let me even format the new one.

Thanks for all your help.

#14 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:36 PM

Posted 01 November 2009 - 07:43 PM

I would ask that in the External Hardware forum for that problem: http://www.bleepingcomputer.com/forums/f/138/external-hardware/

Hopefully someone can assist you with dealing with that issue.

Good luck.

~EB

#15 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:36 PM

Posted 04 November 2009 - 12:32 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy
