Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Something Fishy is going on.


  • This topic is locked This topic is locked
2 replies to this topic

#1 Fleetx

Fleetx

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:14 PM

Posted 17 November 2009 - 05:31 PM

Hi,

Well Not sure how but whilst living in Thailand My companies computers were totally compromised and riddled with viruses and malware. I've returned to Australia with this PC and 12 hard drives just to get this fixed. I've rebuilt this PC with a new mobo and did a low level (dban) format of my drive and installed Vista. But something just doesn't seem right. Please look at below. thanks.

I just added this list of 0% of users which is freightening....

Index % of PCs with item Code Data
1 0.0% O1 ::1 localhost
2 0.0% O13
32 0.0% P01 C:\WINDOWS\Explorer.EXE
33 0.0% P01 C:\Program Files\Internet Explorer\iexplore.exe
34 0.0% P01 C:\WINDOWS\system32\wuauclt.exe
35 0.0% P01 C:\WINDOWS\system32\NOTEPAD.EXE
36 0.0% P01 C:\Program Files\Mozilla Firefox\firefox.exe
37 0.0% P01 C:\Program Files\Windows Defender\MSASCui.exe
38 0.0% P01 C:\Windows\system32\taskeng.exe
39 0.0% P01 C:\Windows\system32\Dwm.exe
40 0.0% P01 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
41 0.0% P01 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
42 0.0% P01 C:\WINDOWS\system32\mmc.exe
43 0.0% P01 C:\Windows\system32\SearchFilterHost.exe
44 0.0% P01 C:\Windows\system32\msconfig.exe
45 0.0% P01 C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
46 0.0% P01 C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe
47 0.0% P01 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
48 0.0% P01 C:\Windows\system32\msinfo32.exe
49 0.0% P01 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
50 0.0% P01 C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
51 0.0% P01 C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
52 0.0% P01 C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
53 0.0% P01 C:\Program Files\Adobe\Adobe Dreamweaver CS4\Dreamweaver.exe
54 0.0% P01 C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
55 0.0% P01 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
56 0.0% P01 C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
57 0.0% R0 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
58 0.0% R0 HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
59 0.0% R0 HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
60 0.0% R0 HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
61 0.0% R0 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
62 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
63 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
64 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
65 0.0% R1 HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

Here's my HJT log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:49 AM, on 11/18/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Adobe Dreamweaver CS4\Dreamweaver.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Windows\system32\mmc.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Windows\system32\msconfig.exe
C:\Windows\System32\msinfo32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BackgroundSwitcher] "C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6090 bytes




-------------------------------------------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Here's my Spy bot report.....


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-11-12 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-10-08 Includes\Adware.sbi
2009-11-10 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-11-03 Includes\Dialer.sbi
2009-10-13 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-05-27 Includes\Hijackers.sbi
2009-10-27 Includes\HijackersC.sbi
2009-10-20 Includes\Keyloggers.sbi
2009-10-20 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-11-10 Includes\Malware.sbi
2009-11-10 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-10-20 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-14 Includes\Security.sbi
2009-11-10 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-11-03 Includes\Spyware.sbi
2009-11-10 Includes\SpywareC.sbi
2009-06-08 Includes\Tracks.uti
2009-11-11 Includes\Trojans.sbi
2009-11-10 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows Vista (Build: 6002) Service Pack 2 (6.0.6002)


--- Startup entries list ---
Located: HK_LM:Run, AdobeCS4ServiceManager
command: "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
file: C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
size: 611712
MD5: E43A851F7B12DE589424D6C656155CFC

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
file: C:\Windows\system32\NvCpl.dll
size: 13785632
MD5: 35DE8CCF799BC54171C1F570122F93B5

Located: HK_LM:Run, RtHDVCpl
command: C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
file: C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
size: 6711840
MD5: E563002C689DF5A8F3CBF68450E52740

Located: HK_LM:Run, ShaPlus Bandwidth Meter
command: "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s
file: C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, Skytel
command: C:\Program Files\Realtek\Audio\HDA\Skytel.exe
file: C:\Program Files\Realtek\Audio\HDA\Skytel.exe
size: 1833504
MD5: C4AC84DCE65CF8DF2DFE87F73BC4BCEB

Located: HK_LM:Run, UfSeAgnt.exe
command: "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
file: C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
size: 1020248
MD5: B12D2CBDD13528F6D2C69B666068FA26

Located: HK_LM:Run, Windows Defender
command: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E

Located: HK_CU:Run, BackgroundSwitcher
where: S-1-5-21-2243569614-3995477571-3865028350-1000...
command: "C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe"
file: C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
size: 119104
MD5: E719844C4E5CA821843D031448A82DED

Located: HK_CU:Run, OE
where: S-1-5-21-2243569614-3995477571-3865028350-1000...
command: "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
file: C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
size: 492808
MD5: 3890B3599A0AC4F11264985F9D3352FD

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-2243569614-3995477571-3865028350-1000...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1



--- Browser helper object list ---
{43C6D902-A1C5-45c9-91F6-FD9E90337E18} (Trend Micro Toolbar BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Trend Micro Toolbar BHO
CLSID name: TSToolbarBHO
Path: C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\
Long name: TSToolbar.dll
Short name: TSTOOL~1.DLL
Date (created): 11/10/2009 4:34:52 PM
Date (last access): 11/10/2009 4:34:52 PM
Date (last write): 7/27/2009 7:30:00 PM
Filesize: 148816
Attributes: archive
MD5: 451F7844480A8A30897A3670CCC0DB97
CRC32: B170A3F4
Version: 1.6.0.1126

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 11/12/2009 5:34:56 AM
Date (last access): 11/12/2009 5:34:56 AM
Date (last write): 1/26/2009 3:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14



--- ActiveX list ---
{4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control)
DPF name:
CLSID name: DLM Control
Installer: C:\Windows\Downloaded Program Files\DownloadManagerV2.inf
Codebase: http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
Path: C:\Windows\DOWNLO~1\
Long name: DownloadManagerV2.ocx
Short name: DOWNLO~1.OCX
Date (created): 5/20/2009 12:18:42 PM
Date (last access): 5/20/2009 12:18:42 PM
Date (last write): 5/20/2009 12:18:42 PM
Filesize: 45056
Attributes: archive
MD5: 352AB6C3942E509332DEC566AABCFD62
CRC32: F6DC3A02
Version: 2.2.5.0

{E2883E8F-472F-4FB0-9522-AC9BF37916A7} ()
DPF name:
CLSID name:
Installer: C:\Windows\Downloaded Program Files\gp.inf
Codebase: http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab



--- Process list ---
PID: 2624 (1172) C:\Windows\system32\taskeng.exe
size: 169984
MD5: E5BBFC283D6F5D69B41E464676361020
PID: 2748 (1140) C:\Windows\system32\Dwm.exe
size: 81920
MD5: 01DD1004181FD46ECDC3628228EB269D
PID: 2816 (2728) C:\Windows\Explorer.EXE
size: 2926592
MD5: D07D4C3038F3578FFCE1C0237F2A1253
PID: 4040 (2816) C:\Program Files\Windows Defender\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E
PID: 4052 (2816) C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
size: 1020248
MD5: B12D2CBDD13528F6D2C69B666068FA26
PID: 2572 (2816) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
size: 6711840
MD5: E563002C689DF5A8F3CBF68450E52740
PID: 2612 (2816) C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe
size: 151552
MD5: DED3209E013DC69AA2A4C46A5FCBF318
PID: 2600 (2816) C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
size: 492808
MD5: 3890B3599A0AC4F11264985F9D3352FD
PID: 2808 (2816) C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
size: 119104
MD5: E719844C4E5CA821843D031448A82DED
PID: 3468 (2816) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1
PID: 3504 (2816) C:\Program Files\Adobe\Adobe Dreamweaver CS4\Dreamweaver.exe
size: 16188784
MD5: 074F6DD621E5B9818394F88BCBFB26D9
PID: 2264 (2816) C:\Program Files\Mozilla Firefox\firefox.exe
size: 908248
MD5: 3EB0BF64DB2BDBAD94ECD9AAD16E6BA0
PID: 1236 (1172) C:\Windows\system32\wuauclt.exe
size: 53472
MD5: 62BB79160F86CD962F312C68C6239BFD
PID: 2568 ( 892) C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
size: 185680
MD5: 14CFAD25FC8BDF4371459F4767996600
PID: 2960 (2264) C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
size: 157008
MD5: 7CB134399A2D46E22379C652C7926B3F
PID: 4356 (4052) C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
size: 1296288
MD5: CB4FC3631E040B4AA91FE245EDE0C1D8
PID: 4636 (3468) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 528 ( 4) smss.exe
size: 64000
PID: 600 ( 588) csrss.exe
size: 6144
PID: 652 ( 588) wininit.exe
size: 96768
PID: 664 ( 644) csrss.exe
size: 6144
PID: 696 ( 652) services.exe
size: 279552
PID: 708 ( 652) lsass.exe
size: 9728
PID: 720 ( 652) lsm.exe
size: 229888
PID: 872 ( 644) winlogon.exe
size: 314368
PID: 892 ( 696) svchost.exe
size: 21504
PID: 972 ( 696) nvvsvc.exe
size: 211488
PID: 1000 ( 696) svchost.exe
size: 21504
PID: 1044 ( 696) svchost.exe
size: 21504
PID: 1096 ( 696) svchost.exe
size: 21504
PID: 1140 ( 696) svchost.exe
size: 21504
PID: 1172 ( 696) svchost.exe
size: 21504
PID: 1292 (1096) audiodg.exe
size: 88576
PID: 1320 ( 696) svchost.exe
size: 21504
PID: 1364 ( 696) SLsvc.exe
size: 3408896
PID: 1428 ( 696) svchost.exe
size: 21504
PID: 1604 ( 972) nvvsvc.exe
size: 211488
PID: 1620 ( 696) svchost.exe
size: 21504
PID: 1844 ( 696) spoolsv.exe
size: 127488
PID: 1868 ( 696) svchost.exe
size: 21504
PID: 464 ( 696) essvr.exe
PID: 608 ( 696) svchost.exe
size: 21504
PID: 588 ( 696) SfCtlCom.exe
PID: 2084 ( 696) svchost.exe
size: 21504
PID: 2104 ( 696) SearchIndexer.exe
size: 441344
PID: 2360 ( 696) SDWinSec.exe
size: 1153368
MD5: 794D4B48DFB6E999537C7C3947863463
PID: 2520 (1172) taskeng.exe
size: 169984
PID: 2532 ( 588) ProToolbarUpdate.exe
PID: 3020 ( 696) TmPfw.exe
PID: 3080 ( 696) TmProxy.exe
PID: 748 ( 696) FNPLicensingService.exe
PID: 1248 ( 696) TMBMSRV.exe
PID: 1416 (2104) SearchProtocolHost.exe
size: 185344
PID: 5208 (2816) mmc.exe
size: 1792512
PID: 2236 (2816) mmc.exe
size: 1792512
PID: 4692 (2816) msconfig.exe
size: 227840
PID: 2552 (4692) msinfo32.exe
size: 408064
PID: 4460 ( 696) svchost.exe
size: 21504
PID: 4788 (2104) SearchFilterHost.exe
size: 87552


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 11/18/2009 8:13:25 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\System32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 4: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 5: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 6: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 7: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 8: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E70E0ADD-158E-4ED7-80B7-1494472526F3}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E70E0ADD-158E-4ED7-80B7-1494472526F3}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{78E1E1E6-0303-49D7-A690-FBD9A4E934C7}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{78E1E1E6-0303-49D7-A690-FBD9A4E934C7}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0254E6E1-D6FB-44A0-8611-5DCC7927C6C2}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0254E6E1-D6FB-44A0-8611-5DCC7927C6C2}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{54FC5CC8-8807-48FD-863A-0CC755913961}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{54FC5CC8-8807-48FD-863A-0CC755913961}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{7F66E906-7E36-493B-AD4D-32EC8F2944B8}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{7F66E906-7E36-493B-AD4D-32EC8F2944B8}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{4A657008-2845-4427-9321-EB570E44B05E}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{4A657008-2845-4427-9321-EB570E44B05E}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{E70E0ADD-158E-4ED7-80B7-1494472526F3}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{E70E0ADD-158E-4ED7-80B7-1494472526F3}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{78E1E1E6-0303-49D7-A690-FBD9A4E934C7}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{78E1E1E6-0303-49D7-A690-FBD9A4E934C7}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{0254E6E1-D6FB-44A0-8611-5DCC7927C6C2}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{0254E6E1-D6FB-44A0-8611-5DCC7927C6C2}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename:
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 1: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:

Namespace Provider 2: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 3: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 4: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename:
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 5: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS



-------------------------------------------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

I know there's something fishy going on I just can't nail it.

Edited by Fleetx, 17 November 2009 - 05:57 PM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:14 PM

Posted 25 November 2009 - 07:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:14 PM

Posted 01 December 2009 - 10:18 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users