
Internet Security 2010 - Removed But Issues Persist


  • This topic is locked
2 replies to this topic

#1 mark0101

mark0101

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 15 January 2010 - 06:12 PM

Hello,

After following the steps on http://www.bleepingcomputer.com/virus-remo...t-security-2010 I found the fake AV was gone, but I couldn't connect to any website or network shares. It is connecting to the network - correct I.P. address, TCP-IP/DNS looks correct, I am able to ping the computer...just no websites or shares.

So I figured some important Windows file was removed or corrupted so I Repair installed Windows, but to no avail.

Any ideas are much appreciated.

Mark


DDS LOG:

DDS (Ver_09-12-01.01) - NTFSx86
Run by mark.shepherd at 13:32:21.00 on Fri 01/15/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.608 [GMT -8:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {AB3BA4B0-E5E9-402D-A7B0-704B75A99020}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Bentley Shared\IEG\IEGLCS\IEGLicSrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\code\CEMANAGER.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\mark.shepherd\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca
mStart Page = hxxp://www.google.ca
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Build_Stub] c:\code\build_stub.exe
mRun: [LSHook] c:\code\lshook.vbe
mRun: [SSRPM Enrollment Wizard] "c:\program files\tools4ever\ssrpm\enrollment wizard\SSRPMEnroll.exe" /Autostart
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-system: NoDispScrSavPage = 1 (0x1)
uPolicies-system: SetVisualStyle =
mPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: NoDispScrSavPage = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\helper32.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
mASetup: {7C06A405-7A69-4600-8C4C-1873A5AF800F}-RefreshHKCU - reg.exe DELETE "HKCU\Software\Microsoft\Office\11.0\Outlook" /v "Exchange Client Extension" /f
mASetup: {7C06A405-7A69-4600-8C4C-1873A5AF800F}-RefreshHKLM - reg.exe ADD "HKLM\SOFTWARE\Microsoft\Exchange\Client\Extensions" /v "Outlook Setup Extension" /d "4.0;Outxxx.dll;7;000000000000000;0000000000;OutXXX" /f

============= SERVICES / DRIVERS ===============

R2 Sentry;Sentry;c:\windows\system32\drivers\sentry.sys [2008-2-19 9180]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2005-11-9 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2005-11-9 36368]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-9-17 652552]

=============== Created Last 30 ================

2010-01-15 21:15:50 0 d-----w- c:\program files\Broadcom
2010-01-15 21:08:20 0 d-----w- c:\program files\Dell
2010-01-15 21:07:57 536821 ----a-w- C:\BIOS A11GX620.EXE
2010-01-15 21:07:51 24762656 ----a-w- C:\Intel Chipset R132539.EXE
2010-01-15 21:07:47 4669464 ----a-w- C:\broadcom network driver R97582.EXE
2010-01-15 20:53:59 23040 -c--a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2010-01-15 20:52:59 7680 -c--a-w- c:\windows\system32\dllcache\ftpctrs2.dll
2010-01-15 20:52:01 0 d-----w- c:\program files\msn gaming zone
2010-01-15 20:50:45 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-01-15 20:50:38 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-01-15 20:50:38 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-01-15 20:50:38 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-01-15 20:50:38 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-01-15 20:50:38 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-01-15 19:03:13 0 d-----w- c:\program files\TrendMicro
2010-01-15 17:11:47 0 d-----w- c:\windows\pss
2010-01-15 17:03:41 0 d-----w- c:\docume~1\markd~1.she\applic~1\Malwarebytes
2010-01-15 17:03:35 0 ----a-w- c:\windows\system32\helper32.dllOLD
2010-01-15 16:48:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 16:48:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 16:48:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 16:48:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-15 16:44:19 10752 ----a-w- c:\windows\DCEBoot.exeOLD
2010-01-15 12:08:18 288 ----a-w- c:\windows\system32\$winnt$.inf
2010-01-15 01:51:25 18944 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-15 01:51:25 18944 ----a-w- c:\windows\system32\smss32.exe

==================== Find3M ====================

2010-01-15 20:49:28 23348 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 13:32:39.62 ===============

Edited by mark0101, 15 January 2010 - 06:15 PM.


#2 mark0101

mark0101
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:35 PM

Posted 15 January 2010 - 07:03 PM

Please close this post.

I noticed I had these virus files still on my computer: C:\WINDOWS\system32\helper32.dll, winlogon32.exe;
so I was able to fix it using LSPFix:

"Download LSPFix from http://www.cexx.org/lspfix.zip and unzip it to your Desktop.

Run LSPFix. Place a tick in “I know what I'm doing”.

In the KEEP box select helper32.dll and press the “>>” button.

Press the Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK."

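The failure mode in this thread (the cleanup renamed helper32.dll to helper32.dllOLD while the Winsock catalog still listed it as an LSP, so TCP applications broke while ping, which does not go through Winsock, still worked) can be checked for from a captured `netsh winsock show catalog` listing. The script below is an added example, not code from the thread or from LSPFix; the sample listing, its field layout and its entry IDs are constructed.

```python
"""Triage a captured `netsh winsock show catalog` listing for orphaned LSP entries.
Added example, not from the thread; field names follow netsh's shape, sample constructed."""
import re
# Entry 1002 mirrors the thread: the catalog still layers helper32.dll over TCP/IP
# although the cleanup renamed the file to helper32.dllOLD. Values are constructed.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
Entry Type:                         Base Service Provider
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
Entry Type:                         Layered Service Provider
Provider Path:                      %SystemRoot%\system32\helper32.dll
Catalog Entry ID:                   1002
Protocol Chain:                     1002 : 1001

Winsock Catalog Provider Entry
Entry Type:                         Layered Service Provider
Provider Path:                      %SystemRoot%\system32\helper32.dll
Catalog Entry ID:                   1003
Protocol Chain:                     1003 : 1999
"""
def parse_catalog(text):
    """Split the listing on blank lines; each entry becomes a dict of 'Field: value'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z ]+):\s+(.*)$", block, flags=re.M))
        if "Catalog Entry ID" in fields:
            entries.append({k.strip(): v.strip() for k, v in fields.items()})
    return entries

def find_orphans(entries, present_files, system_root=r"c:\windows"):
    """Flag LSPs whose DLL no longer exists and chains that reference unknown entry IDs.
    present_files: lower-cased paths existing on the examined host, passed in so a listing
    captured from another machine can be checked offline."""
    ids = {e["Catalog Entry ID"] for e in entries}
    findings = []
    for e in entries:
        path = e.get("Provider Path", "").lower().replace("%systemroot%", system_root)
        if e.get("Entry Type") == "Layered Service Provider" and path not in present_files:
            findings.append((e["Catalog Entry ID"], "missing DLL", path))
        for hop in re.findall(r"\d+", e.get("Protocol Chain", "")):
            if hop not in ids:
                findings.append((e["Catalog Entry ID"], "chain references unknown entry", hop))
    return findings

if __name__ == "__main__":
    print(find_orphans(parse_catalog(SAMPLE_CATALOG), {r"c:\windows\system32\mswsock.dll"}))
```

Both LSPFix, as used in the post above, and `netsh winsock reset` (Windows XP SP2 and later) rebuild the catalog so that such an orphaned entry is removed.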

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:06:35 AM

Posted 15 January 2010 - 07:20 PM

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
