Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

computer running slow after virus but says it's cleaned!


  • This topic is locked This topic is locked
9 replies to this topic

#1 nolegirl

nolegirl

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 22 February 2010 - 12:29 AM

I got a virus last week on my computer it was called Cryp_Xed-22 i managed to delete it and did many different scans spend hours on phone with trend micro and Microsoft pc safety. i usually am pretty good at this buy now in all the years i have never had a problem with my computer running slow and weird . every time i open firefox or explorer they both are slow and shut down also some parts of my computer are just slower than normal. i have checked everything and uninstalled and reinstalled these . here are the logs of hijack this and root kit search as well? does anyone one see something wrong? I appreciate your help thanks!!!


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:09:57 AM, on 2/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Java S1] \\?\globalroot\systemroot\system32\mschr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238805614718
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5516 bytes



ALSO HERE IS THIS LOG AS WELL
----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.80.0.1077
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
[HIDDEN_FILE]:
FullPath : Master Boot Record (MBR) Sector
FullPathLength: 0
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x0
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\ACRORD32.EXE-01080F7C.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-1A3A138E.pf
FullPathLength: 48
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\ADOBEUPDATER.EXE-27A3E5C5.pf
FullPathLength: 48
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\AGENT.EXE-00ED4190.pf
FullPathLength: 41
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\BCMWLTRY.EXE-2A90025A.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\BPTU85451.EXE-22A72EC7.pf
FullPathLength: 45
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\CMCSERVICE.EXE-02BA0108.pf
FullPathLength: 46
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\CTFMON.EXE-05E57A5E.pf
FullPathLength: 42
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DEFRAG.EXE-2858C7E2.pf
FullPathLength: 42
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DFRGNTFS.EXE-38C3807C.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLCCCOMS.EXE-2D331215.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLCCJSWX.EXE-071BE6D2.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLCCMON.EXE-151FD002.pf
FullPathLength: 43
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLCCPSWX.EXE-2BA9239A.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLLHOST.EXE-14573387.pf
FullPathLength: 43
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DSAGNT.EXE-2DA183E7.pf
FullPathLength: 42
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
17 hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

Edited by Pandy, 22 February 2010 - 06:03 AM.
MOved from Win XP Home and Pro ~Pandy


BC AdBot (Login to Remove)

 


#2 nolegirl

nolegirl
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 22 February 2010 - 01:01 AM

I got a virus last week on my computer it was called Cryp_Xed-22 i managed to delete it and did many different scans spend hours on phone with trend micro and Microsoft pc safety. i usually am pretty good at this but now in all the years i have never had a problem with my computer running slow and weird . every time i open firefox or explorer they both are slow and shut down also some parts of my computer are just slower than normal. i have checked everything and uninstalled and reinstalled these . here are the logs of hijack this and root kit search as well? does anyone one see something wrong? I appreciate your help thanks!!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:10 AM, on 2/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HiJackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Java S1] \\?\globalroot\systemroot\system32\mschr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238805614718
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5181 bytes



ALSO HERE IS THIS LOG AS WELL
----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.80.0.1077
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
[HIDDEN_FILE]:
FullPath : Master Boot Record (MBR) Sector
FullPathLength: 0
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x0
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\ACRORD32.EXE-01080F7C.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-1A3A138E.pf
FullPathLength: 48
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\ADOBEUPDATER.EXE-27A3E5C5.pf
FullPathLength: 48
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\AGENT.EXE-00ED4190.pf
FullPathLength: 41
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\BCMWLTRY.EXE-2A90025A.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\BPTU85451.EXE-22A72EC7.pf
FullPathLength: 45
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\CMCSERVICE.EXE-02BA0108.pf
FullPathLength: 46
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\CTFMON.EXE-05E57A5E.pf
FullPathLength: 42
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DEFRAG.EXE-2858C7E2.pf
FullPathLength: 42
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DFRGNTFS.EXE-38C3807C.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLCCCOMS.EXE-2D331215.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLCCJSWX.EXE-071BE6D2.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLCCMON.EXE-151FD002.pf
FullPathLength: 43
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLCCPSWX.EXE-2BA9239A.pf
FullPathLength: 44
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DLLHOST.EXE-14573387.pf
FullPathLength: 43
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\WINDOWS\Prefetch\DSAGNT.EXE-2DA183E7.pf
FullPathLength: 42
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x2020
ShareAccess : 0x0
Type : 0x0
17 hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

Edited by Orange Blossom, 22 February 2010 - 03:07 PM.
Merged topics. ~ OB


#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:35 PM

Posted 24 February 2010 - 01:55 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:35 PM

Posted 01 March 2010 - 12:43 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:35 PM

Posted 02 March 2010 - 12:29 AM

Reopened by user request.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#6 nolegirl

nolegirl
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 03 March 2010 - 12:10 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-01 23:15:13
Windows 5.1.2600 Service Pack 3
Running: 01sgnoxs.exe; Driver: C:\DOCUME~1\TIASWA~1\LOCALS~1\Temp\pxtdipow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/26/2006 5:37:21 PM
System Uptime: 3/1/2010 9:59:56 PM (1 hours ago)

Motherboard: Dell Inc. | | 0JC474
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 144 GiB total, 76.724 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP255: 12/1/2009 12:51:10 PM - System Checkpoint
RP256: 12/2/2009 6:20:10 PM - System Checkpoint
RP257: 12/3/2009 6:34:49 PM - System Checkpoint
RP258: 12/5/2009 3:44:42 PM - System Checkpoint
RP259: 12/7/2009 12:48:20 AM - System Checkpoint
RP260: 12/8/2009 5:26:51 AM - System Checkpoint
RP261: 12/10/2009 1:01:00 AM - Software Distribution Service 3.0
RP262: 12/11/2009 10:16:58 PM - System Checkpoint
RP263: 12/13/2009 1:11:34 PM - System Checkpoint
RP264: 12/16/2009 1:58:15 PM - System Checkpoint
RP265: 12/18/2009 2:45:01 AM - System Checkpoint
RP266: 12/20/2009 2:16:02 PM - System Checkpoint
RP267: 12/22/2009 2:14:06 AM - System Checkpoint
RP268: 1/5/2010 1:18:57 AM - System Checkpoint
RP269: 1/6/2010 2:24:24 AM - System Checkpoint
RP270: 1/7/2010 7:23:38 PM - System Checkpoint
RP271: 1/9/2010 2:36:26 AM - System Checkpoint
RP272: 1/9/2010 12:50:08 PM - Logitech Webcam Software v12.0.1278
RP273: 1/10/2010 2:35:06 PM - System Checkpoint
RP274: 1/10/2010 7:59:54 PM - Software Distribution Service 3.0
RP275: 1/10/2010 8:08:33 PM - Removed Google Gears
RP276: 1/10/2010 8:09:22 PM - Removed EarthLink setup files
RP277: 1/11/2010 9:00:34 PM - System Checkpoint
RP278: 1/12/2010 11:56:23 AM - Software Distribution Service 3.0
RP279: 1/13/2010 12:48:57 PM - System Checkpoint
RP280: 1/13/2010 1:35:49 PM - Software Distribution Service 3.0
RP281: 1/13/2010 9:53:18 PM - Installed HiJackThis
RP282: 1/15/2010 12:37:23 AM - System Checkpoint
RP283: 1/16/2010 5:10:48 AM - System Checkpoint
RP284: 1/18/2010 10:42:02 PM - System Checkpoint
RP285: 1/22/2010 1:53:44 PM - Software Distribution Service 3.0
RP286: 1/24/2010 12:22:32 PM - System Checkpoint
RP287: 1/27/2010 11:03:39 AM - System Checkpoint
RP288: 1/30/2010 4:13:55 PM - System Checkpoint
RP289: 1/31/2010 12:34:51 PM - Software Distribution Service 3.0
RP290: 2/1/2010 1:57:43 PM - System Checkpoint
RP291: 2/3/2010 7:18:36 PM - System Checkpoint
RP292: 2/4/2010 9:37:37 PM - System Checkpoint
RP293: 2/6/2010 6:50:50 AM - System Checkpoint
RP294: 2/7/2010 1:05:04 PM - System Checkpoint
RP295: 2/9/2010 3:13:14 PM - System Checkpoint
RP296: 2/10/2010 12:26:56 AM - Software Distribution Service 3.0
RP297: 2/11/2010 3:10:28 PM - System Checkpoint
RP298: 2/13/2010 12:35:19 AM - Software Distribution Service 3.0
RP299: 2/13/2010 9:02:51 PM - Software Distribution Service 3.0
RP300: 2/13/2010 9:52:28 PM - Installed Microsoft Easy Assist v2
RP301: 2/13/2010 10:49:32 PM - Software Distribution Service 3.0
RP302: 2/15/2010 12:16:42 PM - System Checkpoint
RP303: 2/15/2010 1:07:30 PM - Installed Trend Micro Internet Security
RP304: 2/16/2010 1:49:49 PM - System Checkpoint
RP305: 2/17/2010 6:25:55 PM - System Checkpoint
RP306: 2/19/2010 5:24:15 AM - System Checkpoint
RP307: 2/19/2010 11:52:00 PM - Software Distribution Service 3.0
RP308: 2/20/2010 12:24:58 AM - Removed Netflix Movie Viewer
RP309: 2/20/2010 12:32:40 AM - Software Distribution Service 3.0
RP310: 2/21/2010 12:12:52 AM - Software Distribution Service 3.0
RP311: 2/21/2010 2:33:09 PM - Configured PowerDirector
RP312: 2/21/2010 2:48:21 PM - Removed HiJackThis
RP313: 2/21/2010 3:13:31 PM - Removed Microsoft Easy Assist v2
RP314: 2/21/2010 11:41:05 PM - Installed Trend Micro RUBotted
RP315: 2/22/2010 12:06:52 AM - Installed HiJackThis
RP316: 2/22/2010 12:54:03 AM - Removed HiJackThis
RP317: 2/24/2010 12:48:52 AM - Software Distribution Service 3.0
RP318: 2/26/2010 11:06:39 AM - System Checkpoint
RP319: 2/26/2010 9:56:03 PM - Removed Trend Micro Internet Security
RP320: 2/26/2010 10:46:56 PM - Removed Trend Micro Internet Security
RP321: 2/26/2010 10:53:23 PM - Installed Trend Micro Internet Security
RP322: 2/27/2010 11:35:34 AM - Removed Apple Mobile Device Support
RP323: 2/28/2010 12:20:23 AM - Installed CounterSpy.
RP324: 2/28/2010 9:05:26 PM - Removed CounterSpy.

==== Installed Programs ======================

3ivx MPEG-4 5.0.3 (remove only)
924PLC32
ABBYY FineReader 6.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Photoshop Elements 2.0
Adobe Reader 8.1.4
Adobe SVG Viewer 3.0
AOLIcon
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
AutoUpdate
Belkin Wireless Utility
Bonjour
BUM
Catalyst Media Center
Catalyst Media Center DVD Authoring Module
Corel Photo Album 6
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Photo AIO Printer 924
Dell System Restore
Dell TrueMobile 2300 Control Utility
Dell TrueMobile 2300 Wireless Broadband Router Control Utility
DellConnect
DellSupport
Digital Content Portal
Digital Photo Navigator 1.5
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EducateU
Facebook Plug-In
Fast Track USB
GemMaster Mystic
Google AFE
Google Desktop
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel® 537EP V9x DF PCI Modem
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
iPod Updater 2004-11-15
iPodCopy
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 17
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
KODAK EASYSHARE Gallery Easy Upload, v2.1
KODAK EASYSHARE Gallery Upload ActiveX Control
Learn2 Player (Uninstall Only)
LimeWire 4.18.8
Logitech Vid
Logitech Webcam Software
Logitech Webcam Software Driver Package
Macromedia Shockwave Player
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets & Trips 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
muvee Plugin 1.0
NetZeroInstallers
OpenOffice.org Installer 1.0
Otto
Portrait Professional 8.1
PowerCinema NE for Everio
PowerDVD 5.5
QuickTime
RealPlayer Basic
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Session
Skype web features
Skype™ 4.1
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Trend Micro Internet Security
Try Corel Snapfire muvee autoProducer add on
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Works Upgrade

==== Event Viewer Messages From Past Week ========

2/28/2010 2:38:11 PM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
2/27/2010 12:43:31 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm tmtdi
2/27/2010 12:42:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/27/2010 12:41:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
2/27/2010 1:52:47 PM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2010 9:56:25 PM, error: ipnathlp [31012] - The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.
2/26/2010 9:49:22 AM, error: Service Control Manager [7000] - The Trend Micro RUBotted Service service failed to start due to the following error: The system cannot find the file specified.

==== End Of File =============

#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:35 PM

Posted 03 March 2010 - 02:07 PM

Hello, nolegirl
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#8 nolegirl

nolegirl
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 06 March 2010 - 02:35 PM

Hi please see combofix text.
A popup kept coming up saying the C:\$Mft is corrupt and unreadble. that was the only thing that popped up no other windows. my firefox is not loading at all it keeps saying it crashed.

Thanks for you help , hopefully you might find something wrong in the scan results from combofix.

Tia

Attached Files



#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:35 PM

Posted 07 March 2010 - 04:07 AM

Hi,

Download and save HelpAsst_mebroot_fix.exe
Double click to run the tool.

When complete, go to Start => Run and copy/paste the following line and click OK.

cmd /c mbr.exe -f

After reboot, go to Start => Run and copy/paste the following line and click OK.

cmd /c mbr.exe -t >log.txt&start log.txt

A log file opens. Please post the content to your reply.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:35 PM

Posted 12 March 2010 - 11:58 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users