Browser Redirect, Rootkit problem, etc


  • This topic is locked
28 replies to this topic

#1 Plexi

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 02 May 2010 - 10:57 PM

Hello,

I previously posted incorrectly, so here is my second stab at it (thanks Orange Blossom!). I seem to have been infected by a series of problems and I don't know what the root of it is. Originally, late at night, I got several warnings from my Avira AntiVir before the computer eventually just shut off. When I got back on (in safe mode) I ran a scan of Avira and it caught a few things and removed them. When I got back into normal mode and tried to open my normal browser (Chrome) I found that it would hang on "loading..." and it would eventually tell me that the untitled page has crashed and I could either wait or force close it. Then, I tried using Firefox, which loaded up fine, but I found that I got redirected to junk sites whenever I would perform a search. So, I ran MBAM and another Avira scan, both caught things and removed them, but unfortunately the problem persisted. I did some searches and found that I could have a rootkit problem, so I ran TDSSKiller, which found a rootkit problem, but could not fix it (I kept running it after the restart and it kept finding the same infection). Then I ran Combofix and it seemed to fix the problem, until I came on here (in Chrome) to post the logs. My computer restarted and when I tried to run Chrome, it wouldn't load (same problem) and Firefox was redirecting again.

I was informed by Orange Blossom to post my DDS logs, my combofix logs, and my GMER logs, but unfortunately I can only post my DDS and combofix logs. Whenever I try to run GMER my computer restarts. I tried renaming the file, but it didn't help.

Thanks in advance!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Josh at 19:45:51.89 on Sun 05/02/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2219 [GMT -7:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A17C72C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86450454-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864A46F4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8643A49C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1CCDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8649A74C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863BEAB4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86640194-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8631ADDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8636B83C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863E3DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8642F2CC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1284AC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated) {8643D9BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86568984-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1A0484-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862B5DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86155494-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86260DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863E6374-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863F7A74-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86545564-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1725EC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {89676C3C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86395DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86456334-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863295E4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {855BF054-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1A7DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86165DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A111304-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866AC46C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8642A504-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866BA6A4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863F2824-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A167DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866C2DDC-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1B4524-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864C95B4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8646968C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8638F284-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1E0324-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8652574C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {85454DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A060DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A0E081C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8641C72C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866C11E4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {898A75BC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {89EC4A84-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A39E414-FFA4-00EF-0D24-347CA8A3377C}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1E19F4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863A1B6C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {BADB0D00-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {85504054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863E8054-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863FD9BC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A11A824-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862B069C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1B8264-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {861FDDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {861DAC24-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8649C6AC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A0C6DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A14B374-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863DC73C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {85C5656C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864DDDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8621B264-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863F14AC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86268DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8949EC04-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A126824-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A2F7474-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86315C4C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8659C324-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864A7594-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862F66AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862A237C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8636C564-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1F2B64-FFA4-0100-0D24-347CA8A3377C}
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8571FDDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1EC234-FFA4-00EF-0D24-347CA8A3377C}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Josh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [AtiTrayTools] "c:\program files\ray adams\ati tray tools\atitray.exe"
uRun: [Google Update] "c:\documents and settings\Josh\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\josh\applic~1\mozilla\firefox\profiles\mtwuyxbz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Josh\application data\mozilla\firefox\profiles\mtwuyxbz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Josh\application data\mozilla\firefox\profiles\mtwuyxbz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\Josh\application data\mozilla\plugins\NPAbacheck.dll
FF - plugin: c:\documents and settings\Josh\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-1 64288]
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2007-5-22 18088]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-31 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-31 56816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 203024]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36112]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-19 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 Brvwpoworpab;Brvwpoworpab; [x]

=============== Created Last 30 ================

2010-05-03 02:43:56 0 ----a-w- c:\documents and settings\Josh\defogger_reenable
2010-05-03 01:48:49 0 d-sha-r- C:\cmdcons
2010-05-03 01:45:38 77312 ----a-w- c:\windows\MBR.exe
2010-05-03 01:45:32 98816 ----a-w- c:\windows\sed.exe
2010-05-03 01:45:32 256512 ----a-w- c:\windows\PEV.exe
2010-05-03 01:45:32 161792 ----a-w- c:\windows\SWREG.exe
2010-05-03 01:26:44 178000 ----a-w- C:\TDSSKiller.exe
2010-05-03 01:26:31 154469 ----a-w- C:\tdsskiller.zip
2010-05-02 17:18:12 0 d-----w- c:\docume~1\josh\applic~1\Malwarebytes
2010-05-02 17:17:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 17:17:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-02 17:17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 17:17:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-05-03 01:43:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-25 08:38:36 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2009-09-04 09:29:30 4509 ----a-w- c:\program files\trapcode3Dstroke.log
2009-05-05 08:42:02 25 ----a-w- c:\program files\popcinfot.dat
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-03-01 20:32:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030120090302\index.dat

============= FINISH: 19:46:11.10 ===============

Edited by Plexi, 02 May 2010 - 10:58 PM.
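A first triage pass over a log in the DDS layout shown above, as an added example that is not part of the original post and not code from the DDS tool. The sample log inside is constructed from a handful of lines of the kind that appear in the log, and the cut-off date used to call a driver "recently modified" is a parameter the caller chooses.

```python
"""Triage helper for the DDS log layout shown in the post above.

Added example: not code from the DDS tool or from the thread. It parses the
line shapes that matter on a first pass (Security Center AV/FW lines, SERVICES
/ DRIVERS entries, Find3M / Created Last 30 file entries) and returns findings
a responder would check first. SAMPLE_LOG is constructed from a few lines of
the kind that appear in the log.
"""
import re
from collections import Counter
from datetime import date

SAMPLE_LOG = r"""
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A17C72C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86450454-FFA4-00EF-0D24-347CA8A3377C}
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-1 64288]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-31 185089]
S3 Brvwpoworpab;Brvwpoworpab; [x]

==================== Find3M ====================

2010-05-03 01:43:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-25 08:38:36 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

============= FINISH: 19:46:11.10 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")  # "=== NAME ===" banners
# AV:/FW: registrations; the "(Updated)" part is absent on firewall lines.
SECURITY_RE = re.compile(
    r"^(?P<kind>AV|FW):\s+(?P<product>.+?)\s+\*(?P<state>[^*]+)\*"
    r"(?:\s+\((?P<updated>[^)]+)\))?\s+\{(?P<guid>[0-9A-Fa-f-]+)\}$")
# "R0 name;display;path [date size]"; DDS prints "[x]" when the file is not found.
SERVICE_RE = re.compile(
    r"^(?P<type>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*\[(?P<info>[^\]]*)\]$")
# "date time size attrs path"; attrs use d/s/h/a/r/w flag letters.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>[\d:.]+)\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+)$")


def parse_dds(text):
    """Split a DDS log into security registrations, services and file entries."""
    out = {"security": [], "services": [], "files": []}
    section = "PREAMBLE"
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            continue
        if section == "PREAMBLE" and (m := SECURITY_RE.match(line)):
            out["security"].append(m.groupdict())
        elif section.startswith("SERVICES") and (m := SERVICE_RE.match(line)):
            entry = m.groupdict()
            entry["file_missing"] = entry["info"] == "x"
            out["services"].append(entry)
        elif section in ("FIND3M", "CREATED LAST 30") and (m := FILE_RE.match(line)):
            entry = m.groupdict()
            entry["date"] = date.fromisoformat(entry["date"])
            entry["size"] = int(entry["size"])
            out["files"].append(entry)
    return out


def triage(parsed, since):
    """(severity, message) findings; `since` (date or ISO string) is the caller's
    cut-off for 'recently modified' (assumption: the day the trouble started)."""
    if isinstance(since, str):
        since = date.fromisoformat(since)
    findings = []
    for svc in parsed["services"]:
        if svc["file_missing"]:
            findings.append(("review", f"service {svc['name']} ({svc['type']}) "
                             "is registered but DDS could not find its file"))
    av_counts = Counter(s["product"] for s in parsed["security"] if s["kind"] == "AV")
    for product, n in av_counts.items():
        if n > 1:
            findings.append(("info", f"{product} is registered {n} times in Security Center"))
    for s in parsed["security"]:
        if "disabled" in s["state"] or s["updated"] == "Outdated":
            findings.append(("review", f"{s['kind']} {s['product']}: {s['state']}, "
                             f"{s['updated'] or 'no signature state'}"))
    for f in parsed["files"]:
        path = f["path"].lower()
        if "\\system32\\" not in path:
            continue
        if path.endswith(".sys") and f["date"] >= since:
            findings.append(("high", f"{f['path']} modified {f['date']} (core driver changed)"))
        if "s" in f["attrs"] and "h" in f["attrs"]:
            findings.append(("review", f"{f['path']} carries system+hidden attributes"))
    return findings
```

Calling `triage(parse_dds(SAMPLE_LOG), "2010-05-01")` flags the service with no file on disk, the duplicated Security Center registration, the outdated and disabled Trend Micro components, the freshly dated atapi.sys, and the system+hidden file in system32; a full log is fed in the same way after pasting it into the string.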




#2 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:26 AM

Posted 05 May 2010 - 12:00 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you have a heart? If you do, then can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 Plexi

  • Topic Starter
  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 05 May 2010 - 12:22 PM

Hello Blind Faith,

Thank you for the reply. I've done almost nothing since I originally posted for fear of screwing something up. I did run another Avira scan which picked up a few more infections and cleaned them. Other than that, a full description as well as the logs will appear in the first post. I am still unable to run GMER either in safe or normal mode as it either causes my computer to hard lock or just reset.

I'll include another DDS log though.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Josh at 10:15:49.66 on Wed 05/05/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2063 [GMT -7:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A17C72C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86450454-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864A46F4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8643A49C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1CCDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8649A74C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863BEAB4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86640194-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8631ADDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8636B83C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863E3DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8642F2CC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1284AC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated) {8643D9BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86568984-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1A0484-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862B5DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86155494-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86260DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863E6374-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863F7A74-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86545564-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1725EC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {89676C3C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86395DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86456334-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863295E4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {855BF054-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1A7DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86165DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A111304-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866AC46C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8642A504-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866BA6A4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863F2824-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A167DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866C2DDC-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1B4524-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864C95B4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8646968C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8638F284-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1E0324-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8652574C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {85454DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A060DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A0E081C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8641C72C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866C11E4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {898A75BC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {89EC4A84-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A39E414-FFA4-00EF-0D24-347CA8A3377C}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1E19F4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863A1B6C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {BADB0D00-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {85504054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863E8054-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863FD9BC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A11A824-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862B069C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1B8264-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {861FDDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {861DAC24-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8649C6AC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A0C6DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A14B374-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863DC73C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {85C5656C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864DDDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8621B264-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863F14AC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86268DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8949EC04-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A126824-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A2F7474-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86315C4C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8659C324-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864A7594-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862F66AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862A237C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8636C564-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1F2B64-FFA4-0100-0D24-347CA8A3377C}
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8571FDDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1EC234-FFA4-00EF-0D24-347CA8A3377C}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\ventrilo\ventrilo.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Josh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [AtiTrayTools] "c:\program files\ray adams\ati tray tools\atitray.exe"
uRun: [Google Update] "c:\documents and settings\Josh\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\josh\applic~1\mozilla\firefox\profiles\mtwuyxbz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Josh\application data\mozilla\firefox\profiles\mtwuyxbz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Josh\application data\mozilla\firefox\profiles\mtwuyxbz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\Josh\application data\mozilla\plugins\NPAbacheck.dll
FF - plugin: c:\documents and settings\Josh\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-1 64288]
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2007-5-22 18088]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-31 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-31 56816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 203024]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36112]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-19 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 Brvwpoworpab;Brvwpoworpab; [x]

=============== Created Last 30 ================

2010-05-03 02:43:56 0 ----a-w- c:\documents and settings\Josh\defogger_reenable
2010-05-03 01:48:49 0 d-sha-r- C:\cmdcons
2010-05-03 01:45:38 77312 ----a-w- c:\windows\MBR.exe
2010-05-03 01:45:32 98816 ----a-w- c:\windows\sed.exe
2010-05-03 01:45:32 256512 ----a-w- c:\windows\PEV.exe
2010-05-03 01:45:32 161792 ----a-w- c:\windows\SWREG.exe
2010-05-03 01:26:44 178000 ----a-w- C:\TDSSKiller.exe
2010-05-03 01:26:31 154469 ----a-w- C:\tdsskiller.zip
2010-05-02 17:18:12 0 d-----w- c:\docume~1\josh\applic~1\Malwarebytes
2010-05-02 17:17:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 17:17:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-02 17:17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 17:17:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-05-03 01:43:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-25 08:38:36 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2009-09-04 09:29:30 4509 ----a-w- c:\program files\trapcode3Dstroke.log
2009-05-05 08:42:02 25 ----a-w- c:\program files\popcinfot.dat
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-03-01 20:32:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030120090302\index.dat

============= FINISH: 10:16:34.25 ===============

Attached Files
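
To make the sections of that log easier to work through on the helper's side, here is a small triage script as an added example; it is not part of this thread and not the DDS tool's own code. It splits a DDS log into its banner-delimited sections and pulls out three things a malware-removal helper usually looks at first: a service or driver registered with no file on disk (DDS prints `[x]`, as for Brvwpoworpab above), files sitting directly in system32 with system+hidden attributes, and kernel drivers modified in the days just before the log was taken (atapi.sys above). The sample log embedded in the script is a trimmed copy of lines from the post above, constructed for the example; the 7-day window, the section names and the attribute-letter check are assumptions taken from the log format shown here, and the functions run on a full log as posted, not only on the excerpt.

```python
"""Triage helper for a DDS log: orphaned services, hidden system files and
recently modified kernel drivers.  Added example, not code from the thread or
the DDS tool; the checks are assumptions about what a helper looks at first."""
import re
from datetime import datetime, timedelta

# Constructed sample: a trimmed copy of lines shown in the thread's DDS log.
SAMPLE_DDS_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Josh at 10:15:49.66 on Wed 05/05/2010
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-1 64288]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-31 56816]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 Brvwpoworpab;Brvwpoworpab; [x]
==================== Find3M ====================
2010-05-03 01:43:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-25 08:38:36 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-03-01 20:32:42 32768 --sha-w- c:\windows\system32\config\systemprofile\index.dat
============= FINISH: 10:16:34.25 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                       # "===== NAME ====="
RUN_DATE_RE = re.compile(r"^Run by .* on \w{3} (\d{2}/\d{2}/\d{4})")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")  # date time size attrs path

def parse_dds(text: str) -> dict:
    """Split the log into banner-delimited sections; lines before the first banner go under 'HEADER'."""
    sections, current = {"HEADER": []}, "HEADER"
    for line in text.splitlines():
        banner = SECTION_RE.match(line.strip())
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections

def log_run_date(sections: dict) -> datetime:
    """Date the log was taken, from the 'Run by <user> at <time> on <date>' line."""
    for line in sections.get("HEADER", []):
        m = RUN_DATE_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%m/%d/%Y")
    raise ValueError("no 'Run by ... on <date>' line in DDS header")

def orphaned_services(sections: dict) -> list:
    """Service/driver names registered with no image on disk (DDS prints '[x]')."""
    names = []
    for line in sections.get("SERVICES / DRIVERS", []):
        _state, _, rest = line.partition(" ")   # "R0 name;display;image [date size]"
        fields = rest.split(";")
        if len(fields) >= 3 and ";".join(fields[2:]).strip() == "[x]":
            names.append(fields[0])
    return names

def hidden_system_files(sections: dict) -> list:
    """Files sitting directly in system32 with both the system and hidden attributes set."""
    paths = []
    for line in sections.get("Find3M", []):
        m = FILE_RE.match(line)
        if m and "s" in m.group(4) and "h" in m.group(4):
            path = m.group(5).lower()
            if path.rsplit("\\", 1)[0].endswith("\\system32"):
                paths.append(path)
    return paths

def recently_modified_drivers(sections: dict, run_date: datetime, days: int = 7) -> list:
    """Kernel drivers (system32\\drivers) modified within `days` before the log date."""
    cutoff, paths = run_date - timedelta(days=days), []
    for line in sections.get("Find3M", []):
        m = FILE_RE.match(line)
        if not m:
            continue
        mtime = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
        path = m.group(5).lower()
        if "\\system32\\drivers\\" in path and mtime >= cutoff:
            paths.append(path)
    return paths

def triage(text: str) -> dict:
    """Run all three checks over a DDS log; findings keyed by check name."""
    sections = parse_dds(text)
    run_date = log_run_date(sections)
    return {
        "orphaned_services": orphaned_services(sections),
        "hidden_system_files": hidden_system_files(sections),
        "recent_drivers": recently_modified_drivers(sections, run_date),
    }

if __name__ == "__main__":
    for check, items in triage(SAMPLE_DDS_LOG).items():
        print(f"{check}: {items or 'none'}")
```

None of the three findings proves an infection on its own. The atapi.sys timestamp (2010-05-03 01:43) falls two minutes before the ComboFix support files listed under Created Last 30 (01:45), so that change may be ComboFix's repair rather than the rootkit's write, and legitimate software also drops hidden system files into system32; compare hashes against a known-good copy before deleting anything. The orphaned service is the strongest lead: a randomly named driver service whose file is gone but whose registry entry survives is a common leftover after a partial rootkit cleanup and is worth checking in the registry before the next scan.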



#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:26 PM

Posted 09 May 2010 - 07:56 AM

Hello, Plexi.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!


P2P Warning and Request
The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case uTorrent, LimeWire). These programmes allow users to share files between themselves, as the name suggests. In today's world, cybercrime has come a long way, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall it, please refrain from using it until I let you know your computer is clean.

Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case CCleaner). Here at BC, we do not recommend using registry cleaners.

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578
Viewpoint (foistware) Warning

I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs, and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Two Antiviruses Warning


I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either Trend Micro Internet Security or Avira AntiVir.



Step 1

OK, with TDSS, a GMER log is important. Let's try one last attempt...to give it a higher chance of success, please run it in Safe Mode and only select "files" and "sections". If that doesn't work, please let me know.



Step 2

Please copy and paste the contents of C:\combofix.txt in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 Plexi

Plexi
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 09 May 2010 - 04:08 PM

Hello etavares,

Thank you for your response.
  1. It has been a long time (years, I believe) since I participated in any P2P activities. I do (did, uninstalled it today) have Limewire still on my computer, but I don't believe it has anything to do with the current situation.
  2. I am also wary of registry cleaners, but I've used CCleaner for clearing out all my temporary internet files and my start menu icons and all that jazz.
  3. I removed the only Viewpoint thing on my Add/Remove Programs list.
  4. I would love to only have Avira on my computer. The problem is, when I try to uninstall Trend Micro, it asks me for a password that I'm almost certain I never knew.
  5. I was able to run GMER in safe mode with only the two options you told me to have checked, but the scan came back saying that it didn't find any modifications. I'd include the log I saved, but it's blank.

Here is my combofix log (NOTE: it says that I had Avira enabled, but I disabled it using the method on this site. I'm not sure why it said it was enabled):

ComboFix 10-05-02.01 - Josh 05/02/2010 19:00:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2210 [GMT -7:00]
Running from: c:\documents and settings\Josh\Desktop\africa.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated) {8643D9BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {85454DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {85504054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {855BF054-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8571FDDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {85C5656C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86155494-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86165DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {861DAC24-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {861FDDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8621B264-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86260DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86268DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862A237C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862B069C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862B5DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {862F66AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86315C4C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8631ADDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863295E4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8636B83C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8636C564-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8638F284-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86395DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863A1B6C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863BEAB4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863DC73C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863E3DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863E6374-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863E8054-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863F14AC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863F2824-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863F7A74-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {863FD9BC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8641C72C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8642A504-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8642F2CC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8643A49C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86450454-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86456334-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8646968C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8649A74C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8649C6AC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864A46F4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864A7594-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864C95B4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {864DDDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8652574C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86545564-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86568984-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8659C324-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {86640194-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866AC46C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866BA6A4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866C11E4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {866C2DDC-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8949EC04-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {89676C3C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {898A75BC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {89EC4A84-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A060DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A0C6DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A0E081C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A111304-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A11A824-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A126824-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1284AC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A14B374-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A167DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1725EC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A17C72C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1A0484-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1A7DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1B4524-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1B8264-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1CCDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1E0324-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1E19F4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1EC234-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A1F2B64-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A2F7474-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {8A39E414-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {BADB0D00-FFA4-00EF-0D24-347CA8A3377C}
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Josh\Start Menu\Programs\Startup\MagicDisc.lnk
c:\program files\WindowsUpdate
c:\windows\system32\vyadd.bak1
c:\windows\system32\vyadd.ini2

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-03 01:26 . 2010-03-22 17:43 178000 ----a-w- C:\TDSSKiller.exe
2010-05-03 01:26 . 2010-05-03 01:26 154469 ----a-w- C:\tdsskiller.zip
2010-05-02 19:47 . 2010-05-02 19:47 388096 ----a-r- c:\documents and settings\Josh\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-02 17:18 . 2010-05-02 17:18 -------- d-----w- c:\documents and settings\Josh\Application Data\Malwarebytes
2010-05-02 17:17 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 17:17 . 2010-05-02 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-02 17:17 . 2010-05-02 17:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 17:17 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 10:32 . 2010-05-02 10:32 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\ioxtunibo
2010-04-25 19:52 . 2010-03-26 17:33 43008 ----a-w- c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\mtwuyxbz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-25 19:52 . 2010-03-26 17:33 339456 ----a-w- c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\mtwuyxbz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-25 19:52 . 2010-03-26 17:32 346112 ----a-w- c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\mtwuyxbz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-04-25 19:52 . 2010-03-26 17:33 1496064 ----a-w- c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\mtwuyxbz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 01:43 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-02 19:56 . 2005-12-26 05:20 -------- d-----w- c:\program files\Bejeweled 2 Deluxe
2010-05-02 19:47 . 2005-12-19 16:06 -------- d-----w- c:\program files\Trend Micro
2010-05-02 17:39 . 2009-06-26 04:08 -------- d-----w- c:\program files\ATI
2010-05-02 10:32 . 2007-05-05 21:14 -------- d-----w- c:\program files\PeerGuardian2
2010-04-29 16:16 . 2008-10-10 08:59 -------- d-----w- c:\program files\NavNet
2010-04-25 08:38 . 2006-01-04 01:35 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-25 08:38 . 2005-12-28 02:27 104 --sh--r- c:\windows\system32\DD11CB9FC7.sys
2010-04-18 09:00 . 2009-11-25 11:33 445 ----a-w- c:\windows\EntPack.dat
2010-04-14 10:08 . 2007-03-29 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-11 22:35 . 2008-10-05 20:25 -------- d-----w- c:\program files\World of Warcraft
2010-04-07 06:22 . 2009-06-30 20:55 -------- d-----w- c:\documents and settings\Josh\Application Data\Advanced Combat Tracker
2010-03-11 12:38 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-08-16 10:18 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 20:22 . 2007-02-03 17:05 -------- d-----w- c:\documents and settings\Josh\Application Data\uTorrent
2010-03-09 11:09 . 2005-08-16 10:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 01:27 . 2009-05-05 15:20 48 ----a-w- c:\windows\popcinfot.dat
2010-03-06 01:27 . 2009-05-05 08:08 -------- d-----w- c:\program files\Plants vs. Zombies
2010-03-01 08:25 . 2010-02-01 20:24 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2010-02-24 13:11 . 2005-12-19 15:34 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-08-16 10:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-08-16 10:18 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 20:25 . 2010-02-01 20:24 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2010-02-11 20:25 . 2010-02-01 20:24 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2010-02-11 20:25 . 2010-02-01 20:24 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2010-02-11 12:02 . 2005-08-16 10:18 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-02 02:21 . 2010-02-01 02:20 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-04 09:29 . 2009-09-04 09:29 4509 ----a-w- c:\program files\trapcode3Dstroke.log
2009-05-05 08:42 . 2009-05-05 08:42 25 ----a-w- c:\program files\popcinfot.dat
2006-05-03 09:06 . 2009-08-17 20:15 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 20:15 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 20:15 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-16 20553]
"AtiTrayTools"="c:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2007-05-22 521128]
"Google Update"="c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-23 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-19 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]
path=c:\documents and settings\Josh\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk
backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^Memeo AutoSync Launcher.lnk]
path=c:\documents and settings\Josh\Start Menu\Programs\Startup\Memeo AutoSync Launcher.lnk
backup=c:\windows\pss\Memeo AutoSync Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 19:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 17:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 17:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-23 06:20 339968 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-07 20:42 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135541865\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135541865\\ee\\aim6.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\TeamSpeak.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"e:\\utorrent\\uTorrent.exe"=
"e:\\Steam\\steamapps\\common\\splinter cell\\system\\splintercell.exe"=
"e:\\lol\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"e:\\lol\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"e:\\Steam\\steamapps\\common\\world of goo\\WorldOfGoo.exe"=
"e:\\Steam\\steamapps\\common\\the secret of monkey island special edition\\MISE.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8767:TCP"= 8767:TCP:Teamspeak
"8767:UDP"= 8767:UDP:Teamspeak2
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"6937:TCP"= 6937:TCP:League of Legends Launcher
"6937:UDP"= 6937:UDP:League of Legends Launcher

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/1/2010 1:25 PM 64288]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 2:04 AM 18088]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/31/2010 7:20 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 6:19 AM 1181328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 3:30 PM 203024]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 3:30 PM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 3:30 PM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 3:30 PM 36112]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 3:30 PM 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/19/2007 5:27 PM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 2:34 AM 135664]
S3 Brvwpoworpab;Brvwpoworpab; [x]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/3/2007 12:57 PM 682232]
.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:25]

2010-05-03 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:25]

2010-05-03 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:25]

2010-05-03 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:25]

2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:25]

2010-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 09:34]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 09:34]

2010-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-176630229-1398752101-2693098192-1005Core.job
- c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-23 01:03]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-176630229-1398752101-2693098192-1005UA.job
- c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-23 01:03]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\mtwuyxbz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\mtwuyxbz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\mtwuyxbz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\Josh\Application Data\Mozilla\plugins\NPAbacheck.dll
FF - plugin: c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_03\bin\jusched.exe
AddRemove-XPv3.8.291 - c:\windows\Radeon Omega Drivers v3.8.291
AddRemove-pywin32-py2.4 - c:\python24\Removepywin32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 19:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-02 19:13:18
ComboFix-quarantined-files.txt 2010-05-03 02:13

Pre-Run: 647,458,816 bytes free
Post-Run: 731,193,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - CB7CA957AB8D2FE0D05985328629434A


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:26 PM

Posted 09 May 2010 - 05:42 PM

Hello, Plexi.

OK, CCleaner is great for those uses, just be careful when using it to fix registry items.

We can remove the Trend Micro a/v later...but I have to ask: is this a corporate computer or a computer not owned by you? If so, you may be violating policy if we do that. That is your responsibility to know ahead of time.

Nothing is really popping right now...the CF and GMER logs didn't show a rootkit like TDSS. Let's check a few things here.






Step 1
  1. Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  2. Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  3. Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  4. Open your c:\ folder and double-click on fixme.bat. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.



Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 Plexi

Plexi
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 09 May 2010 - 05:52 PM

Etavares,

This is not a corporate computer, it is a personal computer owned by me.

Yes, the rootkit could possibly be cleaned. After running TDSSKiller before and failing to remove it, I ran combofix. During the scan it told me it found a rootkit problem and needed to reboot. After the combofix scan was complete, I ran TDSSKiller again and it came up clean.

Here are the results for fixme.bat:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

Here are the results of the MBAM Scan (clean!):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4084

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/9/2010 3:42:55 PM
mbam-log-2010-05-09 (02-33-55).txt

Scan type: Quick scan
Objects scanned: 132635
Time elapsed: 8 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:26 PM

Posted 10 May 2010 - 05:58 PM

Hello, Plexi.

OK, great! Sort of...TDSS is a backdoor rootkit. Let's take care of uninstalling Trend Micro before we proceed any further.



Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Step 1

Please go to Start --> Run and copy and paste the text in the box below (excluding the word code)

CODE
reg query  HKLM\SOFTWARE\TrendMicro\ /s > c:\reglog.txt


and click OK.

Please attach c:\reglog.txt to your reply.


etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 Plexi

Plexi
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 10 May 2010 - 06:09 PM

Etavares,

I'll likely not reformat. I know that it would probably be my best option, but at this point the only things that I do on this machine that would possibly get compromised are a few video game accounts or facebook. I don't know where my restore CD is or anything like that.

I ran your script, but it's not creating the file reglog.txt. It pops up a command prompt window but it closes before I can see what it says.

Edited by Plexi, 10 May 2010 - 06:09 PM.


#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:26 PM

Posted 10 May 2010 - 06:20 PM

Ah, I think I have an extra space...try this. The log will not pop up, you'll have to navigate to C:\ to find it and attach it here.

reg query HKLM\SOFTWARE\TrendMicro\ /s > c:\reglog.txt


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#11 Plexi

Plexi
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 10 May 2010 - 06:25 PM

Yes, I understand that I must navigate to it. Still nothing, though. I've tried running it a few times now, refreshed my c:\ folder. Nothing.

Edited by Plexi, 10 May 2010 - 06:26 PM.


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:26 PM

Posted 10 May 2010 - 06:39 PM

OK, let's try another approach.

Please launch the Registry Editor. It's in C:\windows\regedit.exe if you can't find it in your Start menu.

Please navigate in the right side of the tree to HKEY_LOCAL_MACHINE, then click the arrow to expand it. Continue doing that until you have highlighted the folder:

HKEY_LOCAL_MACHINE\Software\TrendMicro

Select File --> Export

Ensure 'selected branch' is selected with that HKEY_LOCAL_MACHINE\Software\TrendMicro in the box.

Set save as type to Text Files (.TXT)

And put trend.txt as the file name, then click 'save'.

Close the registry editor and please copy and paste the resulting text file here.



If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
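The text-file export requested above comes out in regedit's fixed layout: a "Key Name:" line per key, then "Value N" blocks with Name/Type/Data lines, and hex-dump lines for REG_BINARY data. As an added example, not code from this thread, from Trend Micro or from Malwarebytes, here is a Python parser for that layout that pulls out what a responder wants to see before a manual uninstall: the install path, the subkeys still present under the vendor's root, and the last detection the product logged. SAMPLE_EXPORT is a constructed, trimmed copy of such an export; treating the LastDetectTime REG_DWORD as Unix epoch seconds is an assumption about the vendor's format, not something the thread states.

```python
"""Parse a regedit "Text Files (*.txt)" export and pull out what a responder
checks before uninstalling a product by hand. Added example, not code from the
thread, Trend Micro or Malwarebytes; SAMPLE_EXPORT is a constructed, trimmed copy
in regedit's layout, and reading LastDetectTime as Unix epoch seconds is an
assumption about the vendor's format, not a fact the thread states."""
import re
from datetime import datetime, timezone

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro"
SAMPLE_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin
Value 0
  Name:            Application Path
  Type:            REG_SZ
  Data:            C:\PROGRA~1\TRENDM~1\INTERN~1\

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Support
Value 0
  Name:            data
  Type:            REG_BINARY
  Data:
00000000   2d ff eb 41 9f eb 4f ec - ac c4 59 47 25 c4 ee a8  -..A..O...YG%...

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\ScanInfo
Value 0
  Name:            LastDetectTime
  Type:            REG_DWORD
  Data:            0x4be68e17

Value 1
  Name:            LastDetectVirus
  Type:            REG_SZ
  Data:            CRCK_WINRAR.I
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def _hex_bytes(lines):
    """regedit dumps REG_BINARY as an 8-digit offset, up to 16 byte tokens with a
    '-' after the eighth, then an ASCII column; the first non-hex token ends it."""
    out = bytearray()
    for line in lines:
        toks = [t for t in line.split()[1:] if t != "-"]   # drop offset and dash
        for tok in toks[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_regedit_txt(text):
    """Return {key_path: {value_name: (reg_type, data)}}; int for REG_DWORD,
    bytes for REG_BINARY, the raw string for everything else."""
    keys, key, val = {}, None, None

    def close_value():
        nonlocal val
        if key is not None and val is not None and val["name"] is not None:
            if val["type"] == "REG_DWORD":               # written as 0x...
                data = int(val["data"], 16) if val["data"] else 0
            elif val["type"] == "REG_BINARY":
                data = _hex_bytes(val["hex"])
            else:
                data = val["data"]
            key[val["name"]] = (val["type"], data)
        val = None

    for raw in text.splitlines():
        line = raw.strip()
        field, _, rest = (s.strip() for s in line.partition(":"))
        if field == "Key Name":
            close_value()
            key = keys.setdefault(rest, {})
        elif re.fullmatch(r"Value \d+", line):
            close_value()
            val = {"name": None, "type": "", "data": "", "hex": []}
        elif val is not None and field in ("Name", "Type", "Data"):
            val[field.lower()] = rest
        elif val is not None and val["type"] == "REG_BINARY" and re.match(r"[0-9a-fA-F]{8}\s", line):
            val["hex"].append(line)
    close_value()
    return keys


def summarize(keys, root):
    """Install path, leftover subkeys and the last detection the product logged."""
    product = keys.get(root + r"\PC-cillin", {})
    scan = keys.get(root + r"\PC-cillin\ScanInfo", {})
    report = {
        "subkeys": sorted(k for k in keys if k.startswith(root + "\\")),
        "app_path": product.get("Application Path", ("", ""))[1],
        "last_detect_virus": scan.get("LastDetectVirus", ("", ""))[1],
        "last_detect_time": None,
    }
    stamp = scan.get("LastDetectTime")
    if stamp and stamp[0] == "REG_DWORD":
        # Assumption: Unix epoch seconds (lands on 2010-05-09 UTC, matching the thread).
        report["last_detect_time"] = datetime.fromtimestamp(
            stamp[1], tz=timezone.utc).isoformat()
    return report
```

To use it on a real export, read trend.txt into a string and pass it to parse_regedit_txt, then hand the result and the vendor root to summarize. The ASCII column of each hex-dump line is discarded rather than decoded; the one case the byte recovery can over-read is a short final dump line whose ASCII text happens to begin with a token that looks like a hex pair.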
 


#13 Plexi

Plexi
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 10 May 2010 - 06:43 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro
Class Name: <NO CLASS>
Last Write Time: 5/2/2010 - 1:01 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\HijackThis
Class Name: <NO CLASS>
Last Write Time: 5/2/2010 - 1:01 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin
Class Name: <NO CLASS>
Last Write Time: 12/25/2005 - 12:46 PM
Value 0
Name: Cleanup
Type: REG_DWORD
Data: 0x1

Value 1
Name: Application Path
Type: REG_SZ
Data: C:\PROGRA~1\TRENDM~1\INTERN~1\

Value 2
Name: register no.
Type: REG_SZ
Data: DLEA-9997-1397-9196-9255

Value 3
Name: company
Type: REG_SZ
Data: Dell

Value 4
Name: name
Type: REG_SZ
Data: Preferred Customer

Value 5
Name: version
Type: REG_SZ
Data: 12.7

Value 6
Name: ProductCode
Type: REG_DWORD
Data: 0x71

Value 7
Name: SourceDir
Type: REG_SZ
Data: C:\dell\TF978\setup\

Value 8
Name: ProductGuid
Type: REG_SZ
Data: {7698EDA5-A90F-4205-99CB-8FF6F9048ED9}

Value 9
Name: nomore
Type: REG_DWORD
Data: 0x1

Value 10
Name: Wfw
Type: REG_DWORD
Data: 0x2

Value 11
Name: InstallLevel
Type: REG_DWORD
Data: 0x2


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\CentralControlComponent
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\CentralControlComponent\Profile
Class Name: <NO CLASS>
Last Write Time: 12/27/2005 - 6:07 AM
Value 0
Name: MaxProfileNumber
Type: REG_DWORD
Data: 0xa

Value 1
Name: CurrentProfile
Type: REG_BINARY
Data:
00000000 61 e4 bd 1a 3a 25 a9 4b - 9a bb be d7 8a fb 27 8a a.:%K..'.


Value 2
Name: AutoProfileChange
Type: REG_DWORD
Data: 0x0

Value 3
Name: MaxLocationNumber
Type: REG_DWORD
Data: 0x1

Value 4
Name: MaxTaskNumber
Type: REG_DWORD
Data: 0x14

Value 5
Name: DontAskAgain
Type: REG_DWORD
Data: 0x0

Value 6
Name: StaticHRuleLeadIdx
Type: REG_SZ
Data: 1,2,3

Value 7
Name: StaticHRuleTrailIdx
Type: REG_SZ
Data: 4,5,6

Value 8
Name: StaticMRuleLeadIdx
Type: REG_SZ
Data: 7,8,9

Value 9
Name: StaticMRuleTrailIdx
Type: REG_SZ
Data: 10,11,12

Value 10
Name: StaticLRuleLeadIdx
Type: REG_SZ
Data: 13,14,15

Value 11
Name: StaticLRuleTrailIdx
Type: REG_SZ
Data: 16,17,18

Value 12
Name: StaticDefaultRuleIdx
Type: REG_SZ
Data: 19,20

Value 13
Name: RemoteProtect
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: WebMailSplash
Type: REG_DWORD
Data: 0x1

Value 1
Name: SmtpSplash
Type: REG_DWORD
Data: 0x1

Value 2
Name: ShowQuaGuide
Type: REG_DWORD
Data: 0x0

Value 3
Name: PXOIX
Type: REG_DWORD
Data: 0x0

Value 4
Name: PurgeTime
Type: REG_DWORD
Data: 0x1e

Value 5
Name: POP3Splash
Type: REG_DWORD
Data: 0x1

Value 6
Name: PKOIX
Type: REG_BINARY
Data:

Value 7
Name: PassLock
Type: REG_DWORD
Data: 0x0

Value 8
Name: AutoPurge
Type: REG_DWORD
Data: 0x1

Value 9
Name: Mode
Type: REG_DWORD
Data: 0x0

Value 10
Name: Menu
Type: REG_DWORD
Data: 0x0

Value 11
Name: Update
Type: REG_DWORD
Data: 0x0

Value 12
Name: MenuSet
Type: REG_DWORD
Data: 0x0

Value 13
Name: TipHelp
Type: REG_DWORD
Data: 0x1

Value 14
Name: StatusMonitorInterval
Type: REG_DWORD
Data: 0x38e


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\DLPccUtl
Class Name: <NO CLASS>
Last Write Time: 12/25/2005 - 12:46 PM
Value 0
Name: Solt
Type: REG_BINARY
Data:
00000000 00 fa dc 89 ca a5 df 51 - ..ʥQ


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Exception
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: File0
Type: REG_SZ
Data: none

Value 1
Name: File1
Type: REG_SZ
Data: none

Value 2
Name: File2
Type: REG_SZ
Data: none

Value 3
Name: File3
Type: REG_SZ
Data: none

Value 4
Name: File4
Type: REG_SZ
Data: none

Value 5
Name: File5
Type: REG_SZ
Data: none

Value 6
Name: File6
Type: REG_SZ
Data: none

Value 7
Name: File7
Type: REG_SZ
Data: none

Value 8
Name: File8
Type: REG_SZ
Data: none

Value 9
Name: File9
Type: REG_SZ
Data: none

Value 10
Name: File10
Type: REG_SZ
Data: none

Value 11
Name: File11
Type: REG_SZ
Data: none

Value 12
Name: File12
Type: REG_SZ
Data: none

Value 13
Name: File13
Type: REG_SZ
Data: none

Value 14
Name: File14
Type: REG_SZ
Data: none

Value 15
Name: File15
Type: REG_SZ
Data: none

Value 16
Name: File16
Type: REG_SZ
Data: none

Value 17
Name: File17
Type: REG_SZ
Data: none

Value 18
Name: File18
Type: REG_SZ
Data: none

Value 19
Name: File19
Type: REG_SZ
Data: none

Value 20
Name: Folder0
Type: REG_SZ
Data: none

Value 21
Name: Folder1
Type: REG_SZ
Data: none

Value 22
Name: Folder2
Type: REG_SZ
Data: none

Value 23
Name: Folder3
Type: REG_SZ
Data: none

Value 24
Name: Folder4
Type: REG_SZ
Data: none

Value 25
Name: Folder5
Type: REG_SZ
Data: none

Value 26
Name: Folder6
Type: REG_SZ
Data: none

Value 27
Name: Folder7
Type: REG_SZ
Data: none

Value 28
Name: Folder8
Type: REG_SZ
Data: none

Value 29
Name: Folder9
Type: REG_SZ
Data: none

Value 30
Name: Folder10
Type: REG_SZ
Data: none

Value 31
Name: Folder11
Type: REG_SZ
Data: none

Value 32
Name: Folder12
Type: REG_SZ
Data: none

Value 33
Name: Folder13
Type: REG_SZ
Data: none

Value 34
Name: Folder14
Type: REG_SZ
Data: none

Value 35
Name: Folder15
Type: REG_SZ
Data: none

Value 36
Name: Folder16
Type: REG_SZ
Data: none

Value 37
Name: Folder17
Type: REG_SZ
Data: none

Value 38
Name: Folder18
Type: REG_SZ
Data: none

Value 39
Name: Folder19
Type: REG_SZ
Data: none


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\FireWall
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: NVList
Type: REG_BINARY
Data:

Value 1
Name: NVFound
Type: REG_SZ
Data:

Value 2
Name: AdaptersNum
Type: REG_DWORD
Data: 0x0

Value 3
Name: NVPopup
Type: REG_DWORD
Data: 0x1

Value 4
Name: NVLock
Type: REG_DWORD
Data: 0x0

Value 5
Name: NVLatency
Type: REG_DWORD
Data: 0x4e20

Value 6
Name: AdaptersList
Type: REG_BINARY
Data:

Value 7
Name: Installed
Type: REG_DWORD
Data: 0x1

Value 8
Name: AcceptLog
Type: REG_DWORD
Data: 0x0

Value 9
Name: LogPath
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\log\\

Value 10
Name: LogLastEventFlag
Type: REG_DWORD
Data: 0x230

Value 11
Name: LogEventFlag
Type: REG_DWORD
Data: 0x42f8

Value 12
Name: AppWait
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Intelligent
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: HideProgress
Type: REG_DWORD
Data: 0x0

Value 1
Name: OnOff
Type: REG_DWORD
Data: 0x1

Value 2
Name: ConnectLimit
Type: REG_DWORD
Data: 0x0

Value 3
Name: Interval
Type: REG_DWORD
Data: 0x2a30

Value 4
Name: Start
Type: REG_DWORD
Data: 0x17

Value 5
Name: End
Type: REG_DWORD
Data: 0x8

Value 6
Name: Silent
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\MailScan
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: OnOff
Type: REG_DWORD
Data: 0x1

Value 1
Name: Splash
Type: REG_DWORD
Data: 0x0

Value 2
Name: Config
Type: REG_DWORD
Data: 0x0

Value 3
Name: Action
Type: REG_DWORD
Data: 0x3

Value 4
Name: Action2nd
Type: REG_DWORD
Data: 0x4

Value 5
Name: ZipClean
Type: REG_DWORD
Data: 0x1

Value 6
Name: ExtractFileSizeLimit
Type: REG_DWORD
Data: 0xffffffff

Value 7
Name: WebMail
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\ManualScan
Class Name: <NO CLASS>
Last Write Time: 8/18/2007 - 3:42 PM
Value 0
Name: ScriptTrap
Type: REG_DWORD
Data: 0x1

Value 1
Name: FileCountThreadPriority
Type: REG_DWORD
Data: 0x5

Value 2
Name: ZipScanOnOff
Type: REG_DWORD
Data: 0x1

Value 3
Name: ZipScan
Type: REG_DWORD
Data: 0x3

Value 4
Name: ZipClean
Type: REG_DWORD
Data: 0x1

Value 5
Name: TSC
Type: REG_DWORD
Data: 0x1

Value 6
Name: Spyware
Type: REG_DWORD
Data: 0x0

Value 7
Name: PattnExt
Type: REG_DWORD
Data: 0x0

Value 8
Name: ExtractFileSizeLimit
Type: REG_DWORD
Data: 0xffffffff

Value 9
Name: ExcludeExt
Type: REG_SZ
Data:

Value 10
Name: EncodeBackup
Type: REG_DWORD
Data: 0x1

Value 11
Name: ActiveAction
Type: REG_DWORD
Data: 0x1

Value 12
Name: Action2nd
Type: REG_DWORD
Data: 0x2

Value 13
Name: <NO NAME>
Type: REG_SZ
Data:

Value 14
Name: Action
Type: REG_DWORD
Data: 0x3

Value 15
Name: ActiveScan
Type: REG_DWORD
Data: 0x0

Value 16
Name: BootScan
Type: REG_DWORD
Data: 0x1

Value 17
Name: MoveDirectory2nd
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\QUARANTINE

Value 18
Name: AutoClose
Type: REG_DWORD
Data: 0x1

Value 19
Name: LastTScanTaskName
Type: REG_SZ
Data:

Value 20
Name: MoveDirectory
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\QUARANTINE

Value 21
Name: FileScanThreadPriority
Type: REG_DWORD
Data: 0x1

Value 22
Name: FileTypeList
Type: REG_SZ
Data: .{*.ARJ.BAT.BIN.BOO.CAB.CHM.CLA.CLASS.COM.DAT.DLL.DOC.DOT.DRV.EML.EXE.GZ.HLP.HTA.HTM.HTML.HTT.INI.JAR.JS.JSE.LNK.LZH.MDB.MPP.MPT.MSG.MSO.NWS.OCX.OFT.OVL.PHP.PIF.PL.POT.PPS.PPT.PRC.RAR.REG.RTF.SCR.SHS.SYS.TAR.VBE.VBS.VSD.VST.VXD.WSF.XLA.XLS.XLT.XML.Z.ZIP

Value 23
Name: ExtractFileCountLimit
Type: REG_DWORD
Data: 0x0

Value 24
Name: CleanBackup
Type: REG_DWORD
Data: 0x1

Value 25
Name: LastMScanFinished
Type: REG_DWORD
Data: 0x0

Value 26
Name: LastMScanMethod
Type: REG_DWORD
Data: 0x0

Value 27
Name: LastMScanStartTime
Type: REG_SZ
Data:

Value 28
Name: LastMScanEndTime
Type: REG_SZ
Data:

Value 29
Name: GenericMacro
Type: REG_DWORD
Data: 0x1

Value 30
Name: LastTScanFinished
Type: REG_DWORD
Data: 0x0

Value 31
Name: LastTScanMethod
Type: REG_DWORD
Data: 0x0

Value 32
Name: LastTScanStartTime
Type: REG_SZ
Data:

Value 33
Name: LastTScanEndTime
Type: REG_SZ
Data:

Value 34
Name: LastMScanTaskName
Type: REG_SZ
Data:

Value 35
Name: AllFile
Type: REG_DWORD
Data: 0x1

Value 36
Name: FastScan
Type: REG_DWORD
Data: 0x0

Value 37
Name: SpyThreats
Type: REG_DWORD
Data: 0x0

Value 38
Name: EnableTmdShell
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Menu
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: SetMenu
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Misc
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: ExcludeExt
Type: REG_SZ
Data:


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\NVAlert
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: WaitTime
Type: REG_DWORD
Data: 0x4e20

Value 1
Name: AlertPopup
Type: REG_DWORD
Data: 0x1

Value 2
Name: EmergencyLock
Type: REG_DWORD
Data: 0x0

Value 3
Name: EnableGSS
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\OBAlert
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: ID
Type: REG_SZ
Data:

Value 1
Name: SERVER
Type: REG_SZ
Data:

Value 2
Name: Port
Type: REG_DWORD
Data: 0x50

Value 3
Name: Proxy
Type: REG_DWORD
Data: 0x0

Value 4
Name: Interval
Type: REG_DWORD
Data: 0x3c

Value 5
Name: EnableScheduled
Type: REG_DWORD
Data: 0x1

Value 6
Name: Socks
Type: REG_DWORD
Data: 0x0

Value 7
Name: PX2JZ
Type: REG_BINARY
Data:
00000000 8a b9 f6 ab fd 3d 7a 55 - d6 d0 f8 c2 dc b9 74 97 .=zUܹt.
00000010 00 2e fb 4c 70 07 91 4d - 89 7c bc 75 e1 6a ad 84 ..Lp..M.|uj.
00000020 9a 56 12 76 c9 27 51 96 - 7f 3a 49 f1 93 4a b8 9f .V.v'Q..:I.J.
00000030 78 2e 98 63 1e 8d 38 1f - 05 c0 f6 b9 cd ae 9e 3b x..c..8..ͮ.;
00000040 b7 99 71 80 44 cc c8 13 - 82 3a 2b 65 4a 47 4a bc .q.D..:+eJGJ
00000050 97 1c 37 e2 7e fd f7 4f - 17 5c 38 05 c6 c5 f0 3f ..7~O.\8.?
00000060 7f 7d 55 2e 01 8e 1c ea - 22 c0 1b 5a 8a 6a af 83 .}U....".Z.j.
00000070 7b a3 a1 16 0d dc 36 a3 - 21 82 36 6c 14 66 63 b9 {..6!.6l.fc
00000080 9e 02 0d c4 00 ec 25 de - 20 87 51 f5 f6 a8 fc 53 ....% .QS
00000090 38 fc e3 a6 69 85 a7 13 - fe 09 8e 48 8a 9d 29 a1 8i.. .H..)
000000a0 89 3c 9a e5 8e 18 ee ce - 95 73 46 0b 95 fd 18 36 .<....sF...6
000000b0 63 1a 3d 9b d7 41 58 eb - 5a fd 1e 94 6b 80 44 f5 c.=.AXZ..k.D
000000c0 90 5f f1 45 d3 f7 5b 2f - a6 99 e3 a7 c2 fc 4d c8 ._E[/.M
000000d0 0d d8 d8 fa ca 73 24 36 - 7b 1f 69 6d 02 aa 32 f2 .s$6{.im.2
000000e0 df 8d a8 49 f5 29 dd f4 - f4 56 70 f3 c4 c5 db 28 .I)Vp(
000000f0 8f af 59 8c 24 cb a6 6d - 88 46 a4 93 e5 d5 cf a3 .Y.$˦m.F.ϣ



Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Proxy
Class Name: <NO CLASS>
Last Write Time: 12/25/2005 - 11:30 PM
Value 0
Name: PX2JZ
Type: REG_BINARY
Data:
00000000 8a b9 f6 ab fd 3d 7a 55 - d6 d0 f8 c2 dc b9 74 97 .=zUܹt.
00000010 00 2e fb 4c 70 07 91 4d - 89 7c bc 75 e1 6a ad 84 ..Lp..M.|uj.
00000020 9a 56 12 76 c9 27 51 96 - 7f 3a 49 f1 93 4a b8 9f .V.v'Q..:I.J.
00000030 78 2e 98 63 1e 8d 38 1f - 05 c0 f6 b9 cd ae 9e 3b x..c..8..ͮ.;
00000040 b7 99 71 80 44 cc c8 13 - 82 3a 2b 65 4a 47 4a bc .q.D..:+eJGJ
00000050 97 1c 37 e2 7e fd f7 4f - 17 5c 38 05 c6 c5 f0 3f ..7~O.\8.?
00000060 7f 7d 55 2e 01 8e 1c ea - 22 c0 1b 5a 8a 6a af 83 .}U....".Z.j.
00000070 7b a3 a1 16 0d dc 36 a3 - 21 82 36 6c 14 66 63 b9 {..6!.6l.fc
00000080 9e 02 0d c4 00 ec 25 de - 20 87 51 f5 f6 a8 fc 53 ....% .QS
00000090 38 fc e3 a6 69 85 a7 13 - fe 09 8e 48 8a 9d 29 a1 8i.. .H..)
000000a0 89 3c 9a e5 8e 18 ee ce - 95 73 46 0b 95 fd 18 36 .<....sF...6
000000b0 63 1a 3d 9b d7 41 58 eb - 5a fd 1e 94 6b 80 44 f5 c.=.AXZ..k.D
000000c0 90 5f f1 45 d3 f7 5b 2f - a6 99 e3 a7 c2 fc 4d c8 ._E[/.M
000000d0 0d d8 d8 fa ca 73 24 36 - 7b 1f 69 6d 02 aa 32 f2 .s$6{.im.2
000000e0 df 8d a8 49 f5 29 dd f4 - f4 56 70 f3 c4 c5 db 28 .I)Vp(
000000f0 8f af 59 8c 24 cb a6 6d - 88 46 a4 93 e5 d5 cf a3 .Y.$˦m.F.ϣ


Value 1
Name: Proxy
Type: REG_DWORD
Data: 0x0

Value 2
Name: SERVER
Type: REG_SZ
Data:

Value 3
Name: Port
Type: REG_DWORD
Data: 0x50

Value 4
Name: ID
Type: REG_SZ
Data:

Value 5
Name: Socks
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\PurgeLog
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: EnableScheduled
Type: REG_DWORD
Data: 0x1

Value 1
Name: PurgeDays
Type: REG_DWORD
Data: 0x1e


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Quarantine
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: FirstTime
Type: REG_DWORD
Data: 0x0

Value 1
Name: CancelTime
Type: REG_DWORD
Data: 0x0

Value 2
Name: ShowGuide
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\RealTimeAgent
Class Name: <NO CLASS>
Last Write Time: 12/25/2005 - 12:54 PM
Value 0
Name: StatusMonitorInterval
Type: REG_DWORD
Data: 0x3e8

Value 1
Name: LogPurgeInterval
Type: REG_DWORD
Data: 0x36ee80

Value 2
Name: EnableEULA
Type: REG_DWORD
Data: 0x0

Value 3
Name: StatusEULA
Type: REG_DWORD
Data: 0x1010101


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\RealTimeScan
Class Name: <NO CLASS>
Last Write Time: 8/18/2007 - 3:42 PM
Value 0
Name: ScriptTrap
Type: REG_DWORD
Data: 0x1

Value 1
Name: ZipScanOnOff
Type: REG_DWORD
Data: 0x0

Value 2
Name: UserName
Type: REG_SZ
Data: Josh

Value 3
Name: TSC
Type: REG_DWORD
Data: 0x1

Value 4
Name: Spyware
Type: REG_DWORD
Data: 0x1

Value 5
Name: ExtractFileCountLimit
Type: REG_DWORD
Data: 0x0

Value 6
Name: ActiveScan
Type: REG_DWORD
Data: 0x0

Value 7
Name: ActiveAction
Type: REG_DWORD
Data: 0x1

Value 8
Name: Action
Type: REG_DWORD
Data: 0x3

Value 9
Name: Action2nd
Type: REG_DWORD
Data: 0x2

Value 10
Name: AllFile
Type: REG_DWORD
Data: 0x1

Value 11
Name: CleanBackup
Type: REG_DWORD
Data: 0x1

Value 12
Name: ZipScan
Type: REG_DWORD
Data: 0x1

Value 13
Name: ZipClean
Type: REG_DWORD
Data: 0x1

Value 14
Name: MoveDirectory
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\QUARANTINE

Value 15
Name: MoveDirectory2nd
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\QUARANTINE

Value 16
Name: FileTypeList
Type: REG_SZ
Data: .{*.ARJ.BAT.BIN.BOO.CAB.CHM.CLA.CLASS.COM.DAT.DLL.DOC.DOT.DRV.EML.EXE.GZ.HLP.HTA.HTM.HTML.HTT.INI.JAR.JS.JSE.LNK.LZH.MDB.MPP.MPT.MSG.MSO.NWS.OCX.OFT.OVL.PHP.PIF.PL.POT.PPS.PPT.PRC.RAR.REG.RTF.SCR.SHS.SYS.TAR.VBE.VBS.VSD.VST.VXD.WSF.XLA.XLS.XLT.XML.Z.ZIP

Value 17
Name: RenameExt
Type: REG_SZ
Data: .VIR

Value 18
Name: InOut
Type: REG_DWORD
Data: 0xf

Value 19
Name: IOScan
Type: REG_DWORD
Data: 0x1

Value 20
Name: Update
Type: REG_DWORD
Data: 0x0

Value 21
Name: PattnExt
Type: REG_DWORD
Data: 0x1

Value 22
Name: GenericMacro
Type: REG_DWORD
Data: 0x1

Value 23
Name: ExtractFileSizeLimit
Type: REG_DWORD
Data: 0xffffffff

Value 24
Name: MonitorNetwork
Type: REG_DWORD
Data: 0x1

Value 25
Name: EncodeBackup
Type: REG_DWORD
Data: 0x1

Value 26
Name: DefaultExtension
Type: REG_SZ
Data: .{*.ACCDB.ACE.AMG.ARJ.BAT.BIN.BOO.BOX.BZ2.CAB.CDR.CDT.CHM.CLA.CLASS.COM.CPT.CSC.DLL.DOC.DOCM.DOCX.DOT.DOTM.DOTX.DRV.DVB.DWG.DWT.EML.EPOC.EXE.GMS.GZ.HLP.HTA.HTM.HTML.HTT.INI.JAR.JPEG.JPG.JS.JSE.JTD.JTT.LNK.LZH.MDB.MPD.MPP.MPT.MSG.MSI.MSO.MST.NWS.OBD.OCX.OFT.OVL.PDF.PHP.PIF.PL.PM.POT.POTM.POTX.PPAM.PPS.PPSM.PPSX.PPT.PPTM.PPTX.PRC.QPW.RAR.REG.RTF.SCR.SHS.SHW.SIS.SIT.SWF.SYS.TAR.VBE.VBS.VSD.VSS.VST.VXD.WMF.WML.WPD.WPT.WSF.XLA.XLAM.XLS.XLSB.XLSM.XLSX.XLT.XLTM.XLTX.XML.Z.ZIP

Value 27
Name: SpyThreats
Type: REG_DWORD
Data: 0x4c


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\ScanInfo
Class Name: <NO CLASS>
Last Write Time: 5/10/2010 - 4:40 PM
Value 0
Name: LastScanType
Type: REG_DWORD
Data: 0x0

Value 1
Name: LastScanFile
Type: REG_SZ
Data: C:\Documents and Settings\Josh\Recent\Local Disk (C).lnk

Value 2
Name: LastDetectType
Type: REG_DWORD
Data: 0x0

Value 3
Name: LastDetectTime
Type: REG_DWORD
Data: 0x4be68e17

Value 4
Name: LastDetectFile
Type: REG_SZ
Data: C:\Program Files\WinRAR\winrar3.6x.multilanguage-patch.exe

Value 5
Name: LastDetectVirus
Type: REG_SZ
Data: CRCK_WINRAR.I

Value 6
Name: LastScanTime
Type: REG_DWORD
Data: 0x44f8bc36


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Support
Class Name: <NO CLASS>
Last Write Time: 8/9/2007 - 2:03 AM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data:

Value 1
Name: data
Type: REG_BINARY
Data:
00000000 2d ff eb 41 9f eb 4f ec - ac c4 59 47 25 c4 ee a8 -A.OYG%


Value 2
Name: result
Type: REG_BINARY
Data:
00000000 0b 73 22 e8 1e 11 8a 21 - 23 c4 69 95 99 3d 04 7c .s"...!#i..=.|
00000010 59 50 07 5b de 7f a6 8f - cc a0 9a 08 a7 71 db de YP.[..̠..q



Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\System
Class Name: <NO CLASS>
Last Write Time: 10/19/2006 - 12:06 AM
Value 0
Name: param
Type: REG_BINARY
Data:
00000000 52 55 52 5c 56 4b 7a 77 - 28 4e 56 54 50 57 0c 02 RUR\VKzw(NVTPW..


Value 1
Name: data
Type: REG_BINARY
Data:
00000000 4f b5 8b e1 af 63 e3 e4 - 71 9e f1 2e 51 de a5 94 O.cq..Qޥ.


Value 2
Name: option
Type: REG_BINARY
Data:
00000000 d7 43 4e 6e f6 f4 86 c2 - b0 58 53 3b f5 e9 f0 0e CNn.°XS;.
00000010 90 a3 d0 29 21 60 7d 0b - a6 d9 66 41 f2 d3 21 6a .)!`}.fA!j
00000020 a4 e8 17 21 7e f3 fb 0c - 3f fd d7 40 79 3b 80 e2 .!~.?@y;.
00000030 83 b1 4c ee 42 7e ad f8 - 8d 1b 3f 63 34 b1 ec 7d .LB~..?c4}
00000040 24 68 7b 53 e7 a9 91 52 - 46 f9 93 5b 4e 5b ba ce $h{S.RF.[N[
00000050 55 34 65 ee 4a 66 fc 8c - 37 d9 a9 dd 46 cb 6f b1 U4eJf.7٩Fo
00000060 5a a9 6c 90 b3 c0 d7 d4 - e6 91 c2 eb 7f 83 d1 d8 Zl....
00000070 7d 90 c6 41 e3 a8 35 2f - bb 2d 8c 63 72 b2 59 36 }.A5/-.crY6
00000080 80 e6 87 a9 f0 63 09 53 - bc a5 d3 79 61 52 b1 82 ..c SyaR.
00000090 08 3d 3e 40 d6 25 eb bd - 9c cc 61 56 9a 20 f0 72 .=>@%.aV. r
000000a0 8d 09 7a d0 98 67 8b ae - 51 c0 08 0a c2 0b 0b 88 . z.g.Q.....
000000b0 45 c0 0a 36 80 f0 ec 42 - 4a 33 7c 44 95 29 f6 bc E.6.BJ3|D.)
000000c0 51 1f 53 3c b1 4e e6 06 - 86 ee 49 90 a4 53 0a c2 Q.S<N..I.S.
000000d0 83 72 18 57 4f 86 44 b1 - e3 25 ed 26 a5 1f 3a d3 .r.WO.D%&.:
000000e0 4a 7d 49 a2 87 50 28 ab - a3 2b f0 cc 2f bd 49 20 J}I.P(+/I
000000f0 0d fa 61 0f 17 f7 c9 00 - d8 b1 c6 70 92 64 ca c0 .a...رp.d
00000100 9b 43 74 15 c7 e5 6e c8 - 42 f3 bb 26 57 15 af 98 .Ct.nB&W..



Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\TappingScan
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: EnableScheduled
Type: REG_DWORD
Data: 0x0

Value 1
Name: Interval
Type: REG_DWORD
Data: 0x1e


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\TSC
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: ExecuteMode
Type: REG_DWORD
Data: 0x10001

Value 1
Name: DisableConsoleOutput
Type: REG_DWORD
Data: 0x1

Value 2
Name: DisableDebugOutput
Type: REG_DWORD
Data: 0x1

Value 3
Name: DisableReportOutput
Type: REG_DWORD
Data: 0x1

Value 4
Name: ShowNoVirusMsg
Type: REG_DWORD
Data: 0x0

Value 5
Name: DetachConsole
Type: REG_DWORD
Data: 0x0

Value 6
Name: ShowVirusMsg
Type: REG_DWORD
Data: 0x0

Value 7
Name: DebugInfoLevel
Type: REG_DWORD
Data: 0x0

Value 8
Name: BackupFile
Type: REG_DWORD
Data: 0x1

Value 9
Name: BackupFileNumber
Type: REG_DWORD
Data: 0x3

Value 10
Name: AssessmentMode
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Update
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: Day
Type: REG_DWORD
Data: 0x0

Value 1
Name: Month
Type: REG_DWORD
Data: 0x0

Value 2
Name: Year
Type: REG_DWORD
Data: 0x0

Value 3
Name: UserAgent
Type: REG_SZ
Data: TMhtload/1.31.00.1712

Value 4
Name: ComponentVS
Type: REG_DWORD
Data: 0x1

Value 5
Name: ComponentTSC
Type: REG_DWORD
Data: 0x1

Value 6
Name: ComponentVA
Type: REG_DWORD
Data: 0x1

Value 7
Name: ComponentPFW
Type: REG_DWORD
Data: 0x1

Value 8
Name: ComponentSpyware
Type: REG_DWORD
Data: 0x1

Value 9
Name: ComponentAntiSpam
Type: REG_DWORD
Data: 0x1

Value 10
Name: ComponentProgram
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\VA
Class Name: <NO CLASS>
Last Write Time: 8/10/2007 - 10:00 PM
Value 0
Name: ExecuteMode
Type: REG_DWORD
Data: 0x10001

Value 1
Name: LastCount
Type: REG_DWORD
Data: 0xe4

Value 2
Name: DisableConsoleOutput
Type: REG_DWORD
Data: 0x1

Value 3
Name: DisableDebugOutput
Type: REG_DWORD
Data: 0x1

Value 4
Name: DisableReportOutput
Type: REG_DWORD
Data: 0x1

Value 5
Name: ShowNoVirusMsg
Type: REG_DWORD
Data: 0x0

Value 6
Name: ShowVirusMsg
Type: REG_DWORD
Data: 0x0

Value 7
Name: DebugInfoLevel
Type: REG_DWORD
Data: 0x0

Value 8
Name: BackupFile
Type: REG_DWORD
Data: 0x1

Value 9
Name: DetachConsole
Type: REG_DWORD
Data: 0x0

Value 10
Name: BackupFileNumber
Type: REG_DWORD
Data: 0x3

Value 11
Name: AssessmentMode
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PFW
Class Name: <NO CLASS>
Last Write Time: 10/19/2006 - 2:43 PM
Value 0
Name: RulePath
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\PFW\

Value 1
Name: Control
Type: REG_DWORD
Data: 0x1

Value 2
Name: ProductName
Type: REG_SZ
Data: Trend Micro PC-cillin Internet Security (Firewall)

Value 3
Name: CompanyName
Type: REG_SZ
Data: Trend Micro, Inc.

Value 4
Name: ProductVersion
Type: REG_SZ
Data: 12

Value 5
Name: ServiceDesc
Type: REG_SZ
Data: Manages the Trend Micro Personal Firewall.

Value 6
Name: Status
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PFW\FireWall
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: Control
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TMAS
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TMAS\OE_OEM
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: {95D9B4D8-B091-4fab-80EA-313EB4B82FD6}

Value 1
Name: Home
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\

Value 2
Name: Ver
Type: REG_SZ
Data: 3.5.1113


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TMAS\OL_OEM
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:06 AM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: {EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}

Value 1
Name: Home
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\TMAS_OL\

Value 2
Name: Ver
Type: REG_SZ
Data: 3.5.1113


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: TempPath
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\TmpxTmp\

Value 1
Name: InstallPath
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\

Value 2
Name: LogPath
Type: REG_SZ
Data: C:\Program Files\Trend Micro\Internet Security 12\log\

Value 3
Name: ProxyPort
Type: REG_DWORD
Data: 0x1b57

Value 4
Name: ErrTitle
Type: REG_SZ
Data: Trend Micro

Value 5
Name: ErrText
Type: REG_SZ
Data: The TmProxy module experienced a critical error. Please reinstall the program: internal error:


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\http
Class Name: <NO CLASS>
Last Write Time: 10/19/2006 - 2:43 PM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x0

Value 1
Name: scan
Type: REG_SZ
Data: http

Value 2
Name: filename
Type: REG_SZ
Data: TmphHttp.dll

Value 3
Name: type
Type: REG_DWORD
Data: 0x3


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\http\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: MaxHeaderCount
Type: REG_DWORD
Data: 0x64

Value 1
Name: MaxRequestBodyScanSize
Type: REG_DWORD
Data: 0x400

Value 2
Name: MaxResponseBodyScanSize
Type: REG_DWORD
Data: 0x2800

Value 3
Name: MaxLineSize
Type: REG_DWORD
Data: 0x1ffe

Value 4
Name: TargetRequestMethods
Type: REG_SZ
Data: GET,POST

Value 5
Name: MessageBodyMemorySizeLimit
Type: REG_DWORD
Data: 0x200


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\http\redirect
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\http\redirect\AOL
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: process
Type: REG_SZ
Data: waol

Value 1
Name: port
Type: REG_DWORD
Data: 0x50


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\http\redirect\AOL11523
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: port
Type: REG_DWORD
Data: 0x2d03

Value 1
Name: process
Type: REG_SZ
Data: waol


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\http\redirect\Explorer
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: port
Type: REG_DWORD
Data: 0x50

Value 1
Name: process
Type: REG_SZ
Data: explorer


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\http\redirect\IE
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: process
Type: REG_SZ
Data: iexplore

Value 1
Name: port
Type: REG_DWORD
Data: 0x50


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\http\redirect\Netscape6
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: port
Type: REG_DWORD
Data: 0x50

Value 1
Name: process
Type: REG_SZ
Data: netscp6


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\http\redirect\Netscape7
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: process
Type: REG_SZ
Data: Netscp

Value 1
Name: port
Type: REG_DWORD
Data: 0x50


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\icq
Class Name: <NO CLASS>
Last Write Time: 10/19/2006 - 2:43 PM
Value 0
Name: scan
Type: REG_SZ
Data: im

Value 1
Name: enable
Type: REG_DWORD
Data: 0x0

Value 2
Name: filename
Type: REG_SZ
Data: TmphIcq.dll

Value 3
Name: type
Type: REG_DWORD
Data: 0x5


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\icq\redirect
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\icq\redirect\icq-in
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: process
Type: REG_SZ
Data: icq

Value 1
Name: port
Type: REG_DWORD
Data: 0x0

Value 2
Name: direction
Type: REG_DWORD
Data: 0x1

Value 3
Name: flag
Type: REG_DWORD
Data: 0x2


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\icq\redirect\icq-out
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: process
Type: REG_SZ
Data: icq

Value 1
Name: port
Type: REG_DWORD
Data: 0x0

Value 2
Name: direction
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\msn
Class Name: <NO CLASS>
Last Write Time: 10/19/2006 - 2:43 PM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x0

Value 1
Name: scan
Type: REG_SZ
Data: im

Value 2
Name: filename
Type: REG_SZ
Data: TmphMsn.dll

Value 3
Name: type
Type: REG_DWORD
Data: 0x4


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\msn\redirect
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\msn\redirect\msmsgs
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: flag
Type: REG_DWORD
Data: 0x1

Value 1
Name: process
Type: REG_SZ
Data: msmsgs

Value 2
Name: port
Type: REG_DWORD
Data: 0x747


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\msn\redirect\msmsgs80
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: process
Type: REG_SZ
Data: msmsgs

Value 1
Name: port
Type: REG_DWORD
Data: 0x50


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\msn\redirect\msnmsgr
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: flag
Type: REG_DWORD
Data: 0x1

Value 1
Name: process
Type: REG_SZ
Data: msnmsgr

Value 2
Name: port
Type: REG_DWORD
Data: 0x747


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\msn\redirect\msnmsgr80
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: process
Type: REG_SZ
Data: msnmsgr

Value 1
Name: port
Type: REG_DWORD
Data: 0x50


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\pop3
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x1

Value 1
Name: scan
Type: REG_SZ
Data: Pop3

Value 2
Name: type
Type: REG_DWORD
Data: 0x1

Value 3
Name: filename
Type: REG_SZ
Data: TmphPop3.dll


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\pop3\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: WaitTime
Type: REG_DWORD
Data: 0x0

Value 1
Name: IntervalLength
Type: REG_DWORD
Data: 0x7530

Value 2
Name: LimitSize
Type: REG_DWORD
Data: 0xc00


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\pop3\Redirect
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\pop3\Redirect\Pop3Mailer
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: process
Type: REG_SZ
Data:

Value 1
Name: port
Type: REG_DWORD
Data: 0x6e


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\smtp
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: scan
Type: REG_SZ
Data: smtp

Value 1
Name: enable
Type: REG_DWORD
Data: 0x1

Value 2
Name: filename
Type: REG_SZ
Data: TmphSMTP.dll

Value 3
Name: type
Type: REG_DWORD
Data: 0x2


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\smtp\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: WaitTime
Type: REG_DWORD
Data: 0x0

Value 1
Name: LimitSize
Type: REG_DWORD
Data: 0xc00

Value 2
Name: IntervalLength
Type: REG_DWORD
Data: 0x7530


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\smtp\redirect
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\ProtocolHandler\smtp\redirect\SmtpMailer
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: process
Type: REG_SZ
Data:

Value 1
Name: port
Type: REG_DWORD
Data: 0x19


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\AntiSpam
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: filename
Type: REG_SZ
Data: TmpeASpm.dll


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\HttpManager
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: filename
Type: REG_SZ
Data: TmsmHttp.dll


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\HttpManager\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: ExclusionExtensions
Type: REG_SZ
Data: doc,ppt,xls,pdf,jpg,jpeg,gif,bmp,png,mpg,mpeg,mp3,wav,wave,qt,qtm,avi,asf,asx,mov,mp4,mid,midi,swf,ram,zip,lzh,gz,tar,rar,arc,exe,cab,jar,class,ocx,js,css,dll

Value 1
Name: UrlFilterAlertFile
Type: REG_SZ
Data: UrlFAlt.htm

Value 2
Name: UrlHistoryFile
Type: REG_SZ
Data: UrlHist.log

Value 3
Name: PrivacyDataAlertFile
Type: REG_SZ
Data: PDPAlt.htm

Value 4
Name: WebMailDetectionHeaders
Type: REG_SZ
Data: HMServer:,Server:AOLServer/,Content-Description:

Value 5
Name: MaxUrlHistoryCount
Type: REG_DWORD
Data: 0x64

Value 6
Name: MaxWebMailScanSize
Type: REG_DWORD
Data: 0xc00

Value 7
Name: UrlFilterErrorFile
Type: REG_SZ
Data: UrlFErr.htm


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\ImManager
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: filename
Type: REG_SZ
Data: TmsmIm.dll


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\MailManager
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: filename
Type: REG_SZ
Data: TmsmMail.dll


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\MailManager\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: BytesPerEntHdr
Type: REG_DWORD
Data: 0x8000

Value 1
Name: WarningFile
Type: REG_SZ
Data: TmWarn.txt

Value 2
Name: ParamPerHdrField
Type: REG_DWORD
Data: 0x20

Value 3
Name: HdrPerEnt
Type: REG_DWORD
Data: 0x40

Value 4
Name: DisclaimerOriginalName
Type: REG_SZ
Data: original.txt

Value 5
Name: DisclaimerFile
Type: REG_SZ
Data: TmNewML.txt

Value 6
Name: EntPerMsg
Type: REG_DWORD
Data: 0x40

Value 7
Name: DisclaimerSubject
Type: REG_SZ
Data: Trend Micro PC-cillin Internet Security detected and took action on a malicious email

Value 8
Name: ExtlactLvlPerMsg
Type: REG_DWORD
Data: 0x20

Value 9
Name: EnableDisclaimer
Type: REG_DWORD
Data: 0x1

Value 10
Name: DisclaimerCharset
Type: REG_SZ
Data: us-ascii

Value 11
Name: DisclaimerAddress
Type: REG_SZ
Data: Trend Micro

Value 12
Name: AddressCacheDirection
Type: REG_DWORD
Data: 0x11

Value 13
Name: AddressCacheFile
Type: REG_SZ
Data: MailAddr.dat


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\PrivacyProtection
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: filename
Type: REG_SZ
Data: TmpePDP.dll


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\PrivacyProtection\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: filename
Type: REG_SZ
Data: TmpePDP.dll

Value 1
Name: AccessRetryCount
Type: REG_DWORD
Data: 0xa

Value 2
Name: AccessWaitTime
Type: REG_DWORD
Data: 0x32

Value 3
Name: CharSetEntry
Type: REG_DWORD
Data: 0xb

Value 4
Name: ExtCharSetEntry
Type: REG_DWORD
Data: 0x0

Value 5
Name: DefaultCharSet
Type: REG_DWORD
Data: 0x2

Value 6
Name: DataBaseName
Type: REG_SZ
Data: PDPCfg.dat

Value 7
Name: BackUpDBName
Type: REG_SZ
Data: PDPCfg.bak

Value 8
Name: ItemEntryMax
Type: REG_DWORD
Data: 0x14

Value 9
Name: ItemEntryCount
Type: REG_DWORD
Data: 0x5

Value 10
Name: ItemName00
Type: REG_SZ
Data: Name

Value 11
Name: ItemName01
Type: REG_SZ
Data: Credit card number

Value 12
Name: ItemName02
Type: REG_SZ
Data: Telephone number

Value 13
Name: ItemName03
Type: REG_SZ
Data: Login name

Value 14
Name: ItemName04
Type: REG_SZ
Data: Password

Value 15
Name: Description00
Type: REG_SZ
Data: Enter your name or other description here (optional)

Value 16
Name: Description01
Type: REG_SZ
Data: Enter a description here (optional)

Value 17
Name: Description02
Type: REG_SZ
Data: Enter a description here (optional)

Value 18
Name: Description03
Type: REG_SZ
Data: Enter a description here (optional)

Value 19
Name: Description04
Type: REG_SZ
Data: Enter a description here (optional)

Value 20
Name: ScanTarget00
Type: REG_DWORD
Data: 0x0

Value 21
Name: ScanTarget01
Type: REG_DWORD
Data: 0x0

Value 22
Name: ScanTarget02
Type: REG_DWORD
Data: 0x0

Value 23
Name: ScanTarget03
Type: REG_DWORD
Data: 0x0

Value 24
Name: ScanTarget04
Type: REG_DWORD
Data: 0x0

Value 25
Name: PrivacyData00
Type: REG_BINARY
Data:
00000000 97 83 07 20 7e d3 53 15 - b4 88 f8 ed 58 f8 6b 42 ... ~S..XkB
00000010 56 f8 eb 6a 90 ab e1 c5 - 0a 4b 6e 7b 6b e0 28 d8 Vj..Kn{k(
00000020 35 28 15 4c e2 41 5f 9c - 7d cc 4e 71 7e 4d 5a 34 5(.LA_.}Nq~MZ4


Value 26
Name: PrivacyData01
Type: REG_BINARY
Data:
00000000 e5 dd 23 a5 0e d1 9c 5e - 03 4c 09 79 1f df 4b 8b #..^.L y.K.
00000010 77 b0 8b 3c f1 a6 c4 d0 - 8d 7e 9d 38 f9 23 27 e5 w.<.~.8#'
00000020 cf c7 fc d9 44 f7 df 5a - 42 65 d3 a4 a5 f1 cd b3 DZBeӤͳ


Value 27
Name: PrivacyData02
Type: REG_BINARY
Data:
00000000 89 d2 c6 9d 61 25 a7 a8 - e3 68 e8 a6 67 f0 f9 f4 ..a%hg
00000010 30 04 42 b6 38 4f 83 5f - 06 82 ba f2 a4 f1 49 86 0.B8O._..I.
00000020 52 40 f7 7d 3e fd fe 38 - f9 b7 02 1b 56 61 23 fd R@}>8..Va#


Value 28
Name: PrivacyData03
Type: REG_BINARY
Data:
00000000 2b 32 82 55 9d c4 3e 56 - f9 65 3e b2 65 6e 07 6f +2.U.>Ve>en.o
00000010 d2 42 cd 8d a3 64 54 78 - 29 3c ee 76 1d 0c ce ee B.dTx)<v..
00000020 55 55 86 8a e9 25 c8 f6 - 29 c3 93 05 49 b6 ab a0 UU..%)..I


Value 29
Name: PrivacyData04
Type: REG_BINARY
Data:
00000000 7a e1 5b ce 77 f8 f8 62 - 84 45 42 f8 f3 3b bc a8 z[wb.EB;
00000010 87 dd cc 48 9a 97 25 a3 - 89 0a 2c b6 6e b7 35 1f .H..%..,n5.
00000020 93 08 90 98 5f 1d e6 12 - 2f f7 bb be 93 d2 c8 94 ...._../..


Value 30
Name: ExclusionItemMax
Type: REG_DWORD
Data: 0x190


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\URLFilter
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: filename
Type: REG_SZ
Data: TmpeURLF.dll


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\URLFilter\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: Mode
Type: REG_DWORD
Data: 0x0

Value 1
Name: Blacklist
Type: REG_SZ
Data: URLBlist.dat

Value 2
Name: Whitelist
Type: REG_SZ
Data: URLAlist.dat

Value 3
Name: CategoryFile
Type: REG_SZ
Data: URLCateg.dat

Value 4
Name: CategoryGroupFile
Type: REG_SZ
Data: URLGroup.dat

Value 5
Name: CategoryNameUserDefine
Type: REG_SZ
Data: User Define

Value 6
Name: CategoryNameError
Type: REG_SZ
Data: Server Lookup Error

Value 7
Name: MaxCacheEntries
Type: REG_DWORD
Data: 0x64

Value 8
Name: CacheLifetime
Type: REG_DWORD
Data: 0xe10

Value 9
Name: EnableServerLookup
Type: REG_DWORD
Data: 0x0

Value 10
Name: EnableProxy
Type: REG_DWORD
Data: 0x0

Value 11
Name: LookupServer
Type: REG_BINARY
Data:
00000000 6c d2 8d 38 70 9b 71 5c - 6f c8 6d a1 d9 59 6f 67 l.8p.q\omYog
00000010 35 80 f3 04 19 20 fe 54 - 01 13 f2 db 1c f6 bc 72 5... T...r


Value 12
Name: LookupVID
Type: REG_BINARY
Data:
00000000 bf b0 ae 3a 53 b3 9f dd - b6 2b 09 08 59 bb 5c be :S.ݶ+ .Y\


Value 13
Name: LookupLicense
Type: REG_BINARY
Data:
00000000 30 4e e4 f5 d2 f1 a1 6c - 89 69 e2 02 56 be 6b 7b 0Nl.i.Vk{


Value 14
Name: LookupTimeout
Type: REG_DWORD
Data: 0x1e

Value 15
Name: ExclusionExtensions
Type: REG_SZ
Data: jpg,jpeg,gif,bmp,png,mpg,mpeg,mp3,wav,wave,qt,qtm,avi,asf,asx,mov,mp4,mid,midi,swf,ram,cab,jar,class,ocx,js,css,crl

Value 16
Name: BlockCategoryGroups
Type: REG_BINARY
Data:

Value 17
Name: ProxyServer
Type: REG_SZ
Data:

Value 18
Name: ProxyPort
Type: REG_DWORD
Data: 0x50

Value 19
Name: ProxyUser
Type: REG_BINARY
Data:

Value 20
Name: ProxyPassword
Type: REG_BINARY
Data:


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\Virus
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: Filename
Type: REG_SZ
Data: TmpeVS.dll


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Common\Virus\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: Language
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\http
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\http\HttpManager
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\http\PrivacyProtection
Class Name: <NO CLASS>
Last Write Time: 10/19/2006 - 2:43 PM
Value 0
Name: logExtension
Type: REG_SZ
Data: PPG

Value 1
Name: enable
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\http\PrivacyProtection\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: SearchTableIndex
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\http\URLFilter
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: LogExtension
Type: REG_SZ
Data: ULG

Value 1
Name: enable
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\http\Virus
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x0

Value 1
Name: LogExtension
Type: REG_SZ
Data: VLG


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\http\Virus\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: ZipClean
Type: REG_DWORD
Data: 0x1

Value 1
Name: ZipScan
Type: REG_DWORD
Data: 0x1

Value 2
Name: ExtractFileSizeLimit
Type: REG_DWORD
Data: 0xffffffff

Value 3
Name: ZipLayer
Type: REG_DWORD
Data: 0x1

Value 4
Name: Action2nd
Type: REG_DWORD
Data: 0x4

Value 5
Name: Action
Type: REG_DWORD
Data: 0x3


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\im
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\im\ImManager
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\im\PrivacyProtection
Class Name: <NO CLASS>
Last Write Time: 10/19/2006 - 2:43 PM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x0

Value 1
Name: logExtension
Type: REG_SZ
Data: PPG


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\im\PrivacyProtection\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: SearchTableIndex
Type: REG_DWORD
Data: 0x2


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Pop3
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Pop3\AntiSpam
Class Name: <NO CLASS>
Last Write Time: 10/19/2006 - 2:44 PM
Value 0
Name: LogExtension
Type: REG_SZ
Data: ASG

Value 1
Name: enable
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Pop3\AntiSpam\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: DisabledRule
Type: REG_SZ
Data:

Value 1
Name: Blacklist
Type: REG_SZ
Data: ASPBList.dat

Value 2
Name: Whitelist
Type: REG_SZ
Data: ASPAList.dat

Value 3
Name: High
Type: REG_SZ
Data: 4

Value 4
Name: DefWhitelist
Type: REG_SZ
Data:

Value 5
Name: Sign
Type: REG_SZ
Data: spam:

Value 6
Name: Level
Type: REG_DWORD
Data: 0x1

Value 7
Name: Medium
Type: REG_SZ
Data: 5

Value 8
Name: Low
Type: REG_SZ
Data: 7


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Pop3\MailManager
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Pop3\Virus
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: logExtension
Type: REG_SZ
Data: VLG

Value 1
Name: Enable
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\Pop3\Virus\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: ZipLayer
Type: REG_DWORD
Data: 0x1

Value 1
Name: ExtractFileSizeLimit
Type: REG_DWORD
Data: 0xffffffff

Value 2
Name: ZipClean
Type: REG_DWORD
Data: 0x1

Value 3
Name: Action2nd
Type: REG_DWORD
Data: 0x4

Value 4
Name: Action
Type: REG_DWORD
Data: 0x3

Value 5
Name: ZipScan
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\smtp
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\smtp\MailManager
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\smtp\PrivacyProtection
Class Name: <NO CLASS>
Last Write Time: 10/19/2006 - 2:43 PM
Value 0
Name: Enable
Type: REG_DWORD
Data: 0x0

Value 1
Name: logExtension
Type: REG_SZ
Data: PPG


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\smtp\PrivacyProtection\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: SearchTableIndex
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\smtp\Virus
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: enable
Type: REG_DWORD
Data: 0x1

Value 1
Name: LogExtension
Type: REG_SZ
Data: VLG


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TmProxy\Scan\smtp\Virus\config
Class Name: <NO CLASS>
Last Write Time: 12/19/2005 - 9:07 AM
Value 0
Name: ZipLayer
Type: REG_DWORD
Data: 0x1

Value 1
Name: Action2nd
Type: REG_DWORD
Data: 0x65

Value 2
Name: ZipScan
Type: REG_DWORD
Data: 0x1

Value 3
Name: ZipClean
Type: REG_DWORD
Data: 0x1

Value 4
Name: ExtractFileSizeLimit
Type: REG_DWORD
Data: 0xffffffff

Value 5
Name: Action
Type: REG_DWORD
Data: 0x3




#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 PM

Posted 11 May 2010 - 05:34 PM

Hello, Plexi.
OK, this may take a few tries...there's lots of info out there, but we'll have to sort through it.




Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.



Step 2

Launch regedit.exe and navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\System

Click on the 'system' folder in this path on the left pane of Registry Editor, select rename and change it to "systemBACKUP".

Close registry editor.

Reboot

Then try to uninstall it. Success?

etavares

Edited by etavares, 11 May 2010 - 05:34 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
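Doing Steps 1 and 2 from an elevated console, as an added example that is not part of etavares's post: the script exports the key named in Step 2 to a .reg file first (the same safety-net idea as the ERUNT backup), refuses to continue if the export fails or the new name is already taken, and only then renames the key. The backup folder under the Desktop, the parameter names and the availability of PowerShell on the machine are assumptions; the key path and the new name are the ones the post gives.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: back up a registry key to a .reg
# file, then rename it in place so the change can be undone later.
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\TrendMicro\PC-cillin\System',   # from Step 2
    [string]$NewName   = 'systemBACKUP',                                 # from Step 2
    [string]$BackupDir = "$env:USERPROFILE\Desktop\regbackup"            # assumed location
)

$ErrorActionPreference = 'Stop'

# Nothing to do if the key is not there (e.g. the product was already removed).
if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Warning "Key not found: $KeyPath (nothing to rename)"
    return
}

# reg.exe needs the native HKEY_LOCAL_MACHINE\... form, not the HKLM: drive form.
$nativePath = Convert-Path -LiteralPath $KeyPath

# Export a copy before touching anything; /y overwrites an existing file silently.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$regFile = Join-Path $BackupDir "PC-cillin_System_$stamp.reg"
& reg.exe export $nativePath $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $regFile)) {
    throw "reg.exe export failed (exit code $LASTEXITCODE); key left untouched"
}

# Refuse to clobber a key that already carries the backup name.
$parent = Split-Path -Path $KeyPath -Parent
$target = Join-Path $parent $NewName
if (Test-Path -LiteralPath $target) {
    throw "$target already exists; pick another -NewName"
}

# Rename-Item works on registry keys through the HKLM: provider.
Rename-Item -LiteralPath $KeyPath -NewName $NewName
Write-Host "Exported to $regFile and renamed to $target."
Write-Host "Reboot, then retry the uninstall. Undo with Rename-Item back to 'System',"
Write-Host "or 'reg.exe import $regFile' if the uninstaller removed the renamed key."
```

Run it from an elevated PowerShell prompt; the `#Requires` line stops it early if the session is not elevated, and the export happens before the rename so a failed backup never leaves the key changed.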
 


#15 Plexi

Plexi
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 11 May 2010 - 07:01 PM

Looks like that worked.



