
Search Redirects


This topic is locked
23 replies to this topic

#1 Mockup

Mockup

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:23 PM

Posted 07 May 2010 - 07:38 AM

Three days ago my computer became infected by a rogue spyware program that began running on my desktop. I shut down, rebooted and was able to get into System Restore. This killed the rogue spyware program, but searches on some keywords (not all) are redirected to cheesy search sites at random (I don't think I've seen the same site twice). Occasionally a new browser window will pop up unasked with a similar cheesy site. I ran Malwarebytes and it disn't find anything. I ran Super Antispyware and it found and cleaned a few things on an external hard drive, but nothing on the C Drive.

Any help would be much appreciated.

DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Paul Model at 14:56:23.96 on Thu 05/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.302 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe
C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Documents and Settings\Paul Model\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\GFI\GFIBAC~1\GFIAgent.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Paul Model\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [GFI Backup 2009 - Home Edition] "c:\progra~1\gfi\gfibac~1\GFIAgent.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [<NO NAME>]
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\orderreminder\OrderReminder.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [MXOBG] c:\documents and settings\paul model\local settings\temp\{231f68f4-70e4-41a6-beda-7e7934169b54}\MXOALDR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231963661265
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231963654140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-17 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-14 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-17 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 61440]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-24 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-17 297752]
R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\gfi\gfibac~1\GFIHInst.exe [2009-10-27 440616]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\gfi\gfibac~1\GFIHSC~1.EXE [2009-10-27 1410856]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-1-16 47640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-05-06 18:52:55 0 ----a-w- c:\documents and settings\paul model\defogger_reenable
2010-05-06 14:03:17 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-06 14:02:54 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-06 14:02:53 0 d-----w- c:\docume~1\paulmo~1\applic~1\SUPERAntiSpyware.com
2010-05-06 14:02:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-06 12:19:13 0 d-----w- c:\program files\CCleaner
2010-05-04 20:21:15 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-30 19:07:05 0 d--h--w- C:\$AVG8.VAULT$

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 14:52:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-01-14 20:57:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011420090115\index.dat

============= FINISH: 14:57:27.87 ===============


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:23 AM

Posted 07 May 2010 - 07:41 PM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


+++++++++++++++++++++++++++++++


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


Edited by sempai, 07 May 2010 - 08:09 PM.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Mockup


Posted 08 May 2010 - 07:46 AM

Sempai-

Thank you for your prompt response. I will be away from the sick computer until tomorrow morning my time. I will run Combofix and respond then.

Regards,

Mockup



#4 sempai


Posted 08 May 2010 - 07:50 AM

Alright, no problem and thanks for letting me know.

~Semp



#5 Mockup


Posted 09 May 2010 - 10:07 AM

Sempai-

Combofix ran successfully and I have rebooted. I tried four or five of the search terms that had been redirected in Google and the redirects were gone. Combofix log below. Thanks again for your help.

Regards,

Mockup

ComboFix 10-05-08.03 - Paul Model 05/09/2010 10:38:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.655 [GMT -4:00]
Running from: c:\documents and settings\Paul Model\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Paul Model\g2ax_customer_downloadhelper_win32_x86.exe
E:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-08 11:56 . 2010-05-08 12:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-05-07 13:59 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-07 13:09 . 2010-05-07 13:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-06 14:04 . 2010-05-06 14:04 63488 ----a-w- c:\documents and settings\Paul Model\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-06 14:04 . 2010-05-06 14:04 52224 ----a-w- c:\documents and settings\Paul Model\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-06 14:04 . 2010-05-07 13:53 117760 ----a-w- c:\documents and settings\Paul Model\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-06 14:03 . 2010-05-06 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\documents and settings\Paul Model\Application Data\SUPERAntiSpyware.com
2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-06 12:19 . 2010-05-06 12:19 -------- d-----w- c:\program files\CCleaner
2010-05-04 20:21 . 2010-05-04 20:21 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-30 19:07 . 2010-05-06 15:47 -------- d-----w- C:\$AVG8.VAULT$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 12:06 . 2009-01-16 15:04 -------- d-----w- c:\program files\LogMeIn
2010-05-08 11:57 . 2009-04-22 18:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-07 13:59 . 2008-01-14 21:43 -------- d-----w- c:\program files\Java
2010-05-04 20:28 . 2010-03-29 20:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 20:28 . 2010-05-04 20:28 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-29 19:39 . 2010-03-29 20:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-29 20:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 14:52 . 2008-01-14 21:43 -------- d-----w- c:\program files\Common Files\Java
2010-03-29 20:01 . 2010-03-29 20:01 -------- d-----w- c:\documents and settings\Paul Model\Application Data\Malwarebytes
2010-03-29 20:01 . 2010-03-29 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\25377\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\25377\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\25377\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\25377\AcrobatUpdater.exe
2010-03-11 12:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 10:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2005-03-30 01:23 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GFI Backup 2009 - Home Edition"="c:\progra~1\GFI\GFIBAC~1\GFIAgent.exe" [2009-10-22 1839912]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-27 2020592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2009-01-14 98304]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 823296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 12:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 15:06 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/17/2008 2:52 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/17/2008 2:52 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 61440]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/24/2009 8:59 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/17/2008 2:52 PM 297752]
R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [10/27/2009 11:23 AM 440616]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [10/27/2009 11:23 AM 1410856]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
.
Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 10:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-05-09 10:55:04
ComboFix-quarantined-files.txt 2010-05-09 14:55

Pre-Run: 53,198,671,872 bytes free
Post-Run: 53,394,313,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D38DE0D2EB33EF83EE90ABC4099DC8AE
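The ComboFix log above carries the findings a helper reads first: the disinfected ipsec.sys driver, the Autorun.inf removed from E:, the autostart entries, the standard-profile firewall set to 0, and 3389/TCP globally opened. The triage helper below is an added example (not from this thread, not ComboFix's own code) that parses those sections of a ComboFix-format log and flags them; its sample input is a trimmed excerpt of the log above plus one constructed autostart line (MXOBG, taken from the DDS log's Temp-folder mRun entry, with a made-up date/size trailer).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: trimmed excerpt of the ComboFix log in this thread, plus
# the MXOBG autostart from the DDS log with a made-up "[date size]" trailer.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Paul Model\g2ax_customer_downloadhelper_win32_x86.exe
E:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.
2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\program files\SUPERAntiSpyware
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"MXOBG"="c:\documents and settings\paul model\local settings\temp\{231f68f4-70e4-41a6-beda-7e7934169b54}\MXOALDR.EXE" [2010-01-01 12345]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "((( Section Name )))"
KEY_RE = re.compile(r"^\[(.+)\]$")                         # REGEDIT4 key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')           # "name"= value
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Findings:
    deletions: List[str] = field(default_factory=list)
    disinfected: List[str] = field(default_factory=list)
    autostarts: List[Tuple[str, str, str]] = field(default_factory=list)  # (key, name, command)
    firewall_enabled: Optional[bool] = None
    open_ports: List[str] = field(default_factory=list)


def parse_combofix(text: str) -> Findings:
    """Walk the log section by section, keeping only the security-relevant items."""
    f = Findings()
    section: Optional[str] = None
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if section == "Other Deletions":
            m = DISINFECTED_RE.match(line)
            if m:
                f.disinfected.append(m.group(1).lower())
            elif not line.startswith("Restored copy from"):
                f.deletions.append(line)
        elif section == "Reg Loading Points":
            m = KEY_RE.match(line)
            if m:
                key = m.group(1)
                continue
            m = VALUE_RE.match(line)
            if not m or key is None:
                continue
            name, value, k = m.group(1), m.group(2), key.lower()
            if k.endswith("\\currentversion\\run"):
                f.autostarts.append((key, name, value))
            elif k.endswith("\\standardprofile") and name == "EnableFirewall":
                f.firewall_enabled = value.split()[0] != "0"
            elif k.endswith("\\globallyopenports\\list"):
                f.open_ports.append(name)
    return f


def triage(f: Findings) -> List[str]:
    """Turn parsed findings into the review points a helper would raise."""
    alerts = []
    for path in f.disinfected:
        alerts.append(f"infected system file was patched and restored: {path}")
    for path in f.deletions:
        if path.lower().endswith("autorun.inf"):
            alerts.append(f"autorun.inf removed from a non-system drive: {path}")
    for _key, name, cmd in f.autostarts:
        if any(t in cmd.lower() for t in TEMP_MARKERS):
            alerts.append(f"autostart '{name}' launches from a Temp folder: {cmd}")
    if f.firewall_enabled is False:
        alerts.append("Windows Firewall is disabled in the standard profile")
    for port in f.open_ports:
        label = "RDP " if port.upper() == "3389:TCP" else ""
        alerts.append(f"{label}port {port} is globally opened in the firewall policy")
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_combofix(SAMPLE_LOG)):
        print("-", alert)
```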


#6 sempai


Posted 09 May 2010 - 11:12 AM

Hi,

Looks good.


+++++++++++++++++++++++


1. Download TFC (Temp File Cleaner) to your desktop.
  • Close any other windows.
  • Double click the TFC icon to run the program.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished, it should reboot your machine; if not, do this yourself to ensure a complete clean.
Note: TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.



2. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Note: Kaspersky online scan may take time to complete, please be patient.

~Semp



#7 Mockup


Posted 09 May 2010 - 01:21 PM

Thanks Sempai. I am hoping to get the new scans to you tomorrow night my time.

Regards,

Mockup

#8 sempai


Posted 10 May 2010 - 08:01 AM

thumbup2.gif

~Semp



#9 Mockup


Posted 11 May 2010 - 07:39 AM

Hi Sempai-

Sorry I'm late, but Kaspersky took eight hours. Log below. TFC ran successfully and the computer is now faster than it was before the infection.

A word on the Kaspersky log below: You will see some items in a TrendMicro virus vault on the F drive. I haven't used TrendMicro for years. The F drive used to be the C drive of another computer, which is where the TrendMicro files come from. I'm happy to delete anything you tell me to, I just didn't want to confuse you.


Regards,

Mockup

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, May 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, May 10, 2010 13:20:02
Records in database: 4090753
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 248762
Threats found: 16
Infected objects found: 70
Suspicious objects found: 30
Scan duration: 08:18:12


File name / Threat / Threats count
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Sasfis.albj 1
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aoqh 1
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aowv 1
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Packed.Win32.Krap.an 1
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Agent2.lkr 1
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.bce 1
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Inbox 2 09 to 8 09.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
E:\GFI\Backup 1 April 28, 2010 (03.01.21)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Sasfis.albj 1
E:\GFI\Backup 1 April 28, 2010 (03.01.21)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aoqh 1
E:\GFI\Backup 1 April 28, 2010 (03.01.21)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aowv 1
E:\GFI\Backup 1 April 28, 2010 (03.01.21)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Packed.Win32.Krap.an 1
E:\GFI\Backup 1 April 28, 2010 (03.01.21)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
E:\GFI\Backup 1 April 28, 2010 (03.01.21)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.bce 1
E:\GFI\Backup 1 April 28, 2010 (03.01.21)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Inbox 2 09 to 8 09.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
E:\GFI\Backup 1 April 29, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Sasfis.albj 1
E:\GFI\Backup 1 April 29, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aoqh 1
E:\GFI\Backup 1 April 29, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aowv 1
E:\GFI\Backup 1 April 29, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Packed.Win32.Krap.an 1
E:\GFI\Backup 1 April 29, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
E:\GFI\Backup 1 April 29, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.bce 1
E:\GFI\Backup 1 April 29, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Inbox 2 09 to 8 09.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
E:\GFI\Backup 1 April 30, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Sasfis.albj 1
E:\GFI\Backup 1 April 30, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aoqh 1
E:\GFI\Backup 1 April 30, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aowv 1
E:\GFI\Backup 1 April 30, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Packed.Win32.Krap.an 1
E:\GFI\Backup 1 April 30, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Agent2.lkr 1
E:\GFI\Backup 1 April 30, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
E:\GFI\Backup 1 April 30, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.bce 1
E:\GFI\Backup 1 April 30, 2010 (03.01.27)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Inbox 2 09 to 8 09.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\Application Data\Sun\Java\Deployment\cache\6.0\19\2cb27513-57428270 Infected: Trojan-Downloader.Java.Agent.cf 1
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Sasfis.albj 1
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aoqh 1
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aowv 1
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Packed.Win32.Krap.an 1
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Agent2.lkr 1
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.bce 1
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Inbox 2 09 to 8 09.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\Application Data\Sun\Java\Deployment\cache\6.0\19\2cb27513-57428270 Infected: Trojan-Downloader.Java.Agent.cf 1
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Sasfis.albj 1
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aoqh 1
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Inject.aowv 1
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Packed.Win32.Krap.an 1
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Agent2.lkr 1
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.bce 1
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Inbox 2 09 to 8 09.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
E:\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
E:\My Documents\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.bce 1
F:\Home inbox\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
F:\Home inbox\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.bce 1
F:\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
F:\Outlook Express\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.bce 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\A0044981.dll Infected: Rootkit.Win32.TDSS.st 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\A0044982.dll Infected: Rootkit.Win32.TDSS.st 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\A0044983.dll Infected: Rootkit.Win32.TDSS.sw 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\A0044984.dll Infected: Backdoor.Win32.TDSS.blh 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TDSSb570.RB0 Infected: Trojan.Win32.Patched.dw 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TDSSc33b.RB0 Infected: Trojan.Win32.Patched.dw 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\onqhwiex.exe Infected: Trojan-Dropper.Win32.Mutant.a 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSasqu.dll Infected: Backdoor.Win32.TDSS.blh 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSbrsr.dll Infected: Rootkit.Win32.TDSS.st 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSc33b.tmp Infected: Trojan.Win32.Patched.dw 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSklfy.dll Infected: Rootkit.Win32.TDSS.dbg 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSlxwp.dll Infected: Rootkit.Win32.TDSS.st 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSmqlt.sys Infected: Backdoor.Win32.TDSS.bkw 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSnmxh.dll Infected: Rootkit.Win32.TDSS.sw 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSoiqh.dll Infected: Backdoor.Win32.TDSS.blh 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSoiqh.sys Infected: Backdoor.Win32.TDSS.bkw 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSosvd.dll Infected: Backdoor.Win32.TDSS.blh 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSrhwg.dll Infected: Rootkit.Win32.TDSS.sw 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSriqp.dll Infected: Rootkit.Win32.TDSS.sw 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSsihc.dll Infected: Rootkit.Win32.TDSS.dbg 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSwrln.dll Infected: Rootkit.Win32.TDSS.st 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSxfum.dll Infected: Rootkit.Win32.TDSS.dbg 1

Selected area has been scanned.
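A triage helper for the Kaspersky report above, added here as an example (it is not code from the thread, from Kaspersky or from BleepingComputer). It parses the "File name / Threat / Threats count" lines and sorts each detection into the bucket that decides the clean-up action: Outlook Express .dbx mail stores that cannot be cleaned in place, copies carried inside dated GFI backup sets, and files already sitting in another product's quarantine. The bucket names, the actions and the backup-set layout (one folder per source drive letter under E:\GFI\Backup ...) are assumptions drawn from the paths in this report; the sample input is a constructed subset of those lines.

```python
"""Triage of a Kaspersky Online Scanner report by clean-up bucket.

Added example (not from the thread, Kaspersky or BleepingComputer).
Bucket names, actions and the GFI backup layout are assumptions drawn
from the paths seen in the report.
"""
import re
from collections import defaultdict

# One report line: <path> Infected|Suspicious: <threat name> <count>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Dated backup sets keep one folder per source drive letter, e.g.
# 'E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\...' (assumed from the report).
BACKUP_RE = re.compile(
    r"^[A-Z]:\\GFI\\Backup [^\\]+\\(?P<drive>[A-Z])\\(?P<rest>.+)$", re.IGNORECASE
)

ACTIONS = {
    "mail_store": "do not edit the .dbx file itself; empty or inspect that folder inside Outlook Express",
    "backup_copy": "copy inside a backup set; delete the copy and check whether the original still exists",
    "av_quarantine": "already neutralised by another product's quarantine; remove that quarantine folder",
    "other": "review individually",
}

# Constructed subset of the report lines above (verbatim lines, fewer of them).
SAMPLE_REPORT = r'''
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Sasfis.albj 1
C:\Documents and Settings\Paul Model\My Documents\Outlook Express\Inbox 2 09 to 8 09.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
E:\GFI\Backup 1 April 28, 2010 (03.01.21)\C\Documents and Settings\Paul Model\My Documents\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Sasfis.albj 1
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\Application Data\Sun\Java\Deployment\cache\6.0\19\2cb27513-57428270 Infected: Trojan-Downloader.Java.Agent.cf 1
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\Application Data\Sun\Java\Deployment\cache\6.0\19\2cb27513-57428270 Infected: Trojan-Downloader.Java.Agent.cf 1
F:\Home inbox\Home Inbox.dbx Infected: Trojan-Spy.Win32.Goldun.ayt 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\TDSSasqu.dll Infected: Backdoor.Win32.TDSS.blh 1
F:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\TDSSb570.RB0 Infected: Trojan.Win32.Patched.dw 1
'''


def parse_report(text):
    """Return one dict per detection line; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            entries.append(d)
    return entries


def classify(path):
    """Decide which clean-up bucket a detection falls into (backup copies first)."""
    low = path.lower()
    if BACKUP_RE.match(path):
        return "backup_copy"
    if low.endswith(".dbx"):
        return "mail_store"
    if "\\quarantine\\" in low:
        return "av_quarantine"
    return "other"


def original_path(path):
    """Map a file inside a backup set back to the path it was copied from."""
    m = BACKUP_RE.match(path)
    if m:
        return f"{m.group('drive').upper()}:\\{m.group('rest')}"
    return path


def triage(text):
    """Group detections by bucket, collapsing daily backup copies of one file."""
    groups = defaultdict(set)
    for e in parse_report(text):
        groups[classify(e["path"])].add((original_path(e["path"]), e["threat"]))
    return {k: sorted(v) for k, v in groups.items()}


def backup_only(groups):
    """Backup copies whose original was not itself reported on the live disk."""
    live = {p for cat, items in groups.items() if cat != "backup_copy" for p, _ in items}
    return [(p, t) for p, t in groups.get("backup_copy", []) if p not in live]


if __name__ == "__main__":
    groups = triage(SAMPLE_REPORT)
    for cat, items in groups.items():
        print(f"[{cat}] {ACTIONS[cat]}")
        for path, threat in items:
            print(f"    {threat:35} {path}")
    print("only present in backups:", backup_only(groups))
```

Run over the whole report, triage collapses the daily backup copies of each .dbx into one line, and backup_only singles out the Java cache entry whose original is not reported on C:, which matches the report, where that file appears only inside the two backup sets.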


#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:23 AM

Posted 11 May 2010 - 09:09 AM

Hi,

As our general policy, I would like to warn you about a Backdoor infection.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


We can still clean this machine, but I can't guarantee that it will be 100% secure afterward. My recommendation is to reformat and reinstall your OS.



====================================


Kaspersky found infections in Outlook Express files. As stated HERE, we can't touch those .dbx or Outlook Express files because it may result in a corrupted Outlook Express. You can empty the "Deleted Items" folder in Outlook Express to delete those infections found in "Deleted Items.dbx". I also recommend emptying the "Inbox" folder of Outlook Express, or, if you can't do that, you will need to carefully check each email/attachment to delete the infections.

With regards to Trend Micro quarantine files on F: drive, since you no longer use it and the drive used to be the C drive of another computer I think you can delete the entire Trend Micro folder:
F:\Program Files\Trend Micro


Please delete the following in bold:
E:\GFI\Backup 1 May 01, 2010 (03.01.42)\C\Documents and Settings\Paul Model\Application Data\Sun\Java\Deployment\cache\6.0\19\2cb27513-57428270
E:\GFI\Backup 1 May 04, 2010 (03.01.53)\C\Documents and Settings\Paul Model\Application Data\Sun\Java\Deployment\cache\6.0\19\2cb27513-57428270



====================================


1. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



2. Please run Malwarebytes Anti-Malware. Go to update tab and download all updates and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 Mockup

Mockup
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 11 May 2010 - 01:31 PM

Hello Sempai-

Both Combofix and Malwarebytes ran successfully; logs below.

When I tried to delete the TrendMicro folder from Program Files on the F Drive, I got the following message:

"cannot delete [LONG string of numbers]: data error (cyclic redundancy check)"

The other two files deleted fine.

I think I understand your warning about backdoors, but I'm going to go with my gut and continue the cleaning operation. This machine has been running clean and fast except for the problems described in this thread and a few changes to Microsoft Word Options that I have fixed. Also Kaspersky has complained to me before about email messages on other machines, and nothing ever came of it.

Combofix Log:

ComboFix 10-05-10.03 - Paul Model 05/11/2010 10:29:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.613 [GMT -4:00]
Running from: c:\documents and settings\Paul Model\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul Model\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-08 11:56 . 2010-05-08 12:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-05-07 13:59 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-07 13:09 . 2010-05-07 13:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-06 14:04 . 2010-05-06 14:04 63488 ----a-w- c:\documents and settings\Paul Model\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-06 14:04 . 2010-05-06 14:04 52224 ----a-w- c:\documents and settings\Paul Model\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-06 14:04 . 2010-05-07 13:53 117760 ----a-w- c:\documents and settings\Paul Model\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-06 14:03 . 2010-05-06 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\documents and settings\Paul Model\Application Data\SUPERAntiSpyware.com
2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-06 12:19 . 2010-05-06 12:19 -------- d-----w- c:\program files\CCleaner
2010-05-04 20:21 . 2010-05-04 20:21 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-30 19:07 . 2010-05-10 03:32 -------- d-----w- C:\$AVG8.VAULT$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 12:15 . 2009-01-16 15:04 -------- d-----w- c:\program files\LogMeIn
2010-05-08 11:57 . 2009-04-22 18:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-07 13:59 . 2008-01-14 21:43 -------- d-----w- c:\program files\Java
2010-05-04 20:28 . 2010-03-29 20:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2010-03-29 20:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-29 20:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 14:52 . 2008-01-14 21:43 -------- d-----w- c:\program files\Common Files\Java
2010-03-29 20:01 . 2010-03-29 20:01 -------- d-----w- c:\documents and settings\Paul Model\Application Data\Malwarebytes
2010-03-29 20:01 . 2010-03-29 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\25377\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\25377\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\25377\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\25377\AcrobatUpdater.exe
2010-03-11 12:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 10:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2005-03-30 01:23 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-09_14.53.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-10 15:38 . 2010-05-10 15:38 16384 c:\windows\Temp\Perflib_Perfdata_640.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GFI Backup 2009 - Home Edition"="c:\progra~1\GFI\GFIBAC~1\GFIAgent.exe" [2009-10-22 1839912]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-27 2020592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2009-01-14 98304]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 823296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 12:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 15:06 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/17/2008 2:52 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/17/2008 2:52 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 61440]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/24/2009 8:59 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/17/2008 2:52 PM 297752]
R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [10/27/2009 11:23 AM 440616]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [10/27/2009 11:23 AM 1410856]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 10:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-05-11 10:42:49
ComboFix-quarantined-files.txt 2010-05-11 14:42
ComboFix2.txt 2010-05-09 14:55

Pre-Run: 53,289,660,416 bytes free
Post-Run: 53,425,872,896 bytes free

- - End Of File - - 930CA8788508FFAE51DD218FA4FD52FD


Malwarebytes Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4090

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/11/2010 2:17:10 PM
mbam-log-2010-05-11 (14-17-10).txt

Scan type: Full scan (C:\|E:\|F:\|)
Objects scanned: 418542
Time elapsed: 3 hour(s), 16 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
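The CFScript in the previous reply turns the standard-profile firewall back on by writing EnableFirewall=1, and the ComboFix log in this reply prints the same firewallpolicy branch, including a GloballyOpenPorts entry for 3389:TCP (Remote Desktop). The parser and audit routine below is an added example, not part of the thread or of ComboFix: it reads the REGEDIT4-style "Reg Loading Points" lines, merges the CFScript entry into them the same way, and lists what the standard profile allows. The HKLM\~ key path is kept exactly as ComboFix prints it; the sample dumps are constructed from the log lines above plus one made-up disabled-firewall case.

```python
"""Audit of the Windows Firewall policy branch as printed by ComboFix.

Added example, not from the thread or from ComboFix.  It parses the
REGEDIT4-style '[key]' / '"name"=value' lines, so a CFScript registry
section can be merged into the log text, and reports what the standard
profile allows.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')

# Key path kept as ComboFix prints it (HKLM\~ shorthand included) and
# lower-cased, because registry paths are case-insensitive.
FW_ROOT = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"

# Constructed from the 'Reg Loading Points' lines of the ComboFix log above.
LOG_BEFORE = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
'''

# The registry section of the CFScript from the previous reply.
CFSCRIPT_MERGE = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
'''

# Made-up dump of a profile whose firewall has been switched off.
DISABLED_EXAMPLE = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000000
'''


def parse_reg_dump(text):
    """Parse '[key]' / '"name"=value' lines into {key: {name: value}}.

    A key that appears twice (log plus merged script) accumulates its values.
    """
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            reg.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            reg[current][vm.group("name")] = vm.group("value").strip()
    return reg


def firewall_findings(reg):
    """Return human-readable findings about the standard firewall profile."""
    findings = []
    enable = reg.get(FW_ROOT, {}).get("EnableFirewall")
    if enable is None:
        # ComboFix omits default entries, so absence is not proof either way.
        findings.append("EnableFirewall not listed under StandardProfile (ComboFix omits default entries; verify the value)")
    elif enable.lower() != "dword:00000001":
        findings.append(f"EnableFirewall is {enable}: firewall is off for the standard profile")
    for name in reg.get(FW_ROOT + r"\globallyopenports\list", {}):
        port, _, proto = name.partition(":")
        findings.append(f"port {port}/{proto} is opened globally (no address restriction)")
    for name in reg.get(FW_ROOT + r"\authorizedapplications\list", {}):
        findings.append(f"application exception: {name}")
    return findings


def audit(text):
    """Parse a dump and return its findings in one call."""
    return firewall_findings(parse_reg_dump(text))


if __name__ == "__main__":
    for title, dump in (("before script", LOG_BEFORE),
                        ("after script", LOG_BEFORE + CFSCRIPT_MERGE),
                        ("disabled profile", DISABLED_EXAMPLE)):
        print(f"== {title} ==")
        for f in audit(dump):
            print("  -", f)
```

The useful output is the globally open port: the script re-enables the firewall, but an unrestricted 3389/TCP exception remains a review item afterwards, since the port is reachable from any address once the service listens on it.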


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:23 AM

Posted 12 May 2010 - 04:50 AM

Hi,

Let's delete those files using a script.


We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".

    CODE
    :Files
    F:\Program Files\Trend Micro

    :Commands
    [emptytemp]
    [Reboot]

  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 Mockup

Mockup
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 12 May 2010 - 08:14 AM

Hello Sempai-

While OTM was running I got the following message:

"Error Deleting File or Folder

Cannot delete Df2: Data Error (cyclic redundancy check)"

I clicked OK on the error box and OTM asked me if I wanted to reboot. I clicked yes and on reboot OTM ran with a blue screen for a while. After rebooting I looked on the F drive and TrendMicro was still in Program Files.

Maybe this is a hardware problem with the F Drive?

Regards,

Mockup

OTM log:

All processes killed
========== FILES ==========
F:\Program Files\Trend Micro\Internet Security\TmpxTmp folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Temp folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Task folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\SpyBackup folder moved successfully.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\Service scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\report scheduled to be moved on reboot.
F:\Program Files\Trend Micro\Internet Security\Quarantine\Temp folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Quarantine\Backup folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Quarantine folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Profile folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\taskmgr_4_1_-1_-1_-1_5.1.1128 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\security_16_1_-1_-1_-1_5.1.1128 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\report_27_1_-1_-1_-1_5.1.1128 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\patch_26_1_-1_-1_-1_5.1.1128 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\merge_6_1_-1_-1_-1_5.1.1128\libs folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\merge_6_1_-1_-1_-1_5.1.1128 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\dlmgr_3_1_-1_-1_-1_5.1.1128 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\detect_18_1_-1_-1_-1_5.1.1128 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\channel_1_1_-1_-1_-1_5.1.1128 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins\cachemgr_111_1_-1_-1_-1_5.1.1128 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\plugins folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\OEM\Aegis folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\OEM folder moved successfully.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\Log scheduled to be moved on reboot.
F:\Program Files\Trend Micro\Internet Security\iaulogs folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\iaudata\_visidir folder moved successfully.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata\_filedir scheduled to be moved on reboot.
F:\Program Files\Trend Micro\Internet Security\iaudata\_aucache folder moved successfully.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata scheduled to be moved on reboot.
F:\Program Files\Trend Micro\Internet Security\debug folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Resource folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x48001000 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x48000800 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x41000000 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x40800000 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x40000020 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x40000010 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x20000400 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x20000040 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x20000020(2) folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x20000020 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x20000001 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x00100000(2) folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x00100000 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x00080000(2) folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x00080000 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x00000800 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x00000004(2) folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern\0x00000004 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Pattern folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Patch\225 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Patch\224 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Patch\223 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Patch folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function\220 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function\218 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function\217 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function\216 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function\215 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function\213 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function\211 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function\210 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function\209 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Function folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Framework folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x28100000 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x28088000 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x24800000 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x22000080\OEM\NonAUPtn folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x22000080\OEM folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x22000080 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x22000040 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x22000010 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x21080000 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x21000800 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x00000010 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine\0x00000004 folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Engine folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component\Enforce folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\Component folder moved successfully.
F:\Program Files\Trend Micro\Internet Security\aucache folder moved successfully.
Folder move failed. F:\Program Files\Trend Micro\Internet Security scheduled to be moved on reboot.
F:\Program Files\Trend Micro\BM\update folder moved successfully.
F:\Program Files\Trend Micro\BM\Profiles folder moved successfully.
F:\Program Files\Trend Micro\BM\Patterns folder moved successfully.
F:\Program Files\Trend Micro\BM\log folder moved successfully.
F:\Program Files\Trend Micro\BM\cache folder moved successfully.
F:\Program Files\Trend Micro\BM folder moved successfully.
Folder move failed. F:\Program Files\Trend Micro scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Paul Model
->Temp folder emptied: 196557 bytes
->Temporary Internet Files folder emptied: 45671173 bytes
->Java cache emptied: 128094 bytes
->Flash cache emptied: 6667 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 107090222 bytes

Total Files Cleaned = 146.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05122010_085351

Files moved on Reboot...
File F:\Program Files\Trend Micro\Internet Security\Service not found!
Folder move failed. F:\Program Files\Trend Micro\Internet Security\report scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\Log scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata\_filedir scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata\_filedir scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\Service scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\report scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\Log scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata\_filedir scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\Service scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\report scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\Log scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata\_filedir scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro\Internet Security scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro scheduled to be moved on reboot.
File C:\Documents and Settings\Paul Model\Local Settings\Temp\~DF26C5.tmp not found!
File C:\Documents and Settings\Paul Model\Local Settings\Temp\~DF26D2.tmp not found!
C:\Documents and Settings\Paul Model\Local Settings\Temporary Internet Files\Content.IE5\W5EVIKUM\iframe[1].htm moved successfully.
C:\Documents and Settings\Paul Model\Local Settings\Temporary Internet Files\Content.IE5\KX2P1Q9J\topic315310[1].htm moved successfully.
C:\Documents and Settings\Paul Model\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...
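The log above has two passes: the initial run, where locked Trend Micro folders are reported as "scheduled to be moved on reboot", and the "Files moved on Reboot..." pass, where several of the same folders fail again. The check a practitioner wants here is which paths survived both passes. The following parser is an added example, not part of the posted log or of OTM itself; the three line shapes it matches and the reboot marker are assumptions taken from the log text, and the sample lines are a short constructed excerpt copied from the log above.

```python
import re

# Line shapes seen in the posted OTM log (assumption: these three patterns
# plus the "Files moved on Reboot..." marker are all we need to classify).
RE_FAILED = re.compile(r"^Folder move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
RE_NOTFOUND = re.compile(r"^File (?P<path>.+?) not found!$")
RE_MOVED = re.compile(r"^(?P<path>.+?)(?: folder)? moved successfully\.$")
REBOOT_MARKER = "Files moved on Reboot..."

# Constructed sample: a few lines copied from the log above, enough to
# exercise every outcome in both the initial and the post-reboot pass.
SAMPLE_LOG = r"""
F:\Program Files\Trend Micro\Internet Security\debug folder moved successfully.
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata scheduled to be moved on reboot.
F:\Program Files\Trend Micro\BM folder moved successfully.
Folder move failed. F:\Program Files\Trend Micro scheduled to be moved on reboot.
========== COMMANDS ==========
[EMPTYTEMP]
Total Files Cleaned = 146.00 mb

OTM by OldTimer - Version 3.1.12.0 log created on 05122010_085351

Files moved on Reboot...
File F:\Program Files\Trend Micro\Internet Security\Service not found!
Folder move failed. F:\Program Files\Trend Micro\Internet Security\iaudata scheduled to be moved on reboot.
Folder move failed. F:\Program Files\Trend Micro scheduled to be moved on reboot.
C:\Documents and Settings\Paul Model\Local Settings\Temporary Internet Files\Content.IE5\W5EVIKUM\iframe[1].htm moved successfully.
"""


def parse_otm_log(text):
    """Map each path to its last reported status, separately for the
    initial run and the post-reboot pass.
    Statuses: 'moved', 'pending_reboot', 'not_found'."""
    passes = {"initial": {}, "reboot": {}}
    current = "initial"
    for raw in text.splitlines():
        line = raw.strip()
        if line == REBOOT_MARKER:
            current = "reboot"
            continue
        if m := RE_FAILED.match(line):
            passes[current][m.group("path")] = "pending_reboot"
        elif m := RE_NOTFOUND.match(line):
            passes[current][m.group("path")] = "not_found"
        elif m := RE_MOVED.match(line):
            passes[current][m.group("path")] = "moved"
    return passes


def still_locked(text):
    """Paths OTM could not move even after the reboot: anything listed here
    is still on disk and needs manual attention (or another reboot pass)."""
    reboot = parse_otm_log(text)["reboot"]
    return sorted(p for p, s in reboot.items() if s == "pending_reboot")


def summary(text):
    """Counts per status for each pass, handy for a quick sanity check."""
    out = {}
    for name, entries in parse_otm_log(text).items():
        counts = {}
        for status in entries.values():
            counts[status] = counts.get(status, 0) + 1
        out[name] = counts
    return out


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
    for path in still_locked(SAMPLE_LOG):
        print("still locked after reboot:", path)
```

Run against the full log, `still_locked` lists the `F:\Program Files\Trend Micro` tree that the reboot pass could not clear, which is the remnant the next replies in this thread are asking about.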




#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:23 AM

Posted 12 May 2010 - 08:20 AM

How about the contents of the quarantine folder inside the trend micro folder? Is it empty?

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 Mockup

Mockup
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:23 PM

Posted 12 May 2010 - 08:32 AM

The Quarantine folder is gone (I looked in Trendmicro\Internet Security, which is where the Kaspersky log said it was).

Regards,

Mockup



