virus or malware not sure which


This topic is locked
15 replies to this topic

#1 kanifala

  • Members
  • 16 posts

Posted 17 June 2010 - 07:12 AM

Yesterday I had the small red Windows security shield in the taskbar saying I was infected. When I clicked on it, it opened up a bogus antivirus program; I think it was called A V. I restarted and ran Verizon Internet Security, i.e. McAfee, and ran a scan. It found that C:\Windows\system32\winlogn.exe had a problem. A few spaces after the file name it showed "Spy-Agent.bw.gen!mem" "10". McAfee didn't give me the option of quarantining or cleaning the file. I switched back to Trend Micro PC-cillin, which came with my Dell XPS which I bought in 2008. It found a different infected file that I deleted. I did a system restore to last week and noticed afterwards I have IE 6, and my computer came with 7; very odd. I also can't access the Windows Update site; it keeps saying IE cannot display this page, but I can get to other sites fine. I also downloaded IObit Advanced SystemCare, which found a lot of problems with the registry. I repaired the problems but kept noticing weird things happening, like IE keeps locking up and encountering errors; I tried clicking on Search in the Start folder and nothing happened. I did a few more scans with IObit and it keeps finding problems with the registry and spyware. It seems that all these programs can't keep up with the hackers. I've tried posting this twice but each time it gives me "iexplorer cannot display this page". I'm thinking there might be a DNS problem. So I'm going to try posting this from my work computer. I really hope you guys can help.


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Evan at 20:05:26.20 on Wed 06/16/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1550 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Evan.D11MJQH1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081118
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = https://activatemydsl.verizon.net/SmartAcce...install_lang=en
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.1852\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SightSpeed] "c:\program files\dell video chat\DellVideoChat.exe" -bootmode
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Online Backup Auto Update] "c:\program files\verizon\online backup & sharing\auto update\OnlineBackup.UpdateSystemTray.exe"
mRun: [Vault Explorer Cache Watcher] c:\program files\verizon\online backup & sharing\vewatch.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276656810093
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276656270593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-6-15 335376]
S2 FilesystemWatcher;Filesystem Watcher;c:\program files\verizon\online backup & sharing\filesystem watcher\DigiData.FilesystemWatcher.Service.Watcher.exe [2010-2-2 24576]
S2 OnlineBackupSchedulerService;Online Backup Scheduler;c:\program files\verizon\online backup & sharing\scheduler\OnlineBackup.SchedulerService.exe [2010-2-10 20480]
S2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-6-15 668912]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-6-15 50192]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-6-15 36368]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-18 30192]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2010-6-15 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-6-15 648456]

=============== Created Last 30 ================

2010-06-16 23:07:52 0 ----a-w- c:\documents and settings\evan.d11mjqh1\defogger_reenable
2010-06-16 03:46:55 0 d-----w- c:\docume~1\evan~1.d11\applic~1\Verizon
2010-06-16 03:46:46 0 d-----w- c:\windows\bin
2010-06-16 03:46:00 0 d-----w- c:\docume~1\evan~1.d11\applic~1\DigiData
2010-06-16 03:45:29 0 d-----w- c:\program files\Verizon Online Backup
2010-06-16 03:22:47 0 d-----w- c:\program files\common files\Motive
2010-06-16 03:21:48 0 d-----w- c:\docume~1\evan~1.d11\applic~1\verizon_broad
2010-06-16 02:54:41 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-06-16 01:18:17 0 d-s---w- c:\documents and settings\evan.d11mjqh1\UserData
2010-06-16 01:08:58 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-06-16 01:08:58 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-06-16 01:08:58 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-16 01:08:58 0 d-----w- c:\windows\system32\log
2010-06-16 01:08:23 0 d-----w- c:\program files\Trend Micro
2010-06-16 01:07:59 656648 ----a-w- c:\windows\system32\UfWSC.cpl
2010-06-16 01:07:57 335376 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2010-06-16 01:07:57 1322680 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-06-16 01:07:56 66320 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-06-16 01:07:56 230928 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-06-16 01:07:55 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-06-16 01:04:39 0 d-----w- c:\program files\IObit
2010-06-16 00:57:59 0 d-----w- c:\docume~1\evan~1.d11\applic~1\IObit
2010-06-16 00:18:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 22:55:34 0 d-----w- c:\program files\Log
2010-06-15 22:33:22 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-15 22:32:53 0 d-----w- c:\windows\system32\FxsTmp
2010-06-15 22:11:40 8212 ----a-w- c:\windows\mfebcdata
2010-06-15 20:20:27 0 d-----w- c:\windows\system32\lowsec
2010-06-14 11:24:47 190 --s-a-w- c:\windows\system32\2976130723.dat
2010-06-14 11:03:31 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-06-10 10:41:59 0 d-----w- c:\program files\Internet Content Filter
2010-06-10 10:41:35 10401 ----a-w- c:\windows\system32\Config.MPF
2010-06-10 10:38:42 0 d-----w- c:\program files\McAfee(2).com
2010-06-10 10:38:36 0 d-----w- c:\program files\McAfee(2)
2010-06-09 02:36:04 0 d-----w- c:\windows\ie8updates
2010-06-09 02:35:31 0 dc----w- c:\windows\ie8
2010-06-09 02:21:59 0 d-----w- c:\windows\system32\GroupPolicy
2010-06-09 02:21:59 0 d-----w- c:\program files\Windows Desktop Search
2010-06-09 02:21:35 0 d-----w- c:\program files\Windows Media Connect 2
2010-06-09 01:45:50 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-06-09 01:45:50 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-06-09 01:45:50 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-06-09 01:45:50 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-06-08 23:35:56 0 d-----w- c:\program files\common files\McAfee
2010-06-08 22:27:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Radialpoint
2010-06-08 22:27:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Verizon
2010-06-08 22:26:20 0 d-----w- c:\docume~1\alluse~1\applic~1\DigiData
2010-06-06 17:08:21 0 d-----w- c:\program files\Verizon Broadband Firefox Toolbar
2010-06-06 17:08:18 0 d-----w- c:\program files\verizon_broad
2010-06-06 17:08:18 0 d-----w- c:\program files\Verizon
2010-06-06 17:07:22 0 d-----w- c:\program files\Kodak
2010-06-06 17:04:29 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-06-06 17:04:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

==================== Find3M ====================

2009-08-12 23:41:40 724 ----a-w- c:\program files\TisEzIns.ini

============= FINISH: 20:05:48.04 ===============


#2 pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 22 June 2010 - 07:30 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#3 kanifala
  • Topic Starter

  • Members
  • 16 posts

Posted 23 June 2010 - 07:01 AM

Here is my new DDS log and the new attachments. I can't post a reply from my home computer; it keeps telling me that Internet Exp. cannot display webpage, so I have to do this from my work computer. I saved the GMER log as gmer2 instead of ark.txt.



DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Evan at 17:05:27.42 on Tue 06/22/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1786 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Evan.D11MJQH1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2081118
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = https://activatemydsl.verizon.net/SmartAcce...install_lang=en
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.1852\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SightSpeed] "c:\program files\dell video chat\DellVideoChat.exe" -bootmode
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Online Backup Auto Update] "c:\program files\verizon\online backup & sharing\auto update\OnlineBackup.UpdateSystemTray.exe"
mRun: [Vault Explorer Cache Watcher] c:\program files\verizon\online backup & sharing\vewatch.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276656810093
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276656270593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-6-15 335376]
S2 FilesystemWatcher;Filesystem Watcher;c:\program files\verizon\online backup & sharing\filesystem watcher\DigiData.FilesystemWatcher.Service.Watcher.exe [2010-2-2 24576]
S2 OnlineBackupSchedulerService;Online Backup Scheduler;c:\program files\verizon\online backup & sharing\scheduler\OnlineBackup.SchedulerService.exe [2010-2-10 20480]
S2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-6-15 668912]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-6-15 50192]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-6-15 36368]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-18 30192]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2010-6-15 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-6-15 648456]

=============== Created Last 30 ================

2010-06-17 01:49:11 754 ----a-w- c:\windows\WORDPAD.INI
2010-06-16 23:07:52 0 ----a-w- c:\documents and settings\evan.d11mjqh1\defogger_reenable
2010-06-16 03:46:55 0 d-----w- c:\docume~1\evan~1.d11\applic~1\Verizon
2010-06-16 03:46:46 0 d-----w- c:\windows\bin
2010-06-16 03:46:00 0 d-----w- c:\docume~1\evan~1.d11\applic~1\DigiData
2010-06-16 03:45:29 0 d-----w- c:\program files\Verizon Online Backup
2010-06-16 03:22:47 0 d-----w- c:\program files\common files\Motive
2010-06-16 03:21:48 0 d-----w- c:\docume~1\evan~1.d11\applic~1\verizon_broad
2010-06-16 02:54:41 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-06-16 01:18:17 0 d-s---w- c:\documents and settings\evan.d11mjqh1\UserData
2010-06-16 01:08:58 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-06-16 01:08:58 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-06-16 01:08:58 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-16 01:08:58 0 d-----w- c:\windows\system32\log
2010-06-16 01:08:23 0 d-----w- c:\program files\Trend Micro
2010-06-16 01:07:59 656648 ----a-w- c:\windows\system32\UfWSC.cpl
2010-06-16 01:07:57 335376 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2010-06-16 01:07:57 1322680 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-06-16 01:07:56 66320 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-06-16 01:07:56 230928 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-06-16 01:07:55 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-06-16 01:04:39 0 d-----w- c:\program files\IObit
2010-06-16 00:57:59 0 d-----w- c:\docume~1\evan~1.d11\applic~1\IObit
2010-06-16 00:18:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 22:55:34 0 d-----w- c:\program files\Log
2010-06-15 22:33:22 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-15 22:32:53 0 d-----w- c:\windows\system32\FxsTmp
2010-06-15 22:11:40 8212 ----a-w- c:\windows\mfebcdata
2010-06-15 20:20:27 0 d-----w- c:\windows\system32\lowsec
2010-06-14 11:24:47 190 --s-a-w- c:\windows\system32\2976130723.dat
2010-06-14 11:03:31 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-06-10 10:41:59 0 d-----w- c:\program files\Internet Content Filter
2010-06-10 10:41:35 10401 ----a-w- c:\windows\system32\Config.MPF
2010-06-10 10:38:42 0 d-----w- c:\program files\McAfee(2).com
2010-06-10 10:38:36 0 d-----w- c:\program files\McAfee(2)
2010-06-09 02:36:04 0 d-----w- c:\windows\ie8updates
2010-06-09 02:35:31 0 dc----w- c:\windows\ie8
2010-06-09 02:21:59 0 d-----w- c:\windows\system32\GroupPolicy
2010-06-09 02:21:59 0 d-----w- c:\program files\Windows Desktop Search
2010-06-09 02:21:35 0 d-----w- c:\program files\Windows Media Connect 2
2010-06-09 01:45:50 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-06-09 01:45:50 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-06-09 01:45:50 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-06-09 01:45:50 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-06-08 23:35:56 0 d-----w- c:\program files\common files\McAfee
2010-06-08 22:27:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Radialpoint
2010-06-08 22:27:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Verizon
2010-06-08 22:26:20 0 d-----w- c:\docume~1\alluse~1\applic~1\DigiData
2010-06-06 17:08:21 0 d-----w- c:\program files\Verizon Broadband Firefox Toolbar
2010-06-06 17:08:18 0 d-----w- c:\program files\verizon_broad
2010-06-06 17:08:18 0 d-----w- c:\program files\Verizon
2010-06-06 17:07:22 0 d-----w- c:\program files\Kodak
2010-06-06 17:04:29 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-06-06 17:04:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

==================== Find3M ====================

2009-08-12 23:41:40 724 ----a-w- c:\program files\TisEzIns.ini

============= FINISH: 17:05:50.32 ===============


Edited by kanifala, 23 June 2010 - 07:41 AM.


#4 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 23 June 2010 - 08:52 AM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic is not replied to, we assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Did you purposely install Go To Assist??

==========

If you can't access the internet on the sick computer you can use a flash drive to transfer these apps to the sick computer from a clean computer.

You must first immunize your flash drive so you do not infect the clean computer.

Please download Flash_Disinfector.exe by sUBs and save it to the desktop of your clean computer.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Your flash drive is now protected!!

=========

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

QUOTE
To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.


=========

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
  • It shall produce a log located at C:\RKill. Please copy and paste it into your next reply.

==========

1. Download the file TDSSKiller.zip and extract it to your desktop.
2. Click start->run->copy-paste "%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v into the textbox and press enter.
3. report.txt should be generated into same location with TDSSKiller.exe. Post contents of that report, please.

==========


  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.


    Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All

  4. Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    ftdisk.sys
    nvgts.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT

  5. Push
  6. A report will open. Copy and Paste that report in your next reply.
  7. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

Re-run Gmer and post a log

==========

With your next post please provide:

* Did you install Go To Assist?
* TDSSKiller log
* OTL.txt
* Extra.txt
* Gmer log
* What problems persist?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 kanifala

kanifala
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 24 June 2010 - 07:49 AM

Hi, I didn't install Go To Assist. I think it came with the computer, though I'm not sure. After running the Defogger program, was I supposed to re-enable the CD driver? I wasn't sure because you had the instructions on how to re-enable them. After running the OTL program it didn't give me an OTLlistit.txt, it just gave me OTL.txt. Also, after running these programs I could not get Gmer to finish a complete scan. It would go for a while and then slow down a lot, and if I tried doing anything else on the computer it would completely lock up. I tried this at least 4 times. It did get some info that I wrote down. I'll paste that info below this. Hopefully you can use that. Again, I have to reply to you from my work computer because I can't post from home without an error; even though I can get onto the internet, I get blocked from certain sites like Microsoft Updates and when I try to post on your site. Thanks for all your help.


Gmer info
TYPE NAME VALUE

SSDT 8872DC80 ZwCreateProcess
SSDT 8872D180 ZwCreateProcessEx
SSDT 8872D440 ZwOpenProcess
SSDT 8872EAE0 ZwTerminateProcess
SSDT 8872E200 ZwCreateKey
SSDT 8872E4C0 ZwSetValueKey
SSDT 8872EC80 ZwDeleteKey
SSDT 8872D700 ZwDeleteValueKey
SSDT 8872DF40 ZwWriteVirtualMemory
SSDT 8872D9C0 ZwCreateThread
SSDT 8872E940 ZwLoadDriver

.text ntkrnlpa.exe!ZwCallbackReturn+2C98 80504524 4BytesJMP 66228872
.text ntkrnlpa.exe!ZwCallbackReturn+3018 805048A4 4BytesJMP CB28D11B
.text C:\Windows\system32\Drivers\atimtag.sys section is writeable [0xB942D000, 0x1A008E, 0xE8000020]

AttachedD \Driver\Tcpip\Device\Ip tmtdi.sys[TrendMicroTDI Driver(i386-fre)/TrendMicro Inc.]
AttachedD \Driver\Tcpip\Device\Tcp tmtdi.sys[TrendMicroTDI Driver(i386-fre)/TrendMicro Inc.]
AttachedD \Driver\Tcpip\Device\Udp tmtdi.sys[TrendMicroTDI Driver(i386-fre)/TrendMicro Inc.]
AttachedD \Driver\Tcpip\Device\Rawlp tmtdi.sys[TrendMicroTDI Driver(i386-fre)/TrendMicro Inc.]

Device \FileSystem\Fastfat\fat 9C128D20
AttachedD \FileSystem\Fastfat\fat fltMgr.sys[MicrosoftFilesystemFilterManager/Microsoft Corp


#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:53 PM

Posted 24 June 2010 - 08:27 AM

Hi,

Please copy and paste all logs! Do not attach unless I specifically request you to do so.

==========

QUOTE
After running the Defogger program was I supposed to reenable the cd driver?

Not until we're finished.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t

#7 kanifala

kanifala
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 24 June 2010 - 08:32 AM

Okay, I will have to wait until I get home later today to do this. Do you want me to paste the combofix.txt in the message area or do you want it as an attachment? Also, is it possible to do all of this in safe mode?

#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:53 PM

Posted 24 June 2010 - 09:16 AM

Hi there,

Just as a reminder...

Please take your time and read my instructions very carefully. If you run into troubles or have a question please STOP and tell me about it.

==========

QUOTE
Okay I will have to wait until I get home later today to do this.

Ok

==========

QUOTE
Do you want me to paste the combofix.txt in the message area

Yes. Do this with all the logs. Do not attach the log unless I specifically request you to do so.

==========

QUOTE
Also is it possible to do all of this in safe mode?

Try it in normal mode 1st. Read the directions very carefully. If you cannot do it in normal mode then try it like this...

Reboot into Safe Mode with Networking.
  • This can be done by tapping the F8 key as soon as you start your computer.
  • You will be brought to a menu where you can choose to boot into safe mode.
  • Make sure you choose the option with networking support.
  • Please see here for additional details.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

==========
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

If that fails then tell me about it and I will guide you.

==========

Kind regards,
~ t

#9 kanifala

kanifala
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 25 June 2010 - 05:43 AM

Okay, here is the ComboFix log.


ComboFix 10-06-23.05 - Evan 06/24/2010 18:22:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1326 [GMT -4:00]
Running from: c:\documents and settings\Evan.D11MJQH1\Desktop\thcbytes.exe
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\2976130723.dat
c:\windows\system32\lowsec

.
((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.

2010-06-24 01:54 . 2010-04-20 05:30 285696 -c----w- c:\windows\system32\dllcache\atmfd.dll
2010-06-24 01:53 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-24 01:53 . 2009-12-08 09:23 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2010-06-24 01:53 . 2009-08-26 08:00 247326 -c----w- c:\windows\system32\dllcache\strmdll.dll
2010-06-24 01:53 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-06-24 01:53 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-06-24 01:53 . 2009-11-27 16:07 28672 -c----w- c:\windows\system32\dllcache\msvidc32.dll
2010-06-24 01:53 . 2009-11-27 16:07 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2010-06-24 01:53 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-06-24 01:53 . 2009-11-27 16:07 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-06-24 01:53 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2010-06-16 03:46 . 2010-06-16 03:46 -------- d-----w- c:\documents and settings\Evan.D11MJQH1\Application Data\Verizon
2010-06-16 03:46 . 2010-06-16 03:46 -------- d-----w- c:\windows\bin
2010-06-16 03:46 . 2010-06-16 03:46 -------- d-----w- c:\documents and settings\Evan.D11MJQH1\Application Data\DigiData
2010-06-16 03:45 . 2010-06-16 03:45 -------- d-----w- c:\program files\Verizon Online Backup
2010-06-16 03:22 . 2010-06-16 03:22 -------- d-----w- c:\program files\Common Files\Motive
2010-06-16 03:21 . 2010-06-16 03:50 -------- d-----w- c:\documents and settings\Evan.D11MJQH1\Application Data\verizon_broad
2010-06-16 02:54 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-06-16 01:18 . 2010-06-16 01:18 -------- d-s---w- c:\documents and settings\Evan.D11MJQH1\UserData
2010-06-16 01:08 . 2010-06-16 01:08 -------- d-----w- c:\windows\system32\log
2010-06-16 01:08 . 2010-06-16 01:07 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-06-16 01:08 . 2010-06-16 01:07 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-06-16 01:08 . 2010-06-16 01:07 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-16 01:08 . 2010-06-16 01:08 -------- d-----w- c:\program files\Trend Micro
2010-06-16 01:07 . 2010-06-16 01:07 335376 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2010-06-16 01:07 . 2009-12-04 20:05 1322680 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-06-16 01:07 . 2010-06-16 01:07 66320 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-06-16 01:07 . 2009-12-04 20:39 230928 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-06-16 01:07 . 2009-12-04 20:38 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-06-16 01:04 . 2010-06-16 01:04 -------- d-----w- c:\program files\IObit
2010-06-16 00:57 . 2010-06-16 01:04 -------- d-----w- c:\documents and settings\Evan.D11MJQH1\Application Data\IObit
2010-06-16 00:54 . 2010-06-16 00:54 -------- d-----w- c:\documents and settings\Evan.D11MJQH1\Application Data\Roxio
2010-06-16 00:18 . 2010-06-22 22:11 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-16 00:12 . 2010-06-16 00:12 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-15 22:55 . 2010-06-15 22:55 -------- d-----w- c:\program files\Log
2010-06-15 22:45 . 2010-06-16 03:50 -------- d-----w- c:\documents and settings\Evan.D11MJQH1\Local Settings\Application Data\SupportSoft
2010-06-15 22:44 . 2010-06-15 22:44 -------- d-----w- c:\documents and settings\Evan.D11MJQH1\Application Data\CyberLink
2010-06-15 22:33 . 2010-06-15 22:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-15 22:32 . 2010-06-15 22:32 -------- d-----w- c:\windows\system32\FxsTmp
2010-06-14 22:29 . 2010-06-14 22:29 -------- d-----w- c:\documents and settings\Katie.D11MJQH1\Application Data\Motive
2010-06-14 22:25 . 2010-06-14 22:25 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2010-06-14 22:11 . 2010-06-14 22:11 -------- d-----w- c:\documents and settings\Katie.D11MJQH1\Local Settings\Application Data\SupportSoft
2010-06-13 01:04 . 2010-06-15 22:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-10 20:39 . 2010-06-10 20:39 -------- d-----w- c:\documents and settings\Katie.D11MJQH1\IECompatCache
2010-06-10 19:59 . 2010-06-10 19:59 -------- d-----w- c:\documents and settings\Katie.D11MJQH1\PrivacIE
2010-06-10 19:59 . 2010-06-10 19:59 -------- d-----w- c:\documents and settings\Katie.D11MJQH1\Local Settings\Application Data\Identities
2010-06-10 19:58 . 2010-06-10 19:58 -------- d-----w- c:\documents and settings\Katie.D11MJQH1\Application Data\Verizon
2010-06-10 19:57 . 2010-06-15 22:30 -------- d-----w- c:\documents and settings\Katie.D11MJQH1\Application Data\VERIZON_BROAD
2010-06-10 19:57 . 2010-06-10 19:57 -------- d-----w- c:\documents and settings\Katie.D11MJQH1\IETldCache
2010-06-10 11:08 . 2010-06-10 11:08 -------- d-----w- c:\documents and settings\Evan\IECompatCache
2010-06-10 10:41 . 2010-06-15 22:30 -------- d-----w- c:\program files\Internet Content Filter
2010-06-10 10:38 . 2010-06-15 22:30 -------- d-----w- c:\program files\McAfee(2).com
2010-06-10 10:38 . 2010-06-15 22:30 -------- d-----w- c:\program files\McAfee(2)
2010-06-09 02:47 . 2010-06-09 02:47 -------- d-----w- c:\documents and settings\Evan\PrivacIE
2010-06-09 02:45 . 2010-06-09 02:45 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2010-06-09 02:43 . 2010-06-09 02:43 -------- d-----w- c:\documents and settings\Evan\IETldCache
2010-06-09 02:36 . 2010-06-11 21:11 -------- d-----w- c:\windows\ie8updates
2010-06-09 02:35 . 2010-06-15 22:31 -------- dc----w- c:\windows\ie8
2010-06-09 02:22 . 2010-06-09 02:22 -------- d-----w- c:\documents and settings\Evan\Local Settings\Application Data\Identities
2010-06-09 02:21 . 2010-06-15 22:32 -------- d-----w- c:\program files\Windows Desktop Search
2010-06-09 02:21 . 2010-06-09 02:21 -------- d-----w- c:\windows\system32\GroupPolicy
2010-06-09 02:21 . 2010-06-15 22:32 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-09 02:21 . 2010-06-15 22:32 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-06-09 01:44 . 2010-06-15 22:32 -------- d-----w- c:\documents and settings\Evan\UserData
2010-06-09 00:38 . 2010-06-09 00:38 -------- d-----w- c:\documents and settings\Evan\Local Settings\Application Data\Citrix
2010-06-08 23:35 . 2010-06-15 22:32 -------- d-----w- c:\program files\Common Files\McAfee
2010-06-08 22:27 . 2010-06-08 22:27 -------- d-----w- c:\documents and settings\Evan\Application Data\Verizon
2010-06-08 22:27 . 2010-06-16 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
2010-06-08 22:27 . 2010-06-08 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
2010-06-08 22:26 . 2010-06-08 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\DigiData
2010-06-08 22:05 . 2010-06-08 22:05 -------- d-----w- c:\documents and settings\Evan\Application Data\Motive
2010-06-08 22:02 . 2010-06-08 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-06-08 22:01 . 2010-06-15 22:32 -------- d-----w- c:\documents and settings\Evan\Application Data\VERIZON_BROAD
2010-06-07 11:34 . 2010-06-10 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-06 18:56 . 2010-06-06 18:56 -------- d-----w- c:\documents and settings\Evan\Application Data\Roxio
2010-06-06 17:32 . 2010-06-15 22:32 -------- d-----w- c:\documents and settings\Evan\Local Settings\Application Data\SupportSoft
2010-06-06 17:20 . 2010-06-06 17:20 137 ----a-w- c:\documents and settings\Katie.D11MJQH1\Local Settings\Application Data\fusioncache.dat
2010-06-06 17:20 . 2008-11-18 19:42 33416 ----a-w- c:\documents and settings\Katie.D11MJQH1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-06 17:08 . 2010-06-15 22:33 -------- d-----w- c:\program files\Verizon Broadband Firefox Toolbar
2010-06-06 17:08 . 2010-06-16 03:50 -------- d-----w- c:\program files\Verizon
2010-06-06 17:08 . 2010-06-16 03:21 -------- d-----w- c:\program files\verizon_broad
2010-06-06 17:07 . 2010-06-15 22:33 -------- d-----w- c:\program files\Kodak
2010-06-06 17:04 . 2008-04-14 05:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-06-06 17:03 . 2010-06-15 22:33 -------- d-----w- c:\documents and settings\em-Katie\My Pictures
2010-06-06 17:03 . 2010-06-15 22:33 -------- d-----w- c:\documents and settings\em-Katie\My Print Creations
2010-06-06 17:03 . 2010-06-15 22:33 -------- d-----w- c:\documents and settings\em-Katie\PCStitch Pro Patterns
2010-06-06 17:03 . 2010-06-15 22:33 -------- d-----w- c:\documents and settings\em-Katie
2010-06-06 17:03 . 2010-06-15 22:33 -------- d-----w- c:\documents and settings\em-evan\My Digital Editions
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\em-evan\WDC
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\em-evan\My Kindle Content
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\em-evan\My Google Gadgets
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\em-evan\03-02-2010
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\em-evan\my songs
2010-06-06 17:02 . 2010-06-15 22:33 -------- d-----w- c:\documents and settings\em-evan\My Videos
2010-06-06 17:02 . 2010-06-15 22:33 -------- d-----w- c:\documents and settings\em-evan\My Pictures
2010-06-06 17:02 . 2010-06-15 22:33 -------- d-----w- c:\documents and settings\em-evan\My Music
2010-06-06 17:02 . 2010-06-15 22:33 -------- d-----w- c:\documents and settings\em-evan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 23:21 . 2001-08-17 13:52 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-06-16 03:18 . 2010-06-24 11:14 220134 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-16 01:08 . 2008-11-18 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-06-15 22:43 . 2010-06-15 22:42 136 ----a-w- c:\documents and settings\Evan.D11MJQH1\Local Settings\Application Data\fusioncache.dat
2010-06-15 22:30 . 2008-11-18 19:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-15 22:29 . 2008-11-18 19:35 -------- d-----w- c:\program files\Microsoft Works
2010-06-11 11:39 . 2008-11-18 19:30 -------- d-----w- c:\program files\Google
2010-06-10 10:41 . 2008-11-18 19:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-06 17:36 . 2010-06-06 17:35 127 ----a-w- c:\documents and settings\Evan\Local Settings\Application Data\fusioncache.dat
2010-04-20 05:30 . 2008-04-25 16:16 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-08-12 23:41 . 2009-08-12 23:41 724 ----a-w- c:\program files\TisEzIns.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-18 39408]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-08-15 4812664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-15 16855552]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-19 203296]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-24 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2008-10-03 1742064]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-06-16 1398024]
"Online Backup Auto Update"="c:\program files\Verizon\Online Backup & Sharing\Auto Update\OnlineBackup.UpdateSystemTray.exe" [2010-02-10 233472]
"Vault Explorer Cache Watcher"="c:\program files\Verizon\Online Backup & Sharing\vewatch.exe" [2010-02-10 28672]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-18 19:36 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=

R2 FilesystemWatcher;Filesystem Watcher;c:\program files\Verizon\Online Backup & Sharing\Filesystem Watcher\DigiData.FilesystemWatcher.Service.Watcher.exe [2/2/2010 8:02 PM 24576]
R2 OnlineBackupSchedulerService;Online Backup Scheduler;c:\program files\Verizon\Online Backup & Sharing\Scheduler\OnlineBackup.SchedulerService.exe [2/10/2010 7:11 PM 20480]
R2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [6/15/2010 11:46 PM 668912]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [6/15/2010 9:08 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [6/15/2010 9:07 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [6/15/2010 9:07 PM 335376]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [6/15/2010 9:09 PM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [6/15/2010 9:09 PM 648456]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/18/2008 3:33 PM 30192]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = https://activatemydsl.verizon.net/SmartAcce...install_lang=en
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-24 18:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2392)
c:\program files\Verizon\Online Backup & Sharing\DigiData.Vault.VaultExplorer.dll
c:\program files\Verizon\Online Backup & Sharing\LogicNP.EZNamespaceExtensions.dll
c:\windows\assembly\GAC_MSIL\DigiData.Vault.Adapter\1.0.8.0__9020972b7d9d3317\DigiData.Vault.Adapter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-06-24 18:27:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-24 22:27

Pre-Run: 472,534,147,072 bytes free
Post-Run: 472,972,132,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 03A838FF5AB7BDC1CA11A014F5062BE6

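As an added example (not code from this thread, from ComboFix or from its author sUBs), a Python parser for the log layout posted above: it reads the Other Deletions, Files Created and Run-key sections into records so they can be filtered by folder or by how a startup command is written. The sample excerpt is constructed from lines of that log.

```python
# Added example: a parser for the ComboFix log layout posted above (not ComboFix's own code).
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Section banner, e.g.  ((((((( Other Deletions )))))))
SECTION = re.compile(r"^\(+ (.+?) \)+$")
# Files Created line: "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
# REGEDIT4-style lines under Reg Loading Points: [key] then "Name"="command" [date size]
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"(?: \[.*\])?$')
STAMP = "%Y-%m-%d %H:%M"

@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories, shown as "--------" in the log
    attrs: str            # e.g. "-c----w-" (file) or "d-----w-" (directory)
    path: str

@dataclass
class RunEntry:
    key: str
    name: str
    command: str

@dataclass
class Report:
    deletions: List[str]
    files_created: List[FileEntry]
    run_entries: List[RunEntry]

def parse_combofix(text: str) -> Report:
    report = Report([], [], [])
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        m = SECTION.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section == "Other Deletions":
            report.deletions.append(line)
        elif section and section.startswith("Files Created"):
            m = FILE_LINE.match(line)
            if m:
                created, modified, size, attrs, path = m.groups()
                report.files_created.append(FileEntry(
                    datetime.strptime(created, STAMP), datetime.strptime(modified, STAMP),
                    None if size.startswith("-") else int(size), attrs, path))
        elif section == "Reg Loading Points":
            m = REG_KEY.match(line)
            if m:
                current_key = m.group(1)
                continue
            m = REG_VALUE.match(line)
            # Only ...\CurrentVersion\Run keys; firewall policy and service lines are skipped.
            if m and current_key and current_key.lower().endswith("\\run"):
                report.run_entries.append(RunEntry(current_key, m.group(1), m.group(2)))
    return report

def created_under(report: Report, folder: str) -> List[FileEntry]:
    """Files (not directories) created anywhere below `folder`."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [f for f in report.files_created
            if not f.attrs.startswith("d") and f.path.lower().startswith(prefix)]

def run_entries_without_full_path(report: Report) -> List[RunEntry]:
    """Run values naming a bare file (resolved via the search path at logon), like
    "RTHDCPL"="RTHDCPL.EXE" above: not evidence of malware, but confirm which copy runs."""
    return [r for r in report.run_entries if "\\" not in r.command]

# Constructed excerpt, assembled from lines of the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\2976130723.dat
c:\windows\system32\lowsec
((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
2010-06-24 01:54 . 2010-04-20 05:30 285696 -c----w- c:\windows\system32\dllcache\atmfd.dll
2010-06-16 03:46 . 2010-06-16 03:46 -------- d-----w- c:\windows\bin
2010-06-16 02:54 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-06-16 01:07 . 2010-06-16 01:07 66320 ----a-w- c:\windows\system32\drivers\tmtdi.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-15 16855552]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-06-16 1398024]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
```

Running `parse_combofix` over a full log and then `created_under(report, r"c:\windows\system32")` gives the recently created system32 files in one list, which is the part of the log a helper usually reads first.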

#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:53 PM

Posted 25 June 2010 - 06:26 AM

Well done

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

==========

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

=========

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

===========

With your next post please provide:

* MBAM log
* ESET log
* What problems persist?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#11 kanifala

kanifala
  • Topic Starter

  • Members
  • 16 posts

Posted 25 June 2010 - 03:57 PM

I'm downloading jdk-6u20-win but I didn't see anything about required files for offline installation. I just clicked the download button and started saving it to my desktop. Is this a problem? Also, Trend Micro keeps displaying that tdsskiller.exe is a problem. Can I delete all the programs you had me run (ComboFix, GMER...) or should I hold on to them?

Edited by kanifala, 25 June 2010 - 04:13 PM.


#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 25 June 2010 - 05:49 PM

Hi,

QUOTE
I'm downloading jdk-6u20-win but I didn't see anything about required files for offline installation. I just clicked the download button and started saving it to my desktop. Is this a problem?

Look closer. I think you might be downloading the wrong version.

==========

QUOTE
Also, Trend Micro keeps displaying that tdsskiller.exe is a problem. Can I delete all the programs you had me run (ComboFix, GMER...) or should I hold on to them?

Do not delete them yet. I will guide you on how to uninstall our tools. It must be done in a certain way and a certain order.

Thanks for checking first.
~ t


#13 kanifala

kanifala
  • Topic Starter

  • Members
  • 16 posts

Posted 25 June 2010 - 06:13 PM

Here is the Malwarebytes log. The ESET program didn't find any threats and didn't create a log. I did check the Java version and it was the JDK 6 Update 20 version. Actually, I just realized I downloaded from the JDK button and not the JRE button. I hope that's not bad.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4241

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/25/2010 6:13:58 PM
mbam-log-2010-06-25 (18-13-58).txt

Scan type: Quick scan
Objects scanned: 145360
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by kanifala, 25 June 2010 - 06:52 PM.


#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 25 June 2010 - 06:57 PM

Hello,

Congratulations! You now appear clean!

**********

You want JRE.

**********

Please pay particularly close attention to the instructions that follow. Neglecting these steps risks needless reinfection!!

**********

Are things running okay? Do you have any more questions?

**********

Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.

**********
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    :Commands
    [CLEARALLRESTOREPOINTS]
    [resethosts]
    [emptytemp]
    [Reboot]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .


**********

Run OTL again

We will now remove the tools we used during this fix using OTL.
  • Double click the OTL icon to start the program.
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

**********

You may now right click and delete any logs or tools we used in the cleanup effort.

**********

Recommendations


Below are some recommendations to lower your chances of (re)infection.

  1. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.

    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.

  2. Prevention article : To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

  3. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.


    Windows XP

    Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  4. Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. Download Secunia Software Inspector to keep all your software up to date.

  5. Consider Firefox as your primary browser. It's safer, fast and secure!

  6. Install WOT. Never inadvertently surf to a dangerous website again.

  7. Consider running your browser Sandboxed with Sandboxie. You decide what actually gets into your OS!!

  8. Install NoScript. Pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.

  9. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

**********

Good luck & safe surfing,
Kind Regards,
~ t


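An added example, not part of the thread and not OTL's own code: the [resethosts] line in the OTL script above restores the hosts file, and the check below shows what a defender would look for in that file before and after such a reset. It is plain Python over a constructed sample (the hijacked entries and the 192.0.2.10 address are made up; that address is from the documentation range). Entries that point update or security sites at the loopback address are reported as "sinkholed", entries that point a name at any other address as "redirected", and `clean_hosts` returns the file with only comments and the localhost entry kept, which is the state a reset leaves behind.

```python
"""Audit a Windows hosts file for hijacked entries and produce a cleaned copy.

Added example for this thread; the sample hosts file is constructed.
"""
import ipaddress

# Constructed sample: a hosts file after a hijack, not taken from the thread.
SAMPLE_HOSTS = """\
# Constructed sample of a hijacked hosts file (not taken from the thread)
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com   # update site sinkholed to loopback
192.0.2.10      www.bleepingcomputer.com
"""

# Names a stock Windows hosts file may legitimately map to loopback.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, ip_address, [names]) for every real entry, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not code:
            continue
        parts = code.split()
        if len(parts) < 2:
            continue                               # address with no name: malformed
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # not an address: ignore the line
        entries.append((lineno, addr, [n.lower() for n in parts[1:]]))
    return entries


def audit_hosts(text):
    """Return a finding per entry that maps a non-localhost name anywhere."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        suspect = [n for n in names if n not in BENIGN_NAMES]
        if not suspect:
            continue
        # Loopback/unspecified targets block the site; anything else diverts it.
        kind = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": lineno, "address": str(addr), "names": suspect, "kind": kind})
    return findings


def clean_hosts(text):
    """Return the file with comments and benign entries only (what a reset leaves)."""
    kept = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if not code:
            kept.append(raw)                       # comment or blank line
            continue
        parts = code.split()
        if len(parts) >= 2 and all(n.lower() in BENIGN_NAMES for n in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['kind']} {', '.join(f['names'])} -> {f['address']}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live machine the file lives at %SystemRoot%\System32\drivers\etc\hosts; the audit is read-only, and writing the cleaned copy back is a separate, deliberate step.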

#15 kanifala

kanifala
  • Topic Starter

  • Members
  • 16 posts

Posted 25 June 2010 - 08:26 PM

Ok, I did everything and all seems to be working A-OK! Thank you so much for your help. You guys deserve a lot of credit for helping people at the expense of your own time. I will definitely recommend you to anybody I know who has trouble with malware. It's greatly appreciated.

kanifala