Infected with Alureon and Java Exploit

This topic is locked
15 replies to this topic

#1 CarmelOak
  • Members
  • 16 posts

Posted 10 August 2010 - 11:25 PM

I couldn't post a DDS log here before, so I got help in this thread. With that problem fixed I can now post the logs. Here is the original problem, DDS Log, and Attach and Ark attachments. Since I created those logs I've had to run Malwarebytes' Anti-Malware, ATF, and SAS to fix the previous problem, so these old logs may not still be accurate. If I need to re-run them let me know.

I'm running Windows XP and using Trend Micro Internet Security for the firewall and real-time antivirus. I used to manually update Windows a couple of times a week, but a few months ago I switched to automatic updates. A couple of days ago I tried to manually update Windows and got an error message at the Windows website. I tried all their fixes but nothing worked. I ran the Windows Malicious Software Removal tool and it identified 2 problems, Alureon and some Java exploit. MSR was only able to partially remove them, and they're still there. Trend Micro's online tools didn't touch them either.

All the preparation steps went smoothly except the Gmer. The first time I ran it, after about 3 minutes I got an "encountered a problem and needs to close" message. It closed Gmer and I simply re-opened it and started the scan again. After running for about 4 hours the scan completed and I was able to save the log. However, once the log was saved my computer completely froze and I couldn't close, open, or Ctrl-Alt-Del anything. I had to shut down using the power button. Once I restarted it was fine.


DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 7:30:11.59 on Sat 08/07/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1288 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\Logitech Vid\LU\LULnchr.exe
C:\Program Files\Logitech\Logitech Vid\LU\LogitechUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wunderground.com/US/TX/Denton.html
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" -"http://www.scholastic.com/clifford/play/specklegame/index.htm"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: []
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Lexmark 3100 Series] "c:\program files\lexmark 3100 series\lxbrbmgr.exe"
mRun: [LXBRKsk] c:\progra~1\lexmar~1\LXBRKsk.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DXM6Patch_981116] c:\windows\p_981116.exe /Q:A
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autode~1.lnk - c:\program files\iconcepts music express\MEAutoDetect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: trymedia.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162619903734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166276735125
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-5-11 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-5-11 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-5-11 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-5-11 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-5-11 335376]

=============== Created Last 30 ================

2010-08-07 05:20:59 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable
2010-08-05 12:19:24 37248 ----a-w- c:\windows\system32\drivers\npcmknwg.sys
2010-08-04 22:35:35 37248 ----a-w- c:\windows\system32\drivers\gcqhhziv.sys
2010-08-03 10:37:35 37248 ----a-w- c:\windows\system32\drivers\nndpblad.sys
2010-08-03 03:37:50 37248 ----a-w- c:\windows\system32\drivers\whcbyqev.sys
2010-08-03 00:54:35 0 d-----w- c:\windows\system32\MpEngineStore
2010-07-31 00:08:29 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Intelli-studio
2010-07-31 00:08:27 0 d-----w- c:\program files\Samsung

==================== Find3M ====================

2010-08-07 03:45:25 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-20 11:53:20 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-20 11:53:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-07-18 19:48:22 11264 ----a-w- c:\windows\DCEBoot.exe
2006-11-04 02:46:32 22 --sha-w- c:\windows\sminst\HPCD.sys
2008-06-01 02:00:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008053120080601\index.dat

============= FINISH: 7:31:37.20 ===============

Thanks for taking a look at this.

Edited by CarmelOak, 10 August 2010 - 11:32 PM.
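The four drivers in the "Created Last 30" block of the DDS log above (random eight-letter names, identical 37248-byte size, all created within three days under system32\drivers) are the pattern a responder looks for first when Alureon is suspected. As an added example that is not part of this thread or of DDS itself, the Python below parses DDS-style lines and flags clusters of randomly named .sys files that share a size. The sample text is the block from the post above plus one constructed line for mbam.sys (taken from the ComboFix log later in the thread and rewritten in DDS layout); the function names and the vowel-ratio heuristic are this example's own assumptions, not anything the tool provides.

```python
import re
from collections import defaultdict

# Sample input: the "Created Last 30" lines from the DDS log posted above,
# plus one constructed line (mbam.sys, legitimate) so the filter has something to pass.
SAMPLE_LOG = r"""
2010-08-07 05:20:59 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable
2010-08-05 12:19:24 37248 ----a-w- c:\windows\system32\drivers\npcmknwg.sys
2010-08-04 22:35:35 37248 ----a-w- c:\windows\system32\drivers\gcqhhziv.sys
2010-08-03 10:37:35 37248 ----a-w- c:\windows\system32\drivers\nndpblad.sys
2010-08-03 03:37:50 37248 ----a-w- c:\windows\system32\drivers\whcbyqev.sys
2010-08-03 00:54:35 0 d-----w- c:\windows\system32\MpEngineStore
2010-07-31 00:08:29 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Intelli-studio
2010-07-31 00:08:27 0 d-----w- c:\program files\Samsung
2010-08-08 03:05:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# date  time  size  attribute-flags  path   (path may contain spaces)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+?)\s*$"
)

VOWELS = set("aeiouy")


def parse_dds_line(line):
    """Split one DDS 'Created Last 30' / 'Find3M' line into fields; None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    date, time, size, attrs, path = m.groups()
    return {
        "date": date,
        "time": time,
        "size": int(size),
        "attrs": attrs,
        "path": path,
        "is_dir": attrs.startswith("d"),
    }


def looks_random(stem):
    """Heuristic (this example's assumption): 6-10 lowercase letters with under 30% vowels.

    Real driver stems such as 'isapnp' or 'mbam' are short or vowel-rich enough to pass;
    generated stems such as 'npcmknwg' are not.
    """
    if not (6 <= len(stem) <= 10 and stem.isalpha() and stem.islower()):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return vowel_ratio < 0.3


def find_suspicious_driver_clusters(log_text, min_cluster=2):
    """Return {size: [driver names]} for randomly named .sys files that share a byte size."""
    by_size = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_dds_line(line)
        if entry is None or entry["is_dir"]:
            continue
        path = entry["path"].lower()
        if "\\drivers\\" not in path or not path.endswith(".sys"):
            continue
        name = path.rsplit("\\", 1)[-1]
        if looks_random(name[:-4]):
            by_size[entry["size"]].append(name)
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_cluster}


if __name__ == "__main__":
    for size, names in find_suspicious_driver_clusters(SAMPLE_LOG).items():
        print(f"{len(names)} randomly named drivers of {size} bytes: {', '.join(names)}")
```

The heuristic is deliberately conservative: a single odd-looking driver is not reported, only a cluster sharing a size, which is what makes the four entries above stand out. A responder reading this thread would also compare that 37248-byte size against the system's own isapnp.sys, which the later ComboFix Find3M output shows with the same size and a fresh modification date; that is a comparison to make by hand before deciding anything, and the script only narrows down what to look at.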



#2 Noviciate
  • Malware Response Team
  • 5,277 posts

Posted 12 August 2010 - 02:45 PM

Good evening.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#3 CarmelOak
  • Topic Starter
  • Members
  • 16 posts

Posted 12 August 2010 - 07:32 PM

Hi, I turned off my Trend Micro real-time scanning and exited the program before running, but ComboFix still recognized it as being on, though.


ComboFix 10-08-12.02 - HP_Administrator 08/12/2010 19:21:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1405 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\service
c:\windows\system32\service\01012010_TIS17_SfFniAU.log
c:\windows\system32\service\01022010_TIS17_SfFniAU.log
c:\windows\system32\service\01062009_TIS17_SfFniAU.log
c:\windows\system32\service\01092009_TIS17_SfFniAU.log
c:\windows\system32\service\01102009_TIS17_SfFniAU.log
c:\windows\system32\service\02012010_TIS17_SfFniAU.log
c:\windows\system32\service\02032010_TIS17_SfFniAU.log
c:\windows\system32\service\02052010_TIS17_SfFniAU.log
c:\windows\system32\service\02062009_TIS17_SfFniAU.log
c:\windows\system32\service\02112009_TIS17_SfFniAU.log
c:\windows\system32\service\03012010_TIS17_SfFniAU.log
c:\windows\system32\service\03062009_TIS17_SfFniAU.log
c:\windows\system32\service\03082009_TIS17_SfFniAU.log
c:\windows\system32\service\03092009_TIS17_SfFniAU.log
c:\windows\system32\service\04022010_TIS17_SfFniAU.log
c:\windows\system32\service\04032010_TIS17_SfFniAU.log
c:\windows\system32\service\04062010_TIS17_SfFniAU.log
c:\windows\system32\service\05012010_TIS17_SfFniAU.log
c:\windows\system32\service\05022010_TIS17_SfFniAU.log
c:\windows\system32\service\05052010_TIS17_SfFniAU.log
c:\windows\system32\service\05082009_TIS17_SfFniAU.log
c:\windows\system32\service\06012010_TIS17_SfFniAU.log
c:\windows\system32\service\06042010_TIS17_SfFniAU.log
c:\windows\system32\service\06052010_TIS17_SfFniAU.log
c:\windows\system32\service\06062009_TIS17_SfFniAU.log
c:\windows\system32\service\06072009_TIS17_SfFniAU.log
c:\windows\system32\service\06082009_TIS17_SfFniAU.log
c:\windows\system32\service\06082010_TIS17_SfFniAU.log
c:\windows\system32\service\06112009_TIS17_SfFniAU.log
c:\windows\system32\service\07062009_TIS17_SfFniAU.log
c:\windows\system32\service\07072009_TIS17_SfFniAU.log
c:\windows\system32\service\07082009_TIS17_SfFniAU.log
c:\windows\system32\service\08012010_TIS17_SfFniAU.log
c:\windows\system32\service\08062009_TIS17_SfFniAU.log
c:\windows\system32\service\08072009_TIS17_SfFniAU.log
c:\windows\system32\service\08092009_TIS17_SfFniAU.log
c:\windows\system32\service\08102009_TIS17_SfFniAU.log
c:\windows\system32\service\08112009_TIS17_SfFniAU.log
c:\windows\system32\service\08122009_TIS17_SfFniAU.log
c:\windows\system32\service\09072009_TIS17_SfFniAU.log
c:\windows\system32\service\09112009_TIS17_SfFniAU.log
c:\windows\system32\service\09122009_TIS17_SfFniAU.log
c:\windows\system32\service\10012010_TIS17_SfFniAU.log
c:\windows\system32\service\10032010_TIS17_SfFniAU.log
c:\windows\system32\service\10072009_TIS17_SfFniAU.log
c:\windows\system32\service\10092009_TIS17_SfFniAU.log
c:\windows\system32\service\10102009_TIS17_SfFniAU.log
c:\windows\system32\service\11012010_TIS17_SfFniAU.log
c:\windows\system32\service\11032010_TIS17_SfFniAU.log
c:\windows\system32\service\11062009_TIS17_SfFniAU.log
c:\windows\system32\service\11082009_TIS17_SfFniAU.log
c:\windows\system32\service\11092009_TIS17_SfFniAU.log
c:\windows\system32\service\11102009_TIS17_SfFniAU.log
c:\windows\system32\service\11112009_TIS17_SfFniAU.log
c:\windows\system32\service\11122009_TIS17_SfFniAU.log
c:\windows\system32\service\12032010_TIS17_SfFniAU.log
c:\windows\system32\service\12042010_TIS17_SfFniAU.log
c:\windows\system32\service\12052010_TIS17_SfFniAU.log
c:\windows\system32\service\12062009_TIS17_SfFniAU.log
c:\windows\system32\service\12072009_TIS17_SfFniAU.log
c:\windows\system32\service\12102009_TIS17_SfFniAU.log
c:\windows\system32\service\13012010_TIS17_SfFniAU.log
c:\windows\system32\service\13062009_TIS17_SfFniAU.log
c:\windows\system32\service\13072009_TIS17_SfFniAU.log
c:\windows\system32\service\13102009_TIS17_SfFniAU.log
c:\windows\system32\service\14012010_TIS17_SfFniAU.log
c:\windows\system32\service\14022010_TIS17_SfFniAU.log
c:\windows\system32\service\14042010_TIS17_SfFniAU.log
c:\windows\system32\service\14052010_TIS17_SfFniAU.log
c:\windows\system32\service\14062010_TIS17_SfFniAU.log
c:\windows\system32\service\14122009_TIS17_SfFniAU.log
c:\windows\system32\service\15032010_TIS17_SfFniAU.log
c:\windows\system32\service\15052010_TIS17_SfFniAU.log
c:\windows\system32\service\15062009_TIS17_SfFniAU.log
c:\windows\system32\service\15062010_TIS17_SfFniAU.log
c:\windows\system32\service\15072009_TIS17_SfFniAU.log
c:\windows\system32\service\15092009_TIS17_SfFniAU.log
c:\windows\system32\service\16012010_TIS17_SfFniAU.log
c:\windows\system32\service\16052009_TIS17_SfFniAU.log
c:\windows\system32\service\16062010_TIS17_SfFniAU.log
c:\windows\system32\service\16072009_TIS17_SfFniAU.log
c:\windows\system32\service\16082009_TIS17_SfFniAU.log
c:\windows\system32\service\16112009_TIS17_SfFniAU.log
c:\windows\system32\service\17012010_TIS17_SfFniAU.log
c:\windows\system32\service\17032010_TIS17_SfFniAU.log
c:\windows\system32\service\17042010_TIS17_SfFniAU.log
c:\windows\system32\service\17052009_TIS17_SfFniAU.log
c:\windows\system32\service\17082009_TIS17_SfFniAU.log
c:\windows\system32\service\17092009_TIS17_SfFniAU.log
c:\windows\system32\service\17102009_TIS17_SfFniAU.log
c:\windows\system32\service\17112009_TIS17_SfFniAU.log
c:\windows\system32\service\18012010_TIS17_SfFniAU.log
c:\windows\system32\service\18052009_TIS17_SfFniAU.log
c:\windows\system32\service\18082009_TIS17_SfFniAU.log
c:\windows\system32\service\18102009_TIS17_SfFniAU.log
c:\windows\system32\service\19012010_TIS17_SfFniAU.log
c:\windows\system32\service\19022010_TIS17_SfFniAU.log
c:\windows\system32\service\19052009_TIS17_SfFniAU.log
c:\windows\system32\service\19052010_TIS17_SfFniAU.log
c:\windows\system32\service\20052010_TIS17_SfFniAU.log
c:\windows\system32\service\20092009_TIS17_SfFniAU.log
c:\windows\system32\service\20112009_TIS17_SfFniAU.log
c:\windows\system32\service\21052010_TIS17_SfFniAU.log
c:\windows\system32\service\21062010_TIS17_SfFniAU.log
c:\windows\system32\service\21082009_TIS17_SfFniAU.log
c:\windows\system32\service\21092009_TIS17_SfFniAU.log
c:\windows\system32\service\21102009_TIS17_SfFniAU.log
c:\windows\system32\service\22022010_TIS17_SfFniAU.log
c:\windows\system32\service\22042010_TIS17_SfFniAU.log
c:\windows\system32\service\22052009_TIS17_SfFniAU.log
c:\windows\system32\service\22052010_TIS17_SfFniAU.log
c:\windows\system32\service\22072010_TIS17_SfFniAU.log
c:\windows\system32\service\22092009_TIS17_SfFniAU.log
c:\windows\system32\service\23032010_TIS17_SfFniAU.log
c:\windows\system32\service\23052010_TIS17_SfFniAU.log
c:\windows\system32\service\23062009_TIS17_SfFniAU.log
c:\windows\system32\service\23072009_TIS17_SfFniAU.log
c:\windows\system32\service\23072010_TIS17_SfFniAU.log
c:\windows\system32\service\24022010_TIS17_SfFniAU.log
c:\windows\system32\service\24082009_TIS17_SfFniAU.log
c:\windows\system32\service\24122009_TIS17_SfFniAU.log
c:\windows\system32\service\25012010_TIS17_SfFniAU.log
c:\windows\system32\service\25022010_TIS17_SfFniAU.log
c:\windows\system32\service\25032010_TIS17_SfFniAU.log
c:\windows\system32\service\25052010_TIS17_SfFniAU.log
c:\windows\system32\service\25072009_TIS17_SfFniAU.log
c:\windows\system32\service\25072010_TIS17_SfFniAU.log
c:\windows\system32\service\25092009_TIS17_SfFniAU.log
c:\windows\system32\service\25102009_TIS17_SfFniAU.log
c:\windows\system32\service\26012010_TIS17_SfFniAU.log
c:\windows\system32\service\26042010_TIS17_SfFniAU.log
c:\windows\system32\service\26052009_TIS17_SfFniAU.log
c:\windows\system32\service\26052010_TIS17_SfFniAU.log
c:\windows\system32\service\26072010_TIS17_SfFniAU.log
c:\windows\system32\service\26102009_TIS17_SfFniAU.log
c:\windows\system32\service\27012010_TIS17_SfFniAU.log
c:\windows\system32\service\27052010_TIS17_SfFniAU.log
c:\windows\system32\service\27062009_TIS17_SfFniAU.log
c:\windows\system32\service\27072009_TIS17_SfFniAU.log
c:\windows\system32\service\27082009_TIS17_SfFniAU.log
c:\windows\system32\service\27122009_TIS17_SfFniAU.log
c:\windows\system32\service\28012010_TIS17_SfFniAU.log
c:\windows\system32\service\28032010_TIS17_SfFniAU.log
c:\windows\system32\service\28052010_TIS17_SfFniAU.log
c:\windows\system32\service\28072009_TIS17_SfFniAU.log
c:\windows\system32\service\28082009_TIS17_SfFniAU.log
c:\windows\system32\service\28092009_TIS17_SfFniAU.log
c:\windows\system32\service\28102009_TIS17_SfFniAU.log
c:\windows\system32\service\28122009_TIS17_SfFniAU.log
c:\windows\system32\service\29032010_TIS17_SfFniAU.log
c:\windows\system32\service\29052010_TIS17_SfFniAU.log
c:\windows\system32\service\29082009_TIS17_SfFniAU.log
c:\windows\system32\service\30032010_TIS17_SfFniAU.log
c:\windows\system32\service\30052009_TIS17_SfFniAU.log
c:\windows\system32\service\30062009_TIS17_SfFniAU.log
c:\windows\system32\service\30062010_TIS17_SfFniAU.log
c:\windows\system32\service\30072009_TIS17_SfFniAU.log
c:\windows\system32\service\30102009_TIS17_SfFniAU.log
c:\windows\system32\service\30112009_TIS17_SfFniAU.log
c:\windows\system32\service\31082009_TIS17_SfFniAU.log
c:\windows\system32\service\31102009_TIS17_SfFniAU.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))
.

2010-08-12 00:33 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-08 04:01 . 2010-08-08 04:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
2010-08-08 03:59 . 2010-08-08 03:59 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-08 03:59 . 2010-08-08 03:59 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-08 03:59 . 2010-08-08 03:59 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-08 03:59 . 2010-08-08 03:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-08-08 03:43 . 2010-08-08 03:43 63488 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-08 03:43 . 2010-08-08 03:43 52224 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-08 03:43 . 2010-08-08 03:43 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-08 03:42 . 2010-08-08 03:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2010-08-08 03:42 . 2010-08-08 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-08 03:42 . 2010-08-08 03:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-08 03:05 . 2010-08-08 03:05 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-08-08 03:05 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 03:05 . 2010-08-08 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 03:05 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 03:05 . 2010-08-08 03:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 12:19 . 2010-08-05 12:19 37248 ----a-w- c:\windows\system32\drivers\npcmknwg.sys
2010-08-04 22:35 . 2010-08-04 22:35 37248 ----a-w- c:\windows\system32\drivers\gcqhhziv.sys
2010-08-03 10:37 . 2010-08-03 10:37 37248 ----a-w- c:\windows\system32\drivers\nndpblad.sys
2010-08-03 03:37 . 2010-08-03 03:37 37248 ----a-w- c:\windows\system32\drivers\whcbyqev.sys
2010-08-03 00:54 . 2010-08-05 12:19 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-31 00:08 . 2010-07-31 00:12 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Intelli-studio
2010-07-31 00:08 . 2010-07-31 00:08 -------- d-----w- c:\program files\Samsung

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-13 00:07 . 2010-05-30 19:07 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2010-08-11 03:32 . 2004-08-10 04:00 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-08-07 20:13 . 2008-09-26 01:10 -------- d-----w- c:\program files\Diablo II
2010-08-07 03:45 . 2009-05-12 02:26 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-05 09:50 . 2009-09-09 00:56 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-27 00:01 . 2010-05-30 19:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2010-07-20 11:53 . 2010-06-15 01:18 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-20 11:53 . 2010-06-15 01:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-07-18 19:48 . 2010-01-05 01:18 11264 ----a-w- c:\windows\DCEBoot.exe
2010-07-06 00:47 . 2009-09-09 00:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HpUpdate
2010-06-30 12:31 . 2004-08-10 04:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-10 04:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-10 04:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-10 04:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 04:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 04:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-15 01:19 . 2009-12-13 22:21 -------- d-----w- c:\program files\Logitech
2010-06-14 14:31 . 2004-08-10 04:00 744448 ------w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-30 19:11 . 2010-05-30 19:11 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-27 01:43 . 2010-05-27 01:43 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7584934b-n\msvcp71.dll
2010-05-27 01:43 . 2010-05-27 01:43 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7584934b-n\jmc.dll
2010-05-27 01:43 . 2010-05-27 01:43 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7584934b-n\msvcr71.dll
2006-11-04 02:46 . 2006-11-04 02:46 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-16 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"DXM6Patch_981116"="c:\windows\p_981116.exe" [1998-12-01 497376]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Auto Detect.lnk - c:\program files\iConcepts Music Express\MEAutoDetect.exe [2010-1-11 270336]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-8-17 36903]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-17 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-17 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [5/11/2009 9:20 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/11/2009 9:20 PM 335376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/11/2009 9:26 PM 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [5/11/2009 9:26 PM 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/11/2009 9:27 PM 677128]
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-02 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wunderground.com/US/TX/Denton.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
Trusted Zone: trymedia.com
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-12 19:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-08-12 19:27:44
ComboFix-quarantined-files.txt 2010-08-13 00:27

Pre-Run: 103,066,746,880 bytes free
Post-Run: 103,047,282,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - CED0F3D58D587A3DB5DF434BB9D4DC41

Edited by CarmelOak, 12 August 2010 - 07:34 PM.


#4 Noviciate (Malware Response Team, 5,277 posts)

Posted 13 August 2010 - 02:58 PM

Good evening.

Quote: "Let me know how the PC is behaving."

So long, and thanks for all the fish.


#5 CarmelOak (Topic Starter, Members, 16 posts)

Posted 13 August 2010 - 05:49 PM

Good evening! Sorry, I missed the "let me know" part. I could probably help you more if I did what you asked, eh?

The only way I knew I had the virus was because I couldn't use Microsoft Update, I never noticed any other issues. I am now able to successfully go to and download Microsoft Updates. When I realized the computer was infected I only used the computer to log on here because I didn't want to risk making things worse. Since the only symptom I noticed is now corrected it appears to be fine.

Is there anything else I need to run or check?

Edited by CarmelOak, 13 August 2010 - 05:50 PM.


#6 Noviciate (Malware Response Team, 5,277 posts)

Posted 14 August 2010 - 01:45 PM

Good evening.

I think a little scan would be a good idea, just as a second opinion.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.


#7 CarmelOak (Topic Starter, Members, 16 posts)

Posted 14 August 2010 - 10:01 PM

Thanks for the advice, here are the logs you requested:

Malwarebytes' Anti-Malware Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4430

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

8/14/2010 8:05:46 PM
mbam-log-2010-08-14 (20-05-46).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 298280
Time elapsed: 1 hour(s), 16 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS Log

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 21:34:52.58 on Sat 08/14/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1245 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\Logitech Vid\LU\LULnchr.exe
C:\Program Files\Logitech\Logitech Vid\LU\LogitechUpdate.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wunderground.com/US/TX/Denton.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" -"http://www.scholastic.com/clifford/play/specklegame/index.htm"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Lexmark 3100 Series] "c:\program files\lexmark 3100 series\lxbrbmgr.exe"
mRun: [LXBRKsk] c:\progra~1\lexmar~1\LXBRKsk.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DXM6Patch_981116] c:\windows\p_981116.exe /Q:A
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autode~1.lnk - c:\program files\iconcepts music express\MEAutoDetect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: trymedia.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162619903734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166276735125
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-5-11 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-5-11 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-5-11 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-5-11 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-5-11 335376]

=============== Created Last 30 ================

2010-08-13 22:54:24 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-13 00:20:10 0 d-sha-r- C:\cmdcons
2010-08-13 00:16:28 98816 ----a-w- c:\windows\sed.exe
2010-08-13 00:16:28 77312 ----a-w- c:\windows\MBR.exe
2010-08-13 00:16:28 256512 ----a-w- c:\windows\PEV.exe
2010-08-13 00:16:28 161792 ----a-w- c:\windows\SWREG.exe
2010-08-12 00:33:18 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-08 03:42:30 0 d-----w- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2010-08-08 03:42:30 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-08 03:42:21 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-08 03:05:38 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2010-08-08 03:05:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 03:05:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 03:05:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-08 03:05:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-07 05:20:59 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable
2010-08-05 12:19:24 37248 ----a-w- c:\windows\system32\drivers\npcmknwg.sys
2010-08-04 22:35:35 37248 ----a-w- c:\windows\system32\drivers\gcqhhziv.sys
2010-08-03 10:37:35 37248 ----a-w- c:\windows\system32\drivers\nndpblad.sys
2010-08-03 03:37:50 37248 ----a-w- c:\windows\system32\drivers\whcbyqev.sys
2010-08-03 00:54:35 0 d-----w- c:\windows\system32\MpEngineStore
2010-07-31 00:08:29 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Intelli-studio
2010-07-31 00:08:27 0 d-----w- c:\program files\Samsung

==================== Find3M ====================

2010-08-11 03:32:36 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-08-07 03:45:25 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-20 11:53:20 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-20 11:53:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-07-18 19:48:22 11264 ----a-w- c:\windows\DCEBoot.exe
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:06:51 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-23 12:06:51 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 15:12:57 634656 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-06-17 15:11:25 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2006-11-04 02:46:32 22 --sha-w- c:\windows\sminst\HPCD.sys
2008-06-01 02:00:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008053120080601\index.dat

============= FINISH: 21:35:32.52 ===============

Even though you didn't ask for it I went ahead and added the Attach file since it was automatically created when I ran the DDS. As for how the computer is acting, I can't tell any difference from before I was infected. Everything seems to be OK and running fine. Since there was a Java exploit in my original scan I went ahead and updated my Java. However, when I ran Onecare Safety Scanner from Microsoft I came up with the following "severe" issues:

Exploit:Java/CVE-2008-5353.JJ
Exploit:Java/CVE-2009-3867.HD
TrojanDownloader:Java/OpenConnection.ES

I thought I was good, but obviously I'm not. What do I need to do next?

Attached Files


Edited by CarmelOak, 15 August 2010 - 04:02 AM.


#8 Noviciate (Malware Response Team, 5,277 posts)

Posted 15 August 2010 - 02:17 PM

Good evening.

Do you have files or folder names or registry keys for those detections? Unfortunately generic names don't offer a great deal to work with.

So long, and thanks for all the fish.


#9 CarmelOak (Topic Starter, Members, 16 posts)

Posted 15 August 2010 - 09:00 PM

Hi, here is more info for you from the Windows Onecare Safety Scanner:

Exploit:Java/CVE-2008-5353.JJ
c:\documents and settings\hp_administrator\application data\sun\java\deployment\cache\6.0\30\43523b5e-5d39b6f3
dev/s/loaderx.class
Unable to clean

Exploit:Java/CVE-2009-3867.HD
c:\documents and settings\hp_administrator\application data\sun\java\deployment\cache\6.0\30\43523b5e-5d39b6f3
dev/s/adgredy.class
Unable to clean

TrojanDownloader:Java/OpenConnection.ES
c:\documents and settings\hp_administrator\application data\sun\java\deployment\cache\6.0\30\43523b5e-5d39b6f3
dev/s/dyesyasz.class
Unable to clean

As for computer performance, it is pretty slow but appears to be functioning normally.

Edited by CarmelOak, 15 August 2010 - 09:01 PM.


#10 Noviciate (Malware Response Team, 5,277 posts)

Posted 16 August 2010 - 01:47 PM

Good evening.

As your version of Sun Java needs updating, we'll deal with this all in one go:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***
  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older versions of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The difficulty with speed issues is that it is hard to nail down the exact cause. The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.
  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disk Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

Let me know how you get on.

So long, and thanks for all the fish.
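As an added check (my example, not part of this thread or of JavaRa), this PowerShell script lists the Java runtimes and Adobe Reader registered under the Uninstall registry keys, so you can confirm that only one Java version remains after the JavaRa steps above. It assumes Windows PowerShell 2.0 or later is installed (an optional download on Windows XP) and reads only the standard Uninstall keys.

```powershell
# Added example: verify that older Java runtimes are gone and see which
# Adobe Reader version is registered. Read-only; nothing is changed.
# Assumes Windows PowerShell 2.0+. The Wow6432Node path only exists on
# 64-bit Windows and is silently skipped on a 32-bit XP machine.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher

# Java installers register names such as "J2SE Runtime Environment 5.0",
# "Java(TM) 6 Update 20" or "Java 8 Update 291". The separate
# "Java Auto Updater" entry is not a runtime, so it is excluded.
$java = @($installed |
    Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and
                   $_.DisplayName -notmatch 'Auto Updater' })

Write-Host "Java runtime entries found: $($java.Count)"
$java | Format-Table -AutoSize

if ($java.Count -gt 1) {
    # More than one entry means JavaRa (or the installer) left old versions
    # behind; each old JRE is a separate, unpatched attack surface.
    Write-Warning 'More than one Java runtime is registered; older versions are still installed.'
} elseif ($java.Count -eq 0) {
    Write-Host 'No Java runtime is registered on this machine.'
} else {
    Write-Host 'Single Java runtime present; older versions appear to be gone.'
}

# Adobe Reader: shows the registered version so you can compare it with the
# current release (the thread's advice is Help > Check for Updates in Reader).
$reader = @($installed | Where-Object { $_.DisplayName -match '^Adobe Reader' })
if ($reader.Count -eq 0) {
    Write-Host 'Adobe Reader is not registered in the Uninstall keys.'
} else {
    $reader | Format-Table -AutoSize
}
```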


#11 CarmelOak

CarmelOak
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 17 August 2010 - 10:22 PM

Alright, I followed those steps but while the JavaRa was running it created an error message and closed. I restarted it and it then ran successfully and created a log. I was then able to run the Java installer without issue. I then ran a Microsoft Safety Scan and it still showed the same 3 Java exploits.

I then went and manually deleted the files that were showing exploits, and ran JavaRa again. This time JavaRa ran flawlessly without issues. I ran a Microsoft Safety Scan and it came back clean. I then ran the Java installer and it went without error. After it was done I restarted and ran the Microsoft Safety Scan which showed no problems.

As before, the computer seems to be running fine, just slow. I have not followed your “speed up” steps yet as I want to make sure I’m clean first. Then I need to make a recovery point as all mine were corrupted. Once that’s done I plan on using the cleanup/speedup process you gave me. Do you think the issues are fixed, and how do I verify that?


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:38 AM

Posted 18 August 2010 - 02:41 PM

Good evening.

Nice job.

QUOTE
Do you think the issues are fixed, and how do I verify that?

Yes, and "Do you have any of the symptoms that brought you here?".

So long, and thanks for all the fish.


#13 CarmelOak

CarmelOak
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 21 August 2010 - 08:32 AM

Sorry for the delay, I have not been able to work on this for a few days. Here are the steps I have taken:

Ran Malwarebytes' Anti-Malware – clean
Ran Microsoft Safety Scanner – clean
Ran SUPERAntiSpyware – clean
Ran Trend Micro Internet Security – clean
Successfully updated using Windows/Microsoft Update (Not being able to update was the original symptom)

There is no sign of a virus in the way the computer is running and those 4 programs turned up nothing. I’m going to call this computer fixed. I cannot thank you enough. I am looking forward to your final post that provides a donation link. Now, what do I do with the following items I have downloaded/created?

DDS program
DDS log
DDS attach
GMer program
GMer ark log
Attribune's ATF Cleaner program
SUPERAntiSpyware program
SUPERAntiSpyware log
TDSSKiller program
TDSSKiller log
Combofix program
Combofix log
Malwarebytes' Anti-Malware program
Malwarebytes' Anti-Malware log
Java program
JavaRa program
JavaRa log

Is it safe to uninstall/delete all these?

Edited by CarmelOak, 21 August 2010 - 08:34 AM.


#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:38 AM

Posted 21 August 2010 - 02:51 PM

Good evening.

DDS program
DDS log
DDS attach

GMer program
GMer ark log

TDSSKiller program
TDSSKiller log

Delete. DDS is occasionally updated and it's such a small download that it isn't a big issue to get a fresh copy if needed. Likewise GMER and TDSSKiller.

Java program
JavaRa program
JavaRa log

Delete - assuming you mean the Java installer and not Java itself.

Attribune's ATF Cleaner program
It's a handy way to remove junk files from your machine so I'd keep it.

SUPERAntiSpyware program
SUPERAntiSpyware log

Malwarebytes' Anti-Malware program
Malwarebytes' Anti-Malware log

I would have at least one scanner on top of your AV to double check things - different scanners target different items. If you alternate which of the above scanners go first and one never picks up anything after the other then you can uninstall the deadwood. The logs can stay or go as you see fit.

Combofix program
Combofix log

This one has a built-in uninstallation option - see below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

QUOTE
I am looking forward to your final post that provides a donation link.

Neither the site nor I accept donations. Grinler allegedly turned to robbing banks as a steadier source of site income (but don't let the Bureau know!) and as others freely provide the tools that I use it's hardly fair if I take the credit, and the cash, for the results - nice thought though.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One task left that I can see:

Your copy of Adobe Reader is out of date. You can get the latest version here (feel free to uncheck the McAfee download first), or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

So long, and thanks for all the fish.


#15 CarmelOak

CarmelOak
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 24 August 2010 - 08:04 PM

Thanks again. Everything appears to be in great shape. I cannot begin to express how much I appreciate the help you've given me.



