Posted 26 October 2010 - 03:56 PM
Howdy everyone, Detailed description coming so get comfortable please.
As a writer, I visit a variety of places to gather information and do research. Some of these places are not the best to visit, and I understand that. I have paid-for antivirus from Trend, and up to this point I have been fine. I am proficient with computers, but there are items that are over my head. Such is my case today and why I am here. I found Bleeping Computer after I ran HijackThis via Trend.
I went through the Preparation Guide and did all of that. I think I did everything correctly; if not, please tell me. I did have a lock-up while working with the GMER zip file. I run XP Professional, NTFS, and the unzipper is built in, so I did not get to the "uncheck items" step before it did a scan. Once I did get to that page and unchecked all that needed to be unchecked, I redid the scan, and that log follows.
My specific problem began last Friday while I was doing some research about the Furry culture: Trend jumped up unexpectedly. I stopped my research, backed away, and did a scan. Trend found nothing. Since then, Trend has been jumping up on a variety of websites where it did not previously. I checked my settings; all is fine there. Trend found malware yesterday, from a program download that I paid for previously. The program is known far and wide as Evrsoft First Page 2006. That is the program I use to build my websites. This program worked fine before Friday. Sunday night it crashed and would not restart. I ran my antivirus; nothing found. I went to the site, got a fresh download, and once the download finished and I tried to install, that is when I found a malware critter Trend identified as GRAY_Gen.CZ0046. I went to Trend and could find nothing on this critter. This critter is in my Trend Quarantine files. I searched my machine and could not find this critter anywhere. I looked in the file it was reported in by the Trend report, C:\System Volume Information\_restore{63B5F209-732E-4D83-A579-FE6474476174}\RP63\A0011067.exe, but I could not find it, and I have my system set to show me all files. Yesterday, Monday, I began getting a popup that said it was from AOL. I use AOL on a bring-your-own-connection setup. When AOL sends out an update, I get the update when I sign on to the service. This popup, however, came up when I was not on AOL. I looked in my AOL folder and could not find anything out of place. I asked AOL if they recently sent out an update. Still waiting to hear back from them.
I do not allow Remote Assistance on my machine. I have enough trouble with online theft of my work as it is; I do not want something out before it is published. I found that turned on and reset it to off. System Restore I had also turned off a good while back. While checking things, I found my settings changed to allow System Restore. I reset it to what I wanted and did a restart. Continuing on with my search of my 'puter, I also found that my Windows Firewall was turned off; I turned it back on. I checked Trend; it is on and fine as far as I can tell. The popup blocker is on but apparently not working. I'm getting popups all over the place.
Folks, I've been through my machine as best I can, and I do not know what else to do to clean this machine. I do not want to, but if you folks here cannot help me clean this machine, I will do a complete strip and dip and a complete reinstall. I am hoping we can clean this up. This is a big machine; I really do not want to strip and dip.
Thank You,
Castoffpolite
AE. Roud
S. Behr
DDS.txt file
DDS (Ver_10-10-21.02) - NTFSx86
Run by User at 12:44:51.46 on Tue 10/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.368 [GMT -6:00]
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\AOL\1279333251\ee\AOLSoftware.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\aol\1279333251\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\User\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HostManager] c:\program files\common files\aol\1279333251\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\user\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-9-24 36432]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-9-24 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-9-24 51792]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-9-24 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-9-24 689416]
=============== Created Last 30 ================
2010-10-26 17:05:29 -------- d-----w- c:\windows\system32\NtmsData
2010-10-26 04:48:15 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-26 03:30:01 -------- d-----w- C:\Dictionaries
2010-10-24 18:22:38 -------- d-----w- c:\docume~1\user\applic~1\BackToTheBeach
2010-10-24 16:13:19 -------- d-----w- c:\program files\Evrsoft First Page 2006
2010-10-22 22:52:25 -------- d-----w- c:\docume~1\user\applic~1\VirtualStore
2010-10-22 16:23:27 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Help
2010-10-19 18:49:04 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Unzip Wizard
2010-10-13 09:05:18 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 06:31:25 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 06:31:24 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 06:31:07 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-09-28 23:18:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
2010-09-28 23:16:35 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-09-28 23:16:34 278016 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
2010-09-28 23:16:34 117760 ----a-w- c:\windows\system32\hpzll5mu.dll
2010-09-28 23:12:14 -------- d-----w- c:\program files\common files\HP
2010-09-28 23:10:14 -------- d-----w- c:\program files\HP
2010-09-28 23:10:08 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-09-28 23:10:08 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-09-28 23:10:05 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-09-28 23:10:05 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
==================== Find3M ====================
2010-09-24 07:48:05 661808 ----a-w- c:\windows\system32\UfWSC.cpl
2010-09-18 18:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-10 11:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 11:15:58 69632 -c--a-w- c:\windows\system32\QuickTime.qts
============= FINISH: 12:45:27.46 ===============