fake Windows Vista repair virus



#1 docluck (Members, 1 posts)

Posted 21 June 2011 - 08:10 PM

dds.txt log info:

.
DDS (Ver_2011-06-12.02) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Back Office at 10:28:34 on 2011-06-21
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3060.2260 [GMT -7:00]
.
AV: Trend Micro Internet Security *Enabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
SP: Trend Micro Internet Security *Enabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\helppane.exe
C:\Windows\system32\rstrui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2866295
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080710
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: Elf 1.15 Toolbar: {b9d63c58-90cc-428b-8d3b-cbb88eb07e7e} - c:\program files\elf_1.15\prxtbElf0.dll
mURLSearchHooks: Elf 1.15 Toolbar: {b9d63c58-90cc-428b-8d3b-cbb88eb07e7e} - c:\program files\elf_1.15\prxtbElf0.dll
BHO: {03d75863-3561-4280-8c80-e6254af0e257} - c:\windows\system32\atmfd32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngin0.dll
BHO: 80c31883: {3adfdba3-ff9f-0f66-298d-7cce29197452} - c:\programdata\atmfd32.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Elf 1.15 Toolbar: {b9d63c58-90cc-428b-8d3b-cbb88eb07e7e} - c:\program files\elf_1.15\prxtbElf0.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Elf 1.15 Toolbar: {b9d63c58-90cc-428b-8d3b-cbb88eb07e7e} - c:\program files\elf_1.15\prxtbElf0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngin0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DellNSCST_GRNCH] "c:\program files\dell\dell laser mfp 1815\networkscan\DNSCST.exe" /HIDEUI
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 71.132.143.1
TCP: Interfaces\{E16AFDD2-D458-445C-B091-CFE2B7FBBF9D} : DhcpNameServer = 71.132.143.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\programdata\atmfd32.dll c:\progra~1\google\google~2\goec62~1.dll,c:\programdata\atmfd32.dll
Hosts: 97.74.144.185 rinconchiro.com #source server
.
============= SERVICES / DRIVERS ===============
.
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2011-6-17 142352]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-5 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-7-10 47640]
S2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.sys [2008-8-22 5120]
S2 stisvc32;Windows Image Acquisition (WIA) ;c:\windows\system32\lftif13n32.exe [2011-6-17 764416]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-6-17 51792]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2011-6-17 36432]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2011-6-17 235024]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-7-10 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2011-6-17 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2011-6-17 648456]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-18 03:22:10 -------- d-----w- c:\windows\system32\log
2011-06-18 03:10:09 249424 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2011-06-18 03:10:09 1331512 ----a-w- c:\windows\system32\drivers\vsapint.sys
2011-06-18 03:10:08 66320 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-06-18 03:10:08 59472 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-06-18 03:10:08 51792 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-06-18 03:10:08 36432 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2011-06-18 03:10:08 235024 ----a-w- c:\windows\system32\drivers\tmwfp.sys
2011-06-18 03:10:08 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-06-18 03:10:08 142352 ----a-w- c:\windows\system32\drivers\tmlwf.sys
2011-06-18 02:42:35 764416 ----a-w- c:\programdata\fde32.exe
2011-06-18 02:42:35 169472 ----a-w- c:\programdata\atmfd32.dll
2011-06-18 02:42:33 764416 ----a-w- c:\windows\system32\lftif13n32.exe
2011-06-18 02:42:30 349696 ----a-w- c:\windows\system32\atmfd32.dll
2011-06-18 02:42:29 764416 ---ha-w- c:\users\back office\0.09216037021821055.exe
2011-06-18 02:25:38 -------- d--h--w- c:\programdata\Trend Micro
2011-06-18 02:25:36 -------- d--h--w- c:\program files\Trend Micro
2011-06-17 21:04:26 781796 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-17 20:41:34 410624 ---ha-w- c:\programdata\42260492.exe
2011-06-17 20:32:27 465920 ---ha-w- c:\programdata\GdfsjdvCUlN.exe
2011-06-17 08:30:44 6962000 ---ha-w- c:\programdata\microsoft\windows defender\definition updates\{3d89c280-9f23-4775-b012-85d197bb81a2}\mpengine.dll
2011-06-16 10:01:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-16 10:01:03 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-16 10:01:02 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-15 20:11:29 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-15 20:11:21 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 20:11:20 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 20:11:20 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 20:11:18 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 20:11:07 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 20:11:06 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 20:11:06 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 20:11:06 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 20:11:04 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2011-06-16 18:39:22 87424 ---ha-w- c:\windows\system32\LMIinit.dll
2011-06-16 18:39:22 83360 ---ha-w- c:\windows\system32\LMIRfsClientNP.dll
2011-06-16 18:39:22 53632 ---ha-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-06-16 18:39:22 29568 ---ha-w- c:\windows\system32\LMIport.dll
2011-04-29 21:29:46 0 ---ha-w- c:\windows\system32\ConduitEngine.tmp
2011-04-06 23:20:16 91424 ---ha-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20:16 197920 ---ha-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20:16 107808 ---ha-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 10:29:57.49 ===============
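
The log above already carries the indicators a responder reads first: a populated AppInit_DLLs value pointing into c:\programdata, two BHOs with no product name loading atmfd32.dll, a service calling itself "Windows Image Acquisition (WIA)" but running lftif13n32.exe, DisableTaskMgr set to 1, a hosts-file override, and hidden executables dropped into ProgramData and the user profile within the same minute. As an added example (not code from the original post, and not part of the DDS tool itself), the Python script below parses a constructed excerpt of that log and flags those indicators. The rule names, the heuristics and SAMPLE_LOG are this example's own assumptions; the excerpt copies lines from the thread's log and adds a few benign lines (the Adobe BHO, FontCache, WPFFontCache and LMIinit.dll) to show what is not flagged.

```python
"""Triage the Pseudo HJT, SERVICES/DRIVERS and Created Last 30 sections of a
DDS log for the persistence and defence-evasion indicators a fake "Windows
Repair" rogue typically leaves behind.

Added example: not code from the original post or from the DDS tool itself.
The rule names and heuristics are this example's own assumptions. SAMPLE_LOG
is a constructed excerpt: lines copied from the thread's log plus a few benign
lines (Adobe BHO, FontCache, WPFFontCache, LMIinit.dll) added for contrast.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {03d75863-3561-4280-8c80-e6254af0e257} - c:\windows\system32\atmfd32.dll
BHO: 80c31883: {3adfdba3-ff9f-0f66-298d-7cce29197452} - c:\programdata\atmfd32.dll
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\programdata\atmfd32.dll c:\progra~1\google\google~2\goec62~1.dll,c:\programdata\atmfd32.dll
Hosts: 97.74.144.185 rinconchiro.com #source server
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 stisvc32;Windows Image Acquisition (WIA) ;c:\windows\system32\lftif13n32.exe [2011-6-17 764416]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
2011-06-18 02:42:35 764416 ----a-w- c:\programdata\fde32.exe
2011-06-18 02:42:29 764416 ---ha-w- c:\users\back office\0.09216037021821055.exe
2011-06-17 20:41:34 410624 ---ha-w- c:\programdata\42260492.exe
2011-06-16 18:39:22 87424 ---ha-w- c:\windows\system32\LMIinit.dll
"""

BHO_RE = re.compile(r'^BHO:\s*(.*?)\s*(\{[0-9a-f-]{36}\})\s*-\s*(.+)$', re.I)
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[', re.I)
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S{8})\s+(.+)$')
DROP_DIRS = (r'c:\programdata', r'c:\users')  # where rogues usually drop payloads


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _add(findings: List[Finding], rule: str, evidence: str) -> None:
    f = Finding(rule, evidence)
    if f not in findings:  # AppInit_DLLs in the log names the same DLL twice
        findings.append(f)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line.startswith('AppInit_DLLs:'):
            # Every DLL listed here is loaded into each process that maps user32.dll,
            # so report all of them (legitimate or not) for the analyst to vet.
            for dll in re.split(r'[ ,]+', line.split(':', 1)[1].strip()):
                if dll:
                    _add(findings, 'appinit_dll', dll)
        elif line.startswith('mPolicies-system: DisableTaskMgr = 1'):
            _add(findings, 'taskmgr_disabled', line)  # rogue "anti-removal" policy
        elif line.startswith('Hosts:'):
            _add(findings, 'hosts_override', line.split(':', 1)[1].strip())
        elif (m := BHO_RE.match(line)):
            name, clsid, path = m.group(1).rstrip(': ').strip(), m.group(2), m.group(3)
            # Legitimate BHOs carry a product name; rogues register unnamed or
            # hex-named ones and load them from ProgramData or the user profile.
            unnamed = not name or re.fullmatch(r'[0-9a-f]{6,}', name, re.I) is not None
            if unnamed or path.lower().startswith(DROP_DIRS):
                _add(findings, 'suspicious_bho', f'{clsid} {path}')
        elif (m := SERVICE_RE.match(line)):
            short, display, image = m.group(2), m.group(3).strip(), m.group(4).strip('" ')
            exe = ntpath.splitext(ntpath.basename(image.split(' -k ')[0]))[0].lower()
            # A "Windows ..." display name whose image is neither svchost, a driver,
            # nor a binary named after the service is an impostor candidate.
            if (display.lower().startswith('windows')
                    and exe not in ('svchost', short.lower())
                    and not image.lower().endswith('.sys')):
                _add(findings, 'service_impostor', f'{short} -> {image}')
        elif (m := FILE_RE.match(line)):
            attrs, path = m.group(1), m.group(2).strip().lower()
            if path.endswith('.exe') and path.startswith(DROP_DIRS):
                visibility = 'hidden' if 'h' in attrs else 'visible'
                _add(findings, 'dropped_exe', f'{path} ({visibility})')
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.rule:17} {f.evidence}')
```

To use it on a real case, pass the full contents of dds.txt to triage() instead of SAMPLE_LOG. Treat the output as a worklist, not a verdict: the AppInit rule deliberately lists Google Desktop's goec62~1.dll next to the rogue's DLL, and the service rule rests on naming conventions, so each hit still needs its file publisher signature and creation time checked before anything is deleted.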

#2 D-FRED-BROWN (Resident Bracketologist, Malware Response Team, 834 posts, Kansas, USA)

Posted 30 June 2011 - 01:15 PM

Hello docluck and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:
  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):
  • TDSSKiller_log.txt
  • How the PC is running now


-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:
  • TDSSKiller logfile
  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?

#3 D-FRED-BROWN

Posted 05 July 2011 - 11:59 AM

(bump)

Are you still with me? If your problems still persist, let me know and we'll go about fixing them.
If not, please let me know so I can close this topic.

-DFB

#4 D-FRED-BROWN

Posted 09 July 2011 - 11:18 PM

(last bump)

Are you still with me? If your problems still persist, let me know and we'll go about fixing them.

Otherwise, this topic will be closed in a few days.

-DFB

#5 D-FRED-BROWN

Posted 01 August 2012 - 02:02 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



